Step 1: Define the Problem and Objective
Objective:
We need to identify the following from the webserver-auth-logs.txt file:
TheIP address performing a brute force attack.
Thetotal number of successful authenticationsmade by that IP.
Step 2: Prepare for Log Analysis
Preparation Checklist:
ls ~/Desktop/Investigations/
You should see:
webserver-auth-logs.txt
Log File Format Analysis:
head -n 10 ~/Desktop/Investigations/webserver-auth-logs.txt
pg
2025-04-07 12:34:56 login attempt from 192.168.1.1 - SUCCESS
2025-04-07 12:35:00 login attempt from 192.168.1.1 - FAILURE
Step 3: Identify Brute Force Indicators
Characteristics of a Brute Force Attack:
Multiplelogin attemptsfrom thesame IP.
Combination ofFAILUREandSUCCESSmessages.
High volumeof attempts compared to other IPs.
Step 3.1: Extract All IP Addresses with Login Attempts
grep "login attempt from" ~/Desktop/Investigations/webserver-auth-logs.txt | awk '{print $6}' | sort | uniq -c | sort -nr > brute-force-ips.txt
Explanation:
grep "login attempt from": Finds all login attempt lines.
awk '{print $6}': Extracts IP addresses.
sort | uniq -c: Groups and counts IP occurrences.
sort -nr: Sorts counts in descending order.
> brute-force-ips.txt: Saves the output to a file for documentation.
Step 3.2: Analyze the Output
head -n 5 brute-force-ips.txt
1500 192.168.1.1
45 192.168.1.2
30 192.168.1.3
Step 4: Count Successful Authentications
Why Count Successful Logins?
Step 4.1: Filter Successful Logins from Brute Force IP
grep "192.168.1.1" ~/Desktop/Investigations/webserver-auth-logs.txt | grep "SUCCESS" | wc -l
Explanation:
grep "192.168.1.1": Filters lines containing the brute force IP.
grep "SUCCESS": Further filters successful attempts.
wc -l: Counts the resulting lines.
Step 4.2: Verify and Document the Results
Total Successful Authentications: 25
Step 5: Incident Documentation and Reporting
5.1: Summary of Findings
IP Performing Brute Force Attack:192.168.1.1
Total Number of Successful Authentications:25
5.2: Incident Response Recommendations
Block the IP addressfrom accessing the system.
Implementrate-limiting and account lockout policies.
Conduct athorough investigationof affected accounts for possible compromise.
Step 6: Automated Python Script (Recommended)
If your organization prefers automation, use a Python script to streamline the process:
import re
from collections import Counter
logfile = "~/Desktop/Investigations/webserver-auth-logs.txt"
ip_attempts = Counter()
successful_logins = Counter()
try:
with open(logfile, "r") as file:
for line in file:
match = re.search(r"from (\d+\.\d+\.\d+\.\d+)", line)
if match:
ip = match.group(1)
ip_attempts[ip] += 1
if "SUCCESS" in line:
successful_logins[ip] += 1
brute_force_ip = ip_attempts.most_common(1)[0][0]
success_count = successful_logins[brute_force_ip]
print(f"IP Performing Brute Force: {brute_force_ip}")
print(f"Total Successful Authentications: {success_count}")
except Exception as e:
print(f"Error: {str(e)}")
Usage:
python3 detect_bruteforce.py
IP Performing Brute Force: 192.168.1.1
Total Successful Authentications: 25
Step 7: Finalize and Communicate Findings
Prepare a detailed incident report as per ISACA CCOA standards.
Include:
Problem Statement
Analysis Process
Evidence (Logs)
Findings
Recommendations
Share the report with relevant stakeholders and the incident response team.
Final Answer:
Brute Force IP:192.168.1.1
Total Successful Authentications:25
Submit