Setting up Ubuntu Server 24.02

Introduction

On Day 12 of my 30-Day MyDFIR SOC Challenge, I created a new Ubuntu Server (version 24.02) to dive deeper into log analysis, specifically focusing on authentication logs. Here’s a step-by-step breakdown of my experience:

Server Deployment

I started by navigating to my Vultr dashboard and clicked the Deploy button to set up a new server. Since my location is Bangladesh, I selected Bangalore as the server location for better proximity and performance. I didn’t need a high-performance server, so I opted for Cloud Compute – Shared CPU with the following specifications:

  • 25 GB SSD Storage
  • 1 vCPU
  • 1 GB Memory

Following the naming convention required for the giveaway I’m participating in, I named the server accordingly and clicked Deploy.

Once the server was deployed, I connected to it using the following SSH command in my terminal:

    ssh root@<my-server-ip>

Initial Setup and Updates

Upon logging into the server, the first task was to update and upgrade all the packages to ensure the system was up-to-date. I used the following command:

    apt-get update && apt-get upgrade -y

After the updates were completed, I navigated to the /var/log directory where the system stores its logs:

    cd /var/log

I ran the ls command to list all files in this directory, and among the numerous log files, I was particularly interested in the auth.log file, which contains authentication logs.

Authentication Log Analysis

I opened the auth.log file to examine the contents using:

    cat auth.log

The file returned a vast amount of authentication-related information. However, I was specifically interested in finding failed authentication attempts. To do this, I filtered the log data using the grep command:

    grep -i failed auth.log

This command returned every line mentioning a failed attempt, regardless of letter case.

To make the data even more precise, I focused on failed attempts for the root user by modifying the command as follows:

    grep -i failed auth.log | grep -i root

Extracting IP Addresses of Failed Attempts

For further analysis, I decided to extract the IP addresses from where the failed authentication attempts originated. I modified my previous command by incorporating the cut command to display only the relevant IP addresses:

    grep -i failed auth.log | grep -i root | cut -d ' ' -f 9

This filtered the output to display only the IP addresses associated with the failed root authentication attempts.
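The following script is an added example, not one of the commands from the post. It walks the same pipeline (filter failed attempts, narrow to root, pull the source address) over a handful of constructed auth.log lines and shows where the fixed-field approach is fragile: `cut -d ' ' -f 9` lands on the IP only when the line starts with a single ISO-8601 timestamp token, and `grep -i root` also matches usernames such as "rootadmin". The hostname soc-lab, the PIDs, the addresses (all from RFC 5737 documentation ranges) and the log lines themselves are made up for this example; the function names are mine.

```shell
#!/bin/sh
# Added example: extract and count source IPs of failed root SSH logins.
# SAMPLE_LOG is constructed for this example; it mixes the ISO-timestamp
# format written by rsyslog on Ubuntu 24.x with one traditional-syslog line
# and one "invalid user" line whose username merely contains "root".
SAMPLE_LOG=$(cat <<'EOF'
2024-09-12T10:01:02.481093+00:00 soc-lab sshd[1001]: Failed password for root from 203.0.113.5 port 51022 ssh2
2024-09-12T10:01:05.112870+00:00 soc-lab sshd[1001]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-09-12T10:01:09.900122+00:00 soc-lab sshd[1002]: Failed password for invalid user rootadmin from 198.51.100.7 port 40100 ssh2
2024-09-12T10:01:30.000000+00:00 soc-lab sshd[1003]: Failed password for root from 198.51.100.9 port 22222 ssh2
Sep 12 10:02:00 soc-lab sshd[1004]: Failed password for root from 192.0.2.44 port 33000 ssh2
2024-09-12T10:02:10.000000+00:00 soc-lab sshd[1005]: Accepted publickey for root from 192.0.2.1 port 50000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
2024-09-12T10:02:15.000000+00:00 soc-lab sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
)

# failed_root_ips: one IPv4 address per failed root password attempt, read
# from stdin. Anchoring on the phrase "for root from" makes the result
# independent of the timestamp format and ignores users like "rootadmin".
failed_root_ips() {
    grep -E 'Failed password for root from ' \
        | grep -oE 'for root from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | awk '{print $4}'
}

# failed_root_ip_counts: "<count> <ip>" per source address, busiest first.
# This is the triage view: which hosts are hammering the root account.
failed_root_ip_counts() {
    failed_root_ips | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# naive_field9: the post's pipeline verbatim, kept for comparison. On the
# sample it also emits "rootadmin" (substring match) and "root" (the
# traditional-timestamp line has two extra fields before the address).
naive_field9() {
    grep -i failed | grep -i root | cut -d ' ' -f 9
}

# Demo on the constructed sample. On a real server run:
#   failed_root_ip_counts < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_root_ip_counts
```

Run it on the real log with `failed_root_ip_counts < /var/log/auth.log`. Because the functions read standard input, they also work on rotated archives (`zcat /var/log/auth.log.*.gz | failed_root_ip_counts`).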

Conclusion

Day 12 of the 30-Day MyDFIR SOC Challenge provided me with hands-on experience in server deployment, log analysis, and data filtering. By setting up an Ubuntu server, I explored the auth.log file to identify failed authentication attempts, specifically focusing on those targeting the root user. Through the use of essential Linux commands like grep and cut, I gained valuable insights into filtering log data and isolating key information such as IP addresses.

This exercise enhanced my understanding of authentication logs and set the foundation for deeper log analysis in the future, as I left the server running to accumulate more data. It was a practical session that strengthened my log analysis skills, a vital component in cybersecurity monitoring and incident response.