Challenge 2: Security Log Analysis

Investigate authentication logs to identify a security breach.

Incident Alert: Multiple failed login attempts detected on web-prod-01. Investigate the logs below and complete the incident report.
/var/log/auth.log
Oct 06 14:15:12 web-prod-01 sshd[12453]: Failed password for root from 192.168.1.100 port 45231 ssh2
Oct 06 14:18:33 web-prod-01 sshd[12489]: Accepted password for jsmith from 192.168.1.105 port 52341 ssh2
Oct 06 14:20:01 web-prod-01 sshd[12501]: Failed password for admin from 203.0.113.47 port 33421 ssh2
Oct 06 14:20:15 web-prod-01 sshd[12502]: Failed password for admin from 203.0.113.47 port 33422 ssh2
Oct 06 14:20:29 web-prod-01 sshd[12503]: Failed password for admin from 203.0.113.47 port 33423 ssh2
Oct 06 14:20:43 web-prod-01 sshd[12504]: Failed password for admin from 203.0.113.47 port 33424 ssh2
Oct 06 14:20:57 web-prod-01 sshd[12505]: Failed password for admin from 203.0.113.47 port 33425 ssh2
Oct 06 14:21:11 web-prod-01 sshd[12506]: Failed password for admin from 203.0.113.47 port 33426 ssh2
Oct 06 14:21:25 web-prod-01 sshd[12507]: Failed password for admin from 203.0.113.47 port 33427 ssh2
Oct 06 14:21:39 web-prod-01 sshd[12508]: Failed password for admin from 203.0.113.47 port 33428 ssh2
Oct 06 14:21:53 web-prod-01 sshd[12509]: Failed password for admin from 203.0.113.47 port 33429 ssh2
Oct 06 14:22:07 web-prod-01 sshd[12510]: Failed password for admin from 203.0.113.47 port 33430 ssh2
Oct 06 14:22:21 web-prod-01 sshd[12511]: Failed password for admin from 203.0.113.47 port 33431 ssh2
Oct 06 14:22:35 web-prod-01 sshd[12512]: Failed password for admin from 203.0.113.47 port 33432 ssh2
Oct 06 14:22:49 web-prod-01 sshd[12513]: Failed password for admin from 203.0.113.47 port 33433 ssh2
Oct 06 14:23:03 web-prod-01 sshd[12514]: Failed password for admin from 203.0.113.47 port 33434 ssh2
Oct 06 14:23:17 web-prod-01 sshd[12515]: Failed password for admin from 203.0.113.47 port 33435 ssh2
Oct 06 14:23:31 web-prod-01 sshd[12516]: Failed password for admin from 203.0.113.47 port 33436 ssh2
Oct 06 14:23:45 web-prod-01 sshd[12517]: Accepted password for admin from 203.0.113.47 port 33437 ssh2
Oct 06 14:24:12 web-prod-01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
Oct 06 14:25:33 web-prod-01 sshd[12601]: Accepted password for dbadmin from 192.168.1.110 port 48192 ssh2
Oct 06 14:28:45 web-prod-01 sshd[12633]: Failed password for test from 192.168.1.115 port 52211 ssh2
Incident Report Form
Investigation Tips
  • Look for patterns: Multiple failed logins from the same IP indicate a brute force attack
  • Track the timeline: Note when attempts start and when access is gained
  • Identify the target: Which account was being targeted?
  • Find the breach: Look for "Accepted password" after multiple failures
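The four tips above amount to one detection procedure, so here it is as working code. This is an added example, not part of the challenge: it parses an abridged copy of the auth.log above (five of the sixteen admin failures kept), counts failures per source IP, flags an "Accepted password" that follows a burst from the same IP, and then reports any sudo-to-root by the account that was taken over. The five-failure threshold is an assumed tuning value, not something the challenge specifies.

```python
import re
from collections import defaultdict

# Abridged copy of the challenge's /var/log/auth.log (five of the sixteen admin failures kept).
SAMPLE_LOG = """\
Oct 06 14:15:12 web-prod-01 sshd[12453]: Failed password for root from 192.168.1.100 port 45231 ssh2
Oct 06 14:18:33 web-prod-01 sshd[12489]: Accepted password for jsmith from 192.168.1.105 port 52341 ssh2
Oct 06 14:20:01 web-prod-01 sshd[12501]: Failed password for admin from 203.0.113.47 port 33421 ssh2
Oct 06 14:20:15 web-prod-01 sshd[12502]: Failed password for admin from 203.0.113.47 port 33422 ssh2
Oct 06 14:20:29 web-prod-01 sshd[12503]: Failed password for admin from 203.0.113.47 port 33423 ssh2
Oct 06 14:20:43 web-prod-01 sshd[12504]: Failed password for admin from 203.0.113.47 port 33424 ssh2
Oct 06 14:20:57 web-prod-01 sshd[12505]: Failed password for admin from 203.0.113.47 port 33425 ssh2
Oct 06 14:23:45 web-prod-01 sshd[12517]: Accepted password for admin from 203.0.113.47 port 33437 ssh2
Oct 06 14:24:12 web-prod-01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
Oct 06 14:25:33 web-prod-01 sshd[12601]: Accepted password for dbadmin from 192.168.1.110 port 48192 ssh2
Oct 06 14:28:45 web-prod-01 sshd[12633]: Failed password for test from 192.168.1.115 port 52211 ssh2
""".splitlines()

# sshd outcome lines: syslog timestamp, host, sshd[pid], then outcome / user / source IP.
SSHD_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# sudo lines: who invoked sudo, as which target user, running what.
SUDO_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def analyze(lines, threshold=5):
    """Flag brute-force sources, successes that follow them, and root escalations by those accounts."""
    failures = defaultdict(list)          # source ip -> [(timestamp, username)]
    report = {"brute_force": {}, "compromised": [], "escalations": []}
    compromised_users = set()
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ip, user, ts = m["ip"], m["user"], m["ts"]
            if m["outcome"] == "Failed":
                failures[ip].append((ts, user))
            elif len(failures[ip]) >= threshold:
                # A success right after a burst of failures from the same IP is the breach indicator.
                report["compromised"].append({"user": user, "ip": ip, "time": ts,
                                              "first_attempt": failures[ip][0][0],
                                              "failures_before_success": len(failures[ip])})
                compromised_users.add(user)
            continue
        m = SUDO_RE.match(line)
        if m and m["user"] in compromised_users and m["target"] == "root":
            report["escalations"].append({"user": m["user"], "time": m["ts"], "command": m["cmd"]})
    report["brute_force"] = {ip: len(f) for ip, f in failures.items() if len(f) >= threshold}
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the full log on this page, the same code reports 16 failures before the 14:23:45 success; the single root failure from 192.168.1.100 and the test failure from 192.168.1.115 stay below the threshold and are not flagged.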