Log Analysis: spot SSH attacks in auth.log
The defender side of the pentest lesson: your VM has 200 synthetic SSH brute-force entries in /var/log/auth.log. With grep, awk and sort you work out how many failed login attempts there were, which IP was the dominant attacker and how many unique source IPs tried. Four tasks, around 30 minutes. Pure defense: these are skills you need every day once a server is live.
Read auth.log like a SOC analyst
Log analysis: finding SSH attacks in auth.log
When a server is live, it logs every login attempt. These logs are gold: they show who attacked and when. As a defender you analyse them with classic command-line tools — a daily practical skill, not a toy.
Key terms & tools
/var/log/auth.log: the authentication log (logins, sudo, SSH).
grep: filters lines by a pattern.
awk: splits lines into fields and prints specific columns.
sort / uniq -c: sort and count, ideal for answering "which IP most often?".
On this VM /var/log/auth.log contains 200 synthetic brute-force entries. Write each result into the specified file under /tmp/.
Your goal
You count the failed attempts, find the dominant attacker, count the unique source IPs, and build a ban list.
Exercises
1. Count failed logins
Task: count failed attempts. Count how many "Failed password" lines are in the log and write only the number to /tmp/failed-count.txt.

    grep -c "Failed password" /var/log/auth.log > /tmp/failed-count.txt

grep -c counts matching lines instead of printing them.
Check: /tmp/failed-count.txt contains exactly 200.
2. Find the top attacker IP
Task: find the dominant attacker IP. Which IP attacked most often? Extract the IPs, count them, and take the most frequent. Write only the IP to /tmp/top-attacker.txt.

    grep "Failed password" /var/log/auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn | head -1 | awk '{print $2}' > /tmp/top-attacker.txt

Step by step: pull out the IPs → sort → count (uniq -c) → sort by frequency, descending → take the top line → keep only the IP column (awk '{print $2}').
Check: /tmp/top-attacker.txt contains 203.0.113.42.
3. Count unique source IPs
Task: count unique attackers. How many different IPs tried? Write only the number to /tmp/unique-attackers.txt.

    grep "Failed password" /var/log/auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | wc -l > /tmp/unique-attackers.txt

sort -u makes the IPs unique, wc -l counts the lines.
Check: /tmp/unique-attackers.txt contains 5.
4. Build a ban list for fail2ban
Task: build a ban list. Create a list of all unique attacker IPs (one per line) that you could hand to fail2ban or a firewall. Write it to /tmp/ban-list.txt.

    grep "Failed password" /var/log/auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > /tmp/ban-list.txt

Check: /tmp/ban-list.txt contains 203.0.113.42, 203.0.113.17 and 198.51.100.7 among others.
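The four pipelines above combined into one script, as an added example that is not part of the original lab: it runs against a small constructed auth.log sample (documentation-range IPs) instead of /var/log/auth.log, anchors the address match on the "from <ip> port" fields so a stray dotted-quad elsewhere in a line is not counted, and writes the same four result files.

```shell
#!/bin/sh
# Added example, not the lab's own code: the four pipelines as functions,
# run against a small constructed auth.log sample so it works offline.
# Assumes grep -E/-o, sort, uniq, awk, wc (any Linux or BSD userland).

# Constructed sample in sshd's auth.log format. The addresses are RFC 5737
# documentation ranges, not real attackers. Every function takes a log path,
# so on a live server you can call them on /var/log/auth.log instead.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.42 port 51234 ssh2
Mar  3 10:01:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.42 port 51235 ssh2
Mar  3 10:01:05 host sshd[1202]: Failed password for root from 203.0.113.17 port 40001 ssh2
Mar  3 10:01:07 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:09 host sshd[1204]: Accepted publickey for deploy from 192.0.2.10 port 40003 ssh2
Mar  3 10:01:11 host sshd[1205]: Failed password for root from 203.0.113.42 port 51236 ssh2
EOF

# Task 1: failed attempts. grep -c counts matching lines; "Accepted" lines are skipped.
failed_count() { grep -c "Failed password" "$1"; }

# Source address of each failed attempt. Matching "from <ip> port" instead of any
# dotted-quad means a numeric pattern elsewhere in the line cannot be miscounted.
attacker_ips() {
    grep "Failed password" "$1" | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3} port' | awk '{print $2}'
}

# Task 2: most frequent source IP (uniq -c counts per IP, sort -rn ranks them).
top_attacker() { attacker_ips "$1" | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'; }

# Task 3: number of distinct source IPs (tr strips the padding BSD wc adds).
unique_attackers() { attacker_ips "$1" | sort -u | wc -l | tr -d ' '; }

# Task 4: one unique IP per line, ready for a fail2ban or firewall ban list.
ban_list() { attacker_ips "$1" | sort -u; }

# Write the four files the lab expects into a directory of your choosing.
write_results() {
    out="$1"; log="$2"
    failed_count "$log"     > "$out/failed-count.txt"
    top_attacker "$log"     > "$out/top-attacker.txt"
    unique_attackers "$log" > "$out/unique-attackers.txt"
    ban_list "$log"         > "$out/ban-list.txt"
}
```

On hosts where sshd logs only to journald, feed the functions a file produced with journalctl -u ssh (or sshd) instead of /var/log/auth.log.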
Now practice it yourself
Reading is good – doing is better. Start this course on a real Linux VM, right in your browser. A free account is all it takes.
Lab content under CC BY 4.0 – free to use with attribution (© TechLogia).
