2. Once the Linux VM is live with the SSH service running, look at /var/log/syslog or /var/log/auth.log (or their Red Hat equivalents /var/log/messages and /var/log/secure) for SSH brute-force attempts

What is SSH?

SSH (Secure Shell) is a network protocol that gives users a secure way to access a computer over an untrusted network. The client and server authenticate each other and exchange keys, then all traffic (commands, file transfers, forwarded ports) travels through an encrypted, integrity-protected tunnel that an eavesdropper on the path cannot read or tamper with.

What is SSH brute-force?

An SSH brute-force attack is when an attacker repeatedly tries common usernames and passwords (or a wordlist of them) against a server's SSH service until one pair is accepted. Each guess shows up as a separate authentication attempt, which is why the authentication log is the place to look for it.

How to check if SSH is running on the Linux VM?

Check whether the sshd process is running using the following command:
ps aux | grep '[s]shd'
The square brackets stop grep from matching its own command line (a plain grep sshd always shows at least one line, the grep itself, even when sshd is not running). On systemd-based distributions, systemctl status sshd gives the same answer together with the most recent log lines.
*Note that SSH is already pre-installed and running in the Amazon Linux VM.

Linux Logs

Linux logs give a history of everything that has been happening in a Linux operating system. If anything goes wrong, they give a useful overview of events that helps the administrator find the culprit. The file names differ between distribution families:
Red Hat-based systems (e.g. CentOS or RHEL) -> /var/log/messages & /var/log/secure
Debian-based systems (e.g. Ubuntu) -> /var/log/syslog & /var/log/auth.log
/var/log/syslog or /var/log/messages: general messages and info regarding the system. Essentially, it is a data log of activity throughout the whole system, excluding the authentication facility.
/var/log/auth.log or /var/log/secure: authentication logs, covering both successful and failed logins as well as other authentication events (sudo, PAM session open/close, sshd key exchange errors).
 
*Note that the Amazon Linux VM is Redhat-based system. Hence, we will be looking into /var/log/messages and /var/log/secure.
 
As there are many log entries, it is best to filter the logs so that only SSH-related lines are shown. The following command prints only the lines written by sshd:
grep 'sshd' /var/log/secure
Successful SSH login logged in /var/log/secure:
When a user successfully logs in over SSH, there will be a line that says Accepted password for testname (testname is the username that I created). Right after it come the client's source IP address and the source port the client connected from (the port belongs to the client side, not to sshd, which always listens on its configured port, 22 by default). A key-based login is logged the same way but reads Accepted publickey for instead.
Unsuccessful SSH login logged in /var/log/secure:
If a user fails to log in over SSH because of incorrect credentials, there will be a line that says Failed password for testname. When the username does not exist on the system at all, sshd writes Failed password for invalid user testname instead, so a filter on the username alone will miss those lines. Many Failed password entries in a short time, especially from the same source IP and cycling through several usernames, are the classic sign of an SSH brute-force attack.
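The single grep above shows every sshd line, which is still a lot to read on a busy host. The script below is an added example (not part of the original page) that goes one step further: it groups Failed password lines by source IP, flags any IP over a chosen threshold, lists the usernames each flagged IP tried (handling both the plain and the "invalid user" form of the message), and separately prints the successful logins, which is what you want to cross-check after a flagged burst. The log lines it runs on are constructed sample data in the Red Hat /var/log/secure format; the hostname ip-172-31-5-12, the usernames and the IP addresses are made up for the illustration.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from a /var/log/secure-style file.
# Usage on a real host: ssh_failed_by_ip /var/log/secure 5 ; ssh_failed_users /var/log/secure <ip>

# Write a constructed sample of /var/log/secure lines (not taken from a real system)
# so the script can run offline. Two source IPs: one brute-forcing, one legitimate.
write_sample_secure_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 ip-172-31-5-12 sshd[2211]: Failed password for testname from 203.0.113.10 port 51234 ssh2
Mar  3 10:15:03 ip-172-31-5-12 sshd[2211]: Failed password for testname from 203.0.113.10 port 51234 ssh2
Mar  3 10:15:05 ip-172-31-5-12 sshd[2214]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar  3 10:15:07 ip-172-31-5-12 sshd[2216]: Failed password for invalid user oracle from 203.0.113.10 port 51242 ssh2
Mar  3 10:15:09 ip-172-31-5-12 sshd[2218]: Failed password for root from 203.0.113.10 port 51244 ssh2
Mar  3 10:20:11 ip-172-31-5-12 sshd[2230]: Failed password for testname from 198.51.100.7 port 40001 ssh2
Mar  3 10:20:30 ip-172-31-5-12 sshd[2232]: Accepted password for testname from 198.51.100.7 port 40002 ssh2
Mar  3 10:21:00 ip-172-31-5-12 sshd[2232]: pam_unix(sshd:session): session opened for user testname by (uid=0)
EOF
}

# Print "<count> <ip>" for every source IP with at least $2 failed password attempts,
# highest count first. The IP is the token that follows the word "from".
ssh_failed_by_ip() {
    grep 'sshd\[' "$1" | grep 'Failed password for' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' |
        sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $1, $2 }' | sort -rn
}

# Print the distinct usernames a given source IP ($2) tried, space separated.
# "Failed password for invalid user X" puts the name three tokens after "for";
# "Failed password for X" puts it one token after.
ssh_failed_users() {
    grep 'sshd\[' "$1" | grep 'Failed password for' | grep -F "from $2 port" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "for") {
                   u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); print u; break } }' |
        sort -u | xargs
}

# Print "<user> <ip>" for every successful login (password or publickey).
ssh_accepted() {
    grep 'sshd\[' "$1" | grep 'Accepted ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "for") { print $(i+1), $(i+3); break } }'
}

# Stand-alone demo on the constructed sample; on a real host point the functions
# at /var/log/secure (or /var/log/auth.log on Debian-based systems) instead.
demo_log=$(mktemp)
write_sample_secure_log "$demo_log"
echo "Source IPs with 3 or more failed passwords:"
ssh_failed_by_ip "$demo_log" 3
echo "Usernames tried from 203.0.113.10:"
ssh_failed_users "$demo_log" 203.0.113.10
echo "Successful logins:"
ssh_accepted "$demo_log"
rm -f "$demo_log"
```

On the sample, 203.0.113.10 is reported with 5 failures across four different usernames (admin, oracle, root, testname), while 198.51.100.7 has a single typo-style failure followed by an Accepted password, which is what a legitimate user looks like. The threshold is deliberately a parameter: a value that is obviously hostile on a single-user lab VM may be normal noise on a shared bastion, so pick it from what the host usually sees.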
 
On the other hand, I was unable to find SSH login related log lines in /var/log/messages because /var/log/messages is mainly used for storing logs related to general info about the Linux system. This matches the default rsyslog configuration on Red Hat-based systems: sshd logs through the authpriv facility, which is routed to /var/log/secure and explicitly excluded (authpriv.none) from /var/log/messages.
In conclusion, looking into /var/log/secure is a good way to find out whether there were any SSH brute-force attempts on the system, as it records every SSH authentication attempt, successful or not. However, because of the large number of entries, filtering the logs (at minimum by sshd, and ideally by source IP and failure count) is necessary to save time and to spot a burst of failures that would otherwise be buried in routine lines.