Monitoring and Generating Alerts for an SSH Bruteforce Attack Using Splunk

MasozeraVictor
4 min read · Apr 12, 2022

Splunk is a Security Information and Event Management (SIEM) platform that lets security teams index structured or unstructured machine-generated text and run real-time and historical searches over it, as well as build reports and statistical analyses.

Here are some of the features of Splunk Enterprise:

It can index any type of data; however, it works best with data that contain timestamps.

It provides powerful search, analysis and visualization capabilities to empower users of all types.

It creates a central repository for searching data from many different sources.

It offers hundreds of apps and add-ons that can enhance and extend the Splunk platform.

It helps you gain valuable Operational Intelligence from your machine-generated data.

A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data. Forwarders are configured to consume data from the monitored machine and forward it to Splunk indexers for processing.

A brute-force attack involves guessing usernames and passwords to gain unauthorized access to a system. A dictionary attack is one form of brute-force attack, in which the guesses come from a wordlist; it can be performed with a tool called Hydra.

In this setup, an attacker machine (Ubuntu host OS) brute-forces SSH logins on the victim machine (Kali Linux VM), and a Slack alert is triggered from Splunk.

Prerequisites:

  1. Install a Splunk instance on a machine (here, the attacker machine).
  2. Download the Splunk universal forwarder to the victim machine.
  3. Ensure the SSH service is set up and running on the victim machine.

Configure Splunk Forwarder to send logs to the Splunk Instance

Unzip the Splunk forwarder on the victim machine after downloading it. Configure the Splunk forwarder to monitor all the system logs.

Within the forwarder's /opt/splunkforwarder/bin directory, run the following:

./splunk add forward-server 192.168.43.242:9997 -auth splunk:splunk123
./splunk add monitor /var/log/ -sourcetype linux_logs -index remotelogs
./splunk restart

The value passed to -auth is the admin username and password chosen when Splunk Enterprise was downloaded and installed.

Note: The forward-server IP address is the address of the attacker machine, on which the Splunk instance is installed; port 9997 is the receiving port the indexer listens on.

Integrate Slack within the Splunk instance.

Download the Slack app from Splunkbase to integrate it with Splunk on the attacker machine.
Start the Splunk service with the command sudo ./splunk start from within the /opt/splunk/bin directory.

In the Splunk instance machine, navigate to localhost within the browser.

localhost:8000

Log in using the username and password chosen while downloading Splunk Enterprise.

Navigate to:
App: Search & Reporting -> Manage Apps

Then navigate to:
Install app from file -> Browse (upload the Slack tar file downloaded from Splunkbase)

Retrieve the incoming-webhook URL for the Slack channel and enter it in the app's webhook field.

Configure Splunk to generate an Alert.

Note: We include "sshd" in the search query because sshd is the daemon that listens for incoming connections over the SSH protocol and acts as the server side of the protocol. On Debian-based systems such as Kali, its log lines are written to /var/log/auth.log.

Real-time alert:
The index is queried in real time; set the alert to trigger when the number of results is greater than 10 in a minute.

Select Slack from the "Add Actions" drop-down menu.
Input the name of your channel: #bruteforce-alert

Input the fields to be displayed in the alert (rhost, index, source*).
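To make the alert logic concrete, here is an added example (not code from the original post and not Splunk's own alerting engine) that applies the same rule the alert above uses: sshd failure events are bucketed by minute and an alert fires when a bucket holds more than 10 results. It goes slightly beyond the Splunk alert by also grouping on rhost, so each alert names the source address, and it builds the JSON body that an incoming-webhook POST would carry. The auth.log lines, the index and source names, and the message layout are constructed for the example; the Splunk Slack app formats its own messages.

```python
import json
import re
from collections import Counter

# Constructed sample of /var/log/auth.log as written by sshd (syslog format, no year).
# Twelve failures from one source inside one minute, plus noise that must not alert.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Apr 12 10:15:{s:02d} kali sshd[{2200 + s}]: Failed password for root "
     f"from 192.168.43.242 port {40100 + s} ssh2" for s in range(12)]
    + [
        "Apr 12 10:15:30 kali sshd[2250]: Failed password for invalid user admin from 10.0.0.5 port 50001 ssh2",
        "Apr 12 10:15:31 kali sshd[2251]: Accepted password for victor from 10.0.0.7 port 50002 ssh2",
        "Apr 12 10:16:05 kali sshd[2252]: Failed password for root from 192.168.43.242 port 40200 ssh2",
        "Apr 12 10:16:06 kali CRON[2253]: pam_unix(cron:session): session opened for user root by (uid=0)",
    ]
)

# Matches only sshd "Failed password" lines and captures the minute bucket, user and rhost.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port \d+ ssh2$"
)

THRESHOLD = 10  # alert when one minute bucket holds more than this many failures


def parse_failures(log_text):
    """Yield (minute_bucket, rhost, user) for every sshd 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            bucket = f"{m['month']} {m['day']} {m['hh']}:{m['mm']}"
            yield bucket, m["rhost"], m["user"]


def detect_bruteforce(log_text, threshold=THRESHOLD):
    """Count failures per (minute, rhost) and return one alert per bucket above threshold."""
    counts = Counter((bucket, rhost) for bucket, rhost, _ in parse_failures(log_text))
    alerts = []
    for (bucket, rhost), n in sorted(counts.items()):
        if n > threshold:
            alerts.append({
                "minute": bucket,
                "rhost": rhost,
                "count": n,
                "index": "remotelogs",          # index name used in the forwarder config
                "source": "/var/log/auth.log",  # source path the forwarder monitors
            })
    return alerts


def slack_payload(alert, channel="#bruteforce-alert"):
    """Build the JSON body an incoming-webhook POST would carry for one alert.
    The message layout is an assumption for this example."""
    text = (f"SSH brute-force suspected: {alert['count']} failed logins from "
            f"{alert['rhost']} during {alert['minute']} "
            f"(index={alert['index']}, source={alert['source']})")
    return json.dumps({"channel": channel, "text": text})


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(slack_payload(a))
```

Running the block prints one payload, for the 12 failures from 192.168.43.242 in the 10:15 minute; the single failure from 10.0.0.5, the accepted login and the cron line fall below the threshold or are not sshd failures at all. Grouping by rhost is what lets a defender tell one noisy source from a slow, distributed attempt, which a plain count over all sshd events cannot.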

Attacking the Kali VM

From the attacker machine (192.168.43.242), use the Hydra tool to attempt SSH logins to the victim machine. The relevant options are:
-l #the username to try.
-P #a password wordlist file (/usr/share/dirb/wordlists/common.txt).

hydra -l root -P /usr/share/dirb/wordlists/common.txt ssh://192.168.43.101

Slack Alert

The Slack alert is generated once the alert conditions are met.
All the selected field values are displayed in the Slack alert. These values come from /var/log/auth.log on the victim, indexed in Splunk's remotelogs index.

The notification is delivered to the Slack mobile application or the website.

Thank you for reading!
