Log Analysis: Analysis on Auth.log
 
This entry may help incident handlers analyse brute-force attacks that leverage the SSH protocol.

Overview of auth.log
--------------------

    fikri~$ cat auth.log | head
    Mar 16 08:12:04 app-1 login[4659]: pam_unix(login:session): session opened for user user3 by LOGIN(uid=0)
    Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su
    Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)
    Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root
    Mar 16 08:12:09 app-1 su[4679]: Successful su for root by root
    Mar 16 08:12:09 app-1 su[4679]: + tty1 root:root
    Mar 16 08:12:09 app-1 su[4679]: pam_unix(su:session): session opened for user root by user3(uid=0)
    Mar 16 08:12:13 app-1 groupadd[4691]: new group: name=user4, GID=1001
    Mar 16 08:12:13 app-1 useradd[4692]: new user: name=user4, UID=1001, GID=1001, home=/home/user4, shell=/bin/bash
    ...
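
A triage pass over this log format, as an added Python example that is not part of the original entry: it counts failed SSH password attempts per source address, flags a successful login from an address that already crossed the threshold, and records account creation like the `useradd` line above. The sshd lines in the sample are constructed (standard OpenSSH wording, documentation-range addresses), and the function name `analyse` and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the sshd lines are illustrative, not taken from the
# original log; the useradd line is copied from the excerpt above.
SAMPLE = """\
Mar 16 08:10:01 app-1 sshd[4601]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 16 08:10:03 app-1 sshd[4603]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar 16 08:10:05 app-1 sshd[4605]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Mar 16 08:10:09 app-1 sshd[4609]: Accepted password for user3 from 203.0.113.7 port 40120 ssh2
Mar 16 08:11:30 app-1 sshd[4620]: Failed password for user1 from 198.51.100.9 port 51000 ssh2
Mar 16 08:12:13 app-1 useradd[4692]: new user: name=user4, UID=1001, GID=1001, home=/home/user4, shell=/bin/bash
"""

# Syslog prefix: timestamp, host, program, optional [pid], then the message.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
# sshd password-authentication result: outcome, user, source address.
SSH = re.compile(r"^(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def analyse(text, threshold=3):
    """Return ({ip: failures >= threshold}, [(timestamp, kind, detail), ...])."""
    failures = Counter()
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip truncated or non-syslog lines such as "..."
        ts, _host, prog, _pid, msg = m.groups()
        s = SSH.match(msg) if prog == "sshd" else None
        if s:
            outcome, user, ip = s.groups()
            if outcome == "Failed":
                failures[ip] += 1
            elif failures[ip] >= threshold:  # Accepted after repeated failures
                findings.append((ts, "login-after-bruteforce", f"{user} from {ip}"))
        elif prog == "useradd" and msg.startswith("new user:"):
            findings.append((ts, "account-created", msg))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, findings

if __name__ == "__main__":
    noisy, findings = analyse(SAMPLE)
    print("sources over threshold:", noisy)
    for finding in findings:
        print(*finding, sep=" | ")
```
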