Lab 2: Log File Analysis for Intrusion Detection

Objective: Simulate an SSH brute-force and network reconnaissance attack from Kali Linux to Ubuntu Server. Analyze log files to detect unauthorized access attempts and scanning behavior. Aligns with ISO 27001 controls on log monitoring and incident response.


Phase 1 – Prepare the Lab Environment

Step 1.1 – Start Both VMs

On your Windows 11 host machine:

  • Open VirtualBox
  • Start your Kali Linux VM (attacker)
  • Start your Ubuntu Server VM (target)

Step 1.1 Screenshot

Step 1.2 – Verify Network Communication

On Ubuntu:

ip a
  • ip is a command-line utility for network configuration.
  • a is short for address, showing IP info for all interfaces.
  • Look for your IP address under enp0s3 or similar.

On Kali:

ping <Ubuntu_VM_IP>
  • ping checks if the Ubuntu VM is reachable.
  • Replace <Ubuntu_VM_IP> with the actual IP shown from ip a.

Step 1.2 Screenshot


Phase 2 – Configure Logging and Monitoring on Ubuntu

Step 2.1 – Install Logwatch & Mail Tools

sudo apt update
sudo apt install logwatch mailutils -y
  • sudo: Runs command with admin/root privileges
  • apt update: Refreshes Ubuntu's software package list
  • apt install: Installs specified software packages
  • -y: Automatically says yes to prompts

Step 2.1 Screenshot

Step 2.2 – Postfix Setup

During installation, if prompted:

  • Select: Local only (keeps mail internal)
  • System mail name: ubuntu.lab.local

Step 2.2 Screenshot


Phase 3 – Simulate an Attack from Kali

Step 3.1 – Nmap Scan (Reconnaissance)

From Kali:

nmap -sS -T4 -Pn <Ubuntu_VM_IP>

Explanation:

  • nmap: A powerful network scanning tool
  • -sS: TCP SYN scan (stealthy)
  • -T4: Speeds up the scan
  • -Pn: Disables host discovery (treats host as up even if ping is blocked)

Step 3.1 Screenshot

Step 3.2 – Brute Force SSH with Hydra

Create a wordlist:

nano mywordlist.txt

Add passwords (one per line) and save. Then run:

hydra -l vboxuser -P mywordlist.txt -t 4 ssh://<Ubuntu_VM_IP>

Explanation:

  • -l vboxuser: Target username
  • -P: Path to your wordlist
  • -t 4: 4 parallel threads
  • ssh://: Specifies SSH as the target service

Step 3.2 Screenshot


Phase 4 – Analyze Ubuntu Logs

Step 4.1 – View SSH Login Attempts

sudo grep --text 'Failed password' /var/log/auth.log
sudo grep --text 'Accepted password' /var/log/auth.log

Step 4.1 Screenshot
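The two grep commands above list raw events; the detection question is whether one source produced many failures in a short time and whether it then logged in successfully. The script below is an added example for this lab, not part of the original procedure. It parses sshd "Failed password" / "Accepted password" lines from a constructed sample of /var/log/auth.log (hostname "ubuntu", the 192.168.56.0/24 addresses, process IDs and timestamps are all made up), counts failures per account, flags any source IP that reaches a threshold of failures inside a sliding time window, and flags an accepted login from an IP that had already failed repeatedly. Because traditional syslog timestamps carry no year, the parser assumes one.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (hostname, PIDs, IPs and
# timestamps are made up for this example).
SAMPLE_AUTH_LOG = """\
Jun 12 14:03:11 ubuntu sshd[1501]: Failed password for vboxuser from 192.168.56.101 port 50212 ssh2
Jun 12 14:03:12 ubuntu sshd[1501]: Failed password for vboxuser from 192.168.56.101 port 50214 ssh2
Jun 12 14:03:13 ubuntu sshd[1503]: Failed password for invalid user admin from 192.168.56.101 port 50216 ssh2
Jun 12 14:03:14 ubuntu sshd[1503]: Failed password for vboxuser from 192.168.56.101 port 50218 ssh2
Jun 12 14:03:15 ubuntu sshd[1505]: Failed password for vboxuser from 192.168.56.101 port 50220 ssh2
Jun 12 14:03:16 ubuntu sshd[1507]: Accepted password for vboxuser from 192.168.56.101 port 50222 ssh2
Jun 12 14:10:40 ubuntu sshd[1520]: Failed password for vboxuser from 192.168.56.1 port 41000 ssh2
Jun 12 14:12:02 ubuntu sshd[1522]: Accepted password for vboxuser from 192.168.56.1 port 41002 ssh2
Jun 12 14:12:05 ubuntu systemd-logind[700]: New session 5 of user vboxuser.
"""

# sshd writes one line per password attempt; "invalid user" is inserted when
# the account does not exist. Traditional syslog timestamps have no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return a list of {ts, result, user, ip} dicts for sshd password events.
    `year` is an assumption, because the log format does not record one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo, logind and other non-sshd lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def failed_attempts_by_user(events):
    """Count failed logins per account name."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Map each source IP to the largest number of failures it produced inside
    any sliding window of `window_seconds`; only IPs reaching `threshold`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale failures
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def detect_success_after_failures(events, min_failures=3):
    """Flag an 'Accepted password' from an IP that had already produced
    `min_failures` failures: the signature of a guess that eventually worked."""
    failed_so_far = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda x: x["ts"]):
        if ev["result"] == "Failed":
            failed_so_far[ev["ip"]] += 1
        elif failed_so_far[ev["ip"]] >= min_failures:
            hits.append((ev["ip"], ev["user"], failed_so_far[ev["ip"]], ev["ts"]))
    return hits


if __name__ == "__main__":
    # Usage: sudo python3 ssh_log_check.py /var/log/auth.log
    # With no argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    evs = parse_auth_log(text)
    print("failed attempts per user:", dict(failed_attempts_by_user(evs)))
    for ip, n in detect_brute_force(evs).items():
        print(f"ALERT brute force: {ip} made {n} failed logins within 60s")
    for ip, user, n, ts in detect_success_after_failures(evs):
        print(f"ALERT success after {n} failures: {user} from {ip} at {ts}")
```

On the sample, 192.168.56.101 trips both detectors (five failures in four seconds, then an accepted login), while 192.168.56.1, which fails once and then logs in, trips neither; tuning `threshold` and `window_seconds` to the host's normal traffic is what keeps the second kind of event from becoming noise.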

Step 4.2 – Look for Recon Activity in Syslog

sudo grep --text -i 'scan' /var/log/syslog
sudo grep --text -i 'nmap' /var/log/syslog
  • grep reads the file directly, so there is no need to pipe it through cat.
  • -i: Case-insensitive match.
  • Note: a SYN scan completes no connection, so a default Ubuntu install writes nothing to syslog for it. These searches only return results if a firewall with logging enabled (for example ufw) or an intrusion detection system records the probes.

Step 4.3 – Generate Logwatch Report

sudo logwatch --detail high --output mail --mailto root --range today --service all --format text
  • --detail high: Most verbose report level
  • --output mail --mailto root: Sends the report as an email to the local root mailbox instead of printing it to the terminal
  • --range today: Covers only today's log entries
  • --service all: Includes every log source Logwatch supports (sshd, sudo, kernel, ...)
  • --format text: Plain-text report rather than HTML

Step 4.3 Screenshot

Step 4.4 – View Logwatch Report via Email

sudo apt install bsd-mailx -y
sudo mail
  • bsd-mailx: Provides a simple mail command for reading a local mailbox
  • sudo mail: The Logwatch report was addressed to root, so root's mailbox must be opened; type the message number to read it and q to quit

Step 4.4 Screenshot


Lab Complete!!

We have successfully simulated attacks and validated detection via log analysis.

ISO/IEC 27001:

The ISO 27001 standard focuses on establishing and managing an Information Security Management System (ISMS). This lab demonstrates how to implement technical controls related to logging and monitoring.

Relevant controls from ISO 27001 Annex A:

  • A.5.17 Logging
  • A.5.18 Use of logging facilities
  • A.5.20 Administrator and operator logs
  • A.8.23 Segregation of duties (if running separate attacker/defender machines)
  • A.8.1 User authentication (via SSH brute force simulation)

This demonstrates a real-world implementation of the log review process required in security audits and risk assessments.