Brute Force Attack Incident Report

SOC Investigation • Linux Authentication Logs • Threat Detection Workflow

Incident Overview

This investigation simulates an SSH brute force attack against a Linux host by appending synthetic failed-login entries to the authentication log, then detects the attack with command-line log analysis.

Methodology

We enabled logging and prepared the system for authentication monitoring.

sudo apt install rsyslog -y
sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Step-by-Step Investigation

Step 1 — Identify log source

Check if authentication logs exist.

cat /var/log/auth.log

Step 2 — Enable logging service

Activate system logging.

sudo apt install rsyslog -y
sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Step 3 — Verify logs

Confirm log generation.

ls /var/log/auth.log

Step 4 — Simulate attack

Create failed login attempts.

echo "Failed password for invalid user admin from 192.168.1.10" | sudo tee -a /var/log/auth.log
echo "Failed password for root from 192.168.1.10" | sudo tee -a /var/log/auth.log
echo "Failed password for kali from 192.168.1.10" | sudo tee -a /var/log/auth.log

Step 5 — Filter logs

Keep only failed authentication entries.

grep "Failed password" /var/log/auth.log

Step 6 — Extract IP

Print the source address of each failed attempt. Real sshd entries end in "port N ssh2", so awk '{print $(NF-3)}' returns the address there, but on the bare lines injected in Step 4 it returns the wrong field. Locating the word "from" and taking the next field works for both formats.

grep "Failed password for" /var/log/auth.log | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}'

Step 7 — Aggregate data

Count failed attempts per source IP, highest count first.

grep "Failed password for" /var/log/auth.log | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr

Log Analysis

Failed password for invalid user admin from 192.168.1.10
Failed password for root from 192.168.1.10
Failed password for kali from 192.168.1.10

Detection Result

IF failed login attempts from one source IP ≥ 5 THEN trigger brute force alert

The per-IP count from Step 7 is compared against the threshold. The three entries shown under Log Analysis give 192.168.1.10 a count of 3, which is below the threshold; the rule fires once the source accumulates at least 5 failures, at which point 192.168.1.10 is classified as the brute force source. In production the count should be taken per source IP within a time window (for example 5 failures in 10 minutes) rather than over the whole log, since an all-time count eventually flags any host with occasional typos.
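The following script is an added example, not part of the original report, that carries Steps 5 to 7 and the Detection Result through in one runnable piece. It writes a constructed auth.log sample to a temporary file (the entries, the hostname "host", the PIDs, the addresses 10.0.0.7 and 172.16.0.5 and the threshold of 5 are all assumptions for illustration) and mixes real-format sshd lines, which carry a syslog prefix and a "port N ssh2" suffix, with a bare injected line like those in Step 4, to show that the extraction does not depend on fixed field positions.

```sh
#!/bin/sh
# Added example (not from the original report): brute-force detection over
# sshd "Failed password" lines, equivalent to Steps 5-7 plus the threshold rule.
# Assumptions: the sample entries below are constructed; THRESHOLD is a choice.

THRESHOLD=5

# Constructed sample auth.log: five real-format failures from 192.168.1.10,
# one failure and one success from 10.0.0.7, and one bare injected line.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1001]: Failed password for invalid user admin from 192.168.1.10 port 52314 ssh2
Mar  3 10:01:03 host sshd[1002]: Failed password for root from 192.168.1.10 port 52315 ssh2
Mar  3 10:01:04 host sshd[1003]: Failed password for kali from 192.168.1.10 port 52316 ssh2
Mar  3 10:01:05 host sshd[1004]: Failed password for root from 192.168.1.10 port 52317 ssh2
Mar  3 10:01:06 host sshd[1005]: Failed password for root from 192.168.1.10 port 52318 ssh2
Mar  3 10:02:00 host sshd[1006]: Failed password for alice from 10.0.0.7 port 40000 ssh2
Mar  3 10:02:30 host sshd[1007]: Accepted password for alice from 10.0.0.7 port 40001 ssh2
Failed password for invalid user admin from 172.16.0.5
EOF

# failed_by_ip FILE -> lines of "COUNT IP", highest count first (Steps 5-7).
# The address is the field after the word "from", so both the real sshd
# format and the bare injected format are handled.
failed_by_ip() {
    grep 'Failed password for' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' \
      | sort | uniq -c | sort -nr \
      | awk '{ print $1, $2 }'
}

# brute_force_sources FILE THRESHOLD -> IPs whose failure count >= THRESHOLD.
brute_force_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# failed_count FILE IP -> number of failed logins from IP (0 if none).
failed_count() {
    n="$(failed_by_ip "$1" | awk -v ip="$2" '$2 == ip { print $1 }')"
    echo "${n:-0}"
}

echo "Failed logins per source IP:"
failed_by_ip "$SAMPLE_LOG"
echo "Brute force sources (>= $THRESHOLD failures):"
brute_force_sources "$SAMPLE_LOG" "$THRESHOLD"
```

Point failed_by_ip at /var/log/auth.log instead of the sample file to run it against a live host; the "Accepted password" line is excluded by the grep, and the bare injected line still yields its address because the extraction keys on "from" rather than on a field offset.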