- Executive Summary
- Lab Objectives
- Environment Overview
- Operational Workflow
- Threat Simulation
- Log Acquisition & Analysis
- Detection Engineering Insights
- Evidence
- Conclusions
- Next Steps
This lab demonstrates SOC analyst fundamentals by generating and analyzing SSH authentication activity on a Linux system.
Both successful and failed SSH login attempts were intentionally produced to simulate attacker behavior.
These events create logs that are essential for brute-force detection, threat hunting, and SIEM correlation.
All evidence is documented and stored in the evidence/ directory.
- Validate Ubuntu network connectivity
- Trigger SSH authentication events from a Kali host
- Analyze SSH logs using `journalctl`
- Identify failed login and brute-force indicators
- Document evidence using SOC-style structure
- Push all work to GitHub using a fine-grained PAT
Target Host: Ubuntu Linux
Attacker Host: Kali Linux
Hypervisor: VMware Workstation
Tools Used:
- SSH client
- `journalctl`
- ICMP (`ping`)
- Git + GitHub
- Fine-grained Personal Access Token (PAT)
Ensured the Ubuntu VM had network access using ICMP:
```bash
ping -c 4 8.8.8.8
```
Triggered authentication attempts from the Kali attacker VM:
- Valid user login
- Invalid password attempts
- Invalid user attempts
This produces realistic authentication artifacts needed for SOC analysis.
Collected relevant logs using:
```bash
sudo journalctl -u ssh --no-pager | tail -20
```
Simulated adversary-style activity by attempting:
- Incorrect passwords
- Logins using invalid users
- Repeated authentication attempts
This produces high-value log signals and supports brute-force detection logic.
Connectivity Test:
```bash
ping -c 4 8.8.8.8
```
SSH Log Review:
```bash
sudo journalctl -u ssh --no-pager | tail -20
```
```text
Feb 20 10:55:09 ubuntu sshd[1432]: Failed password for invalid user testuser from 192.168.58.130 port 42318 ssh2
Feb 20 10:55:11 ubuntu sshd[1432]: PAM authentication failure; rhost=192.168.58.130
Feb 20 10:56:02 ubuntu sshd[1500]: Accepted password for eric from 192.168.58.130 port 42355 ssh2
```
- Failed login attempts clearly logged (`Failed password`)
- Invalid user enumeration visible
- Accepted authentication logged with session details
- Source IP recorded for all attempts
- Clear timestamps allow timeline reconstruction
These logs are essential for detecting brute-force activity or unauthorized access attempts.
SSH authentication logs support multiple SOC and SIEM use cases:
- Repeated failed SSH logins from the same source
- Multiple username attempts from one IP
- Failed → successful login sequences
- Authentication attempts from abnormal IP ranges
- Password guessing behavior over a short timeframe
These logs can support:
- Detection rule development
- Threat hunting queries
- Incident triage
- Behavioral anomaly detection
This lab builds foundational detection capabilities.
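The detection patterns listed above, turned into working logic as an added example (not part of the original lab): it parses `sshd` lines in the `journalctl` format shown in the evidence and flags repeated failures from one source IP inside a time window and a success from an IP that failed shortly before. The sample lines, the threshold of 3 failures in 60 seconds and the assumed year 2024 (journalctl's short format omits it) are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the journalctl sshd format used in the lab; not real captured logs.
SAMPLE_LOG = """\
Feb 20 10:55:09 ubuntu sshd[1432]: Failed password for invalid user testuser from 192.168.58.130 port 42318 ssh2
Feb 20 10:55:12 ubuntu sshd[1432]: Failed password for invalid user admin from 192.168.58.130 port 42320 ssh2
Feb 20 10:55:15 ubuntu sshd[1433]: Failed password for eric from 192.168.58.130 port 42322 ssh2
Feb 20 10:55:20 ubuntu sshd[1434]: Failed password for eric from 192.168.58.130 port 42330 ssh2
Feb 20 10:56:02 ubuntu sshd[1500]: Accepted password for eric from 192.168.58.130 port 42355 ssh2
Feb 20 11:10:00 ubuntu sshd[1600]: Failed password for eric from 192.168.58.1 port 50000 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_events(text, year=2024):
    """Return (timestamp, result, user, ip) tuples; lines that are not auth outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "PAM authentication failure" notices carry no user/outcome pair
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(events, threshold=3, window_s=60):
    """Emit ('brute_force', ip, users) when an IP reaches `threshold` failures within `window_s`
    seconds, and ('failed_then_success', ip, [user]) when a success follows recent failures."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...] still inside the window
    alerts = []
    for ts, result, user, ip in sorted(events):
        recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window_s]
        failures[ip] = recent
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) == threshold:  # fire once when the threshold is crossed
                alerts.append(("brute_force", ip, sorted({u for _, u in recent})))
        elif recent:  # Accepted login from a source with failures in the window
            alerts.append(("failed_then_success", ip, [user]))
    return alerts
```

The lone failure from 192.168.58.1 never reaches the threshold and produces no alert, which is the behaviour you want for a user who mistypes a password once.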
All screenshots are stored in the evidence/ directory:
These files document each major stage of the lab and validate all findings.
- SSH authentication logs provide reliable visibility into unauthorized access attempts.
- Failed login attempts are strong signals of brute-force or credential misuse.
- This lab successfully captured, analyzed, and documented SSH authentication events.
- The repository now reflects a professional SOC-style documentation structure suitable for job applications and portfolio use.
To continue developing detection and investigation skills:
- SOC Lab 05 — Linux Log Analysis & Security Monitoring
- Investigate system logs for suspicious activity
- Identify privilege escalation attempts and abnormal user behavior
- Develop detection techniques based on authentication and system logs
This builds the foundation for real SOC workflows involving host-based monitoring and incident investigation.