INCIDENT RESPONSE — EASY ⭐⭐
IR-06
BRUTE FORCE SSH DETECTION — LINUX AUTH LOG ANALYSIS

OBJECTIVES

Read the incident ticket
Identify the attacking IP address
Count the failed login attempts
Determine if any login succeeded
Identify which username was targeted
Add a firewall block rule for the attacker
Submit the IR report
PHASE 1 — TRIAGE
MISSION BRIEF
IR-09 — EASY ⭐⭐ — SEC+ / CySA+

BRUTE FORCE SSH DETECTION

TICKET: SOC-IR-0051 | Server: web01.apexcorp.internal | Priority: HIGH

SCENARIO

An IDS alert fired for a high volume of SSH connection attempts against web01.apexcorp.internal (10.10.1.10). The server is a Linux web server running Ubuntu 22.04 with SSH exposed on port 22. Your task is to analyse the /var/log/auth.log file, determine the scope of the attack, and recommend containment.

WHAT TO DO

  • Read the Incident Ticket
  • Open auth.log — find the failed login attempts
  • Check the Attack Summary for statistics
  • Use the Firewall tool to block the attacker
  • Submit your findings in the IR Report

KEY CONCEPTS

Brute force SSH — the attacker submits many username/password combinations to an SSH service, guessing rather than replaying passwords already known from elsewhere; that is what distinguishes it from credential stuffing.

/var/log/auth.log — the Linux system log that records authentication events, including every SSH attempt. Failed attempts appear as "Failed password for [user] from [IP]".

iptables / ufw — Linux firewall tools. Blocking the attacker's IP stops further attempts and is the first containment step.
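As an added example (not part of the lab's own tooling), the script below does what the auth.log step asks: it parses OpenSSH "Failed password" and "Accepted" lines, counts failures per source IP, finds the most-targeted username, and flags any successful login from a source that tripped the threshold. The log lines are constructed samples in standard OpenSSH format, not the lab's real auth.log, and the script counts total failures per source rather than the 60-second window the Snort rule uses.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log format (not the lab's actual log).
SAMPLE_AUTH_LOG = """\
May  9 03:38:01 web01 sshd[2210]: Failed password for root from 203.0.113.47 port 51122 ssh2
May  9 03:38:02 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.47 port 51124 ssh2
May  9 03:38:02 web01 sshd[2214]: Failed password for root from 203.0.113.47 port 51126 ssh2
May  9 03:38:03 web01 sshd[2216]: Failed password for ubuntu from 203.0.113.47 port 51128 ssh2
May  9 03:40:15 web01 sshd[2300]: Accepted publickey for deploy from 10.10.1.50 port 40210 ssh2
May  9 03:59:14 web01 sshd[2890]: Accepted password for root from 203.0.113.47 port 52001 ssh2
"""

# "invalid user" is inserted by sshd when the username does not exist locally.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def analyse_auth_log(text):
    """Return failures per IP, usernames tried per IP, and all accepted logins."""
    failed_by_ip = Counter()
    users_by_ip = {}
    accepted = []  # (ip, user, method, timestamp)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            users_by_ip.setdefault(m["ip"], Counter())[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"], line[:15]))
    return failed_by_ip, users_by_ip, accepted


def brute_force_report(text, threshold=20):
    """Flag sources at or above `threshold` failures (20 mirrors the ticket's Snort rule)
    and list any successful login from each flagged source."""
    failed, users, accepted = analyse_auth_log(text)
    report = {}
    for ip, n in failed.items():
        if n >= threshold:
            top_user, top_n = users[ip].most_common(1)[0]
            hits = [(u, m, ts) for (a_ip, u, m, ts) in accepted if a_ip == ip]
            report[ip] = {"failed": n, "top_user": top_user,
                          "top_user_count": top_n, "successful": hits}
    return report


if __name__ == "__main__":
    # Low threshold so the short constructed sample trips the check.
    for ip, r in brute_force_report(SAMPLE_AUTH_LOG, threshold=3).items():
        print(ip, r)
```

A non-empty "successful" list for a flagged source is the finding that turns this from a noisy alert into a confirmed compromise, as the Attack Summary tab shows for root at 03:59 UTC.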

SERVER DETAILS

Item        Detail
Hostname    web01.apexcorp.internal
IP          10.10.1.10
OS          Ubuntu 22.04 LTS
SSH Port    22 (default)
Exposure    Internet-facing (DMZ)
INCIDENT TICKET — SOC-IR-0051
SOC-IR-0051 — SSH Brute Force Attack
Severity: HIGH
Created: 2026-05-09 03:42 UTC
Source: IDS Alert — Snort rule: SSH_BRUTE_FORCE
Target: web01.apexcorp.internal (10.10.1.10)
Service: SSH / Port 22
Status: OPEN — Awaiting analyst triage
ALERT DESCRIPTION

At 03:38 UTC the IDS triggered on a high rate of SSH authentication failures against web01. The Snort rule SSH_BRUTE_FORCE fires when more than 20 failed SSH attempts are detected from a single source within 60 seconds. Review /var/log/auth.log for the full picture.

Preliminary data from the IDS:
— Source IP: 203.0.113.47
— Attempts in first minute: 86
— Usernames attempted: multiple (root, admin, ubuntu, www-data...)
— Login succeeded: UNKNOWN — check auth.log

ANALYST TASKS
1. Confirm the attack in auth.log
2. Determine if the attacker succeeded in logging in
3. Identify the most targeted username
4. Add a firewall block rule for the attacking IP
5. Recommend longer-term hardening actions
/var/log/auth.log — web01.apexcorp.internal
ATTACK SUMMARY — SOC-IR-0051
BRUTE FORCE STATISTICS — 203.0.113.47
TOTAL ATTEMPTS: 312 (over 22 minutes)
FAILED LOGINS: 311 (all rejected)
SUCCESSFUL LOGINS: 1 (root — 03:59 UTC)
TOP USERNAME: root (248 of 312 attempts)
⚠ CRITICAL — ROOT LOGIN SUCCEEDED AT 03:59 UTC
The attacker successfully authenticated as root at 03:59:14 UTC using password "toor" (default root password on some distros). Immediate containment is required. The account may have been used for further activity.
FIREWALL — web01 (iptables / ufw)
1. ALLOW 10.10.0.0/16 → ANY (internal)
2. ALLOW 0.0.0.0/0 → port 80,443 (web traffic)
ANALYST NOTES
IR REPORT — SOC-IR-0051
INCIDENT FINDINGS