SSH (Secure Shell) is a secure communication protocol. It is a network protocol that allows users a secure way to access a computer over an unsecured network. It allows computer to talk to each other, using a secure tunnel that nobody else can understand.
A SSH brute force attack is when an attacker keeps on trying a common username and password on a server until they find a match via SSH.
Check if the process sshd is running using the following command:
ps aux | grep sshd
*Note that SSH is already pre-installed and running in the Amazon Linux VM.
Linux logs gives a visual history of everything that has been happening in a Linux operating system. If anything goes wrong, they give a useful overview of events in order to help the administrator to seek out the culprits.
Redhat-based systems (e.g. CentOS or RHEL) -> /var/log/messages & /var/log/secure
Debian-based systems (e.g. Ubuntu) -> /var/log/syslog & /var/log/secure
/var/log/syslog or /var/log/messages: Shows general messages and info regarding the system. Essentially, it is a data log of all activity throughout the global system.
/var/log/auth.log or /var/log/secure: Stores authentication logs for both successful or failed logins, and authentication processes.
*Note that the Amazon Linux VM is Redhat-based system. Hence, we will be looking into /var/log/messages and /var/log/secure.
As there are many log entries, it is best that we filter the logs to only look at SSH related logs. The following command will only give SSH related log lines:
grep 'sshd' /var/log/secure
Successful SSH login logged in /var/log/secure:
When a user successfully SSH into the Linux VM, there will be a log that says Accepted password for testname (testname is the username that I created). Right next to it sits the IP address along with the port that was allocated by SSH for the connection attempt.
Unsuccessful SSH login logged in /var/log/secure
If a user unsuccessfully SSH login into the Linux VM due to entering an incorrect/invalid credentials, there will be a log that says Failed password for testname. Depending on the number of entries of failed password, it could indicate that someone is attempting a SSH brute-force attack.
On the other hand, I was unable to find SSH login related log lines in /var/log/messages because /var/log/messages is mainly used for storing logs related to general info about the Linux system.
In conclusion, looking into /var/log/secure is a good way to find out if there was any possible SSH brute-force attempts on the system as it logs every attempted SSH login. However, due to the large number of logs, filtering the logs is necessary to save time and to improve efficiency.