We covered Linux authentication logs, log files locations in Linux, Linux log analysis tools available in Linux and took a case study where we analyzed SSH brute force attack that resulted in server compromise and backdoor installed for persistence.

Offensive Security Certified Professional Study Notes

OSINT Study Notes

Understanding Log Files

Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Logs typically contain five headed-up areas. They are:

  • Timestamp –the time of the event. 
  • Log level – how severe or important the event is.
  • Username– who caused the event.
  • Service or application – what caused the event.
  • Event description – what has happened.

Linux Authentication Logs

var/log/auth.log
The authentication log contains information
related to successful and unsuccessful logins in addition to the commands executed after a session is opened due to successful authentication.
/var/log/wtmp
History of login and logout activities.

Linux Logs Analysis

Example commands used in analyzing Linux authentication logs:

Auditing authentication logs

tail /var/log/auth. log
grep -i "fail" /var/log/auth. log

Listing stats about services used in authentication

cat auth.log | cut -d' ' -f 6 | cut -d[ -f1 | sort | uniq -c | sort -nr

Viewing stats about failed login attempts sorted by user

cat auth.log | grep Failed | cut -d: -f4 | cut -d' ' -f5- | rev | cut -d' ' -f6- | rev | sort | uniq -c | sort -nr

Viewing successful authentication logs

cat auth.log | grep Accepted

View currently logged in users

utmpdump wtmp

Brute Force Attacks Detectio By Analyzing Linux Authentication Logs

Brute force attacks result in a lot of faield login attempts which can be viewed using the commands shown above. If these failed login attempts result in successful brute force attack is manifested, it will be followed by successful login attempts shown in auth.log.

Video Walkthrough | SSH Brute Force Attacks Analysis

,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles