Creating Alerts and Dashboards in Kibana (1/4)

On Day 14 of the challenge, my focus was to take a more in-depth approach to analyzing the data from my Ubuntu SSH server, specifically to detect brute force activity. This involved querying the data within my Elastic dashboard, setting up alerts to detect potential brute force attacks, and creating a visual dashboard to monitor the activity.

What is a Brute Force Attack?

A brute force attack is a method used by attackers to gain unauthorized access to systems by repeatedly trying different password combinations until the correct one is found. These attacks can be automated and, if successful, can lead to unauthorized access to critical systems. My goal was to analyze SSH authentication data to detect failed login attempts, which is often a sign of brute force attacks.

Steps Taken:

Accessing the Data

I started by logging into the Discover tab on my Elastic dashboard. Since multiple agents were sending data, I filtered down to the MyDFIR-Linux_Heyakru agent, which was collecting SSH logs from my Ubuntu server.

Searching for Failed SSH Login Attempts

To identify potential brute force attempts, I began by searching for the term “Failed” in the search bar. This returned logs for all failed authentication activities.

To make the search more specific to failed SSH login attempts, I added the system.auth.ssh.event field to my query.

Adding Important Fields

Next, I added the following fields to analyze the failed login attempts in more detail:

  • User: To see which user accounts were targeted.
  • Source IP: To identify where the login attempts were coming from.
  • Country: To geolocate the origins and identify any unfamiliar or suspicious regions.

This gave me a comprehensive view of the failed login attempts, including which users were targeted and where the attempts originated.

Saving the Query for Reuse

After refining the search, I saved the query so I could quickly monitor failed SSH login attempts without having to set it up again each time.

Setting Up an Alert for Brute Force Detection

Creating a Brute Force Alert

To automate detection of potential brute force attacks, I went to the Alerting tab in Elastic and created an alert called MyDFIR-SSH Brute Force Activity-Heyakru.

  • Trigger Criteria: I set the alert to trigger if there are 5 failed SSH login attempts within a 5-minute window. This threshold captures rapid, repeated login failures, a common sign of brute force attacks.

  • Once configured, I saved the alert, which will notify me if these conditions are met.
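To show what the alert above actually evaluates, here is an added example (not code from the challenge, from Elastic, or from the author) that applies the same rule, 5 failed SSH logins within a 5-minute window counted per source IP, to a few constructed auth.log lines. The hostname, IPs, user names and the 2024 year are made up, and the lines are assumed to arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD, WINDOW = 5, timedelta(minutes=5)   # the alert's 5 failures in 5 minutes

# OpenSSH "Failed password" line as written to auth.log (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (hypothetical hostname, documentation IP ranges).
SAMPLE_AUTH_LOG = """\
Oct 14 10:00:01 ubuntu sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 14 10:00:09 ubuntu sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct 14 10:00:31 ubuntu sshd[1205]: Accepted publickey for heyakru from 198.51.100.20 port 40010 ssh2
Oct 14 10:01:15 ubuntu sshd[1207]: Failed password for root from 203.0.113.7 port 51044 ssh2
Oct 14 10:02:02 ubuntu sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
Oct 14 10:03:40 ubuntu sshd[1211]: Failed password for root from 203.0.113.7 port 51061 ssh2
Oct 14 10:06:00 ubuntu sshd[1213]: Failed password for ubuntu from 198.51.100.20 port 40022 ssh2
""".splitlines()

def parse_failed(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """One (ip, window_start, trigger_time, users) alert per source IP on its first breach."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> account names tried from that ip so far
    alerts, alerted = [], set()
    for line in lines:            # assumes chronological order, as in a live log
        parsed = parse_failed(line)
        if parsed is None:        # successful logins and other events are skipped
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # age out failures that fell outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], ts, sorted(users[ip])))
    return alerts
```

On the sample above only 203.0.113.7 trips the rule (five failures in under four minutes, three different accounts); the single failure from 198.51.100.20 stays below the threshold.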

Building a Visual Dashboard

Creating a Dashboard with Geolocation Data

To visualize attack patterns, I created a dashboard using my query results. I went to the Map tab and used the following query:

    system.auth.ssh.event : * and agent.name: MyDFIR-Linux-Heyakru and system.auth.ssh.event: Failed

Configuring the Map

I added a Choropleth layer to the map, using world country boundaries from the Elastic Maps Service. I configured it to display geolocation data based on the source.geo.country_iso_code field, giving me a visual representation of the countries from which the failed login attempts were originating.

  • Boundaries source: Administrative boundaries from the Elastic Maps Service
  • EMS boundaries: World Countries
  • Boundaries join field: ISO 3166-1 alpha-2 code
  • Data view: Default data view
  • Data view join field: source.geo.country_iso_code

I saved the map as SSH Failed Authentication – Network Map and added it to a newly created dashboard named SSH Failed Authentication Dashboard.

Visualizing Successful Logins

To stay vigilant, I also created a map view to monitor successful SSH logins. I noticed some results from Bangladesh, which matched my own login activity during testing, so nothing suspicious was detected here.

Conclusion

Day 14 of the ‘MyDFIR 30-Day SOC Challenge’ was crucial in enhancing my ability to detect brute force attacks. By querying authentication data, setting alerts, and visualizing failed SSH logins on a dashboard, I created an effective monitoring system. This experience strengthened my skills in Elasticsearch and proactive threat detection, equipping me to handle unauthorized access attempts more efficiently in the future.