Add authentication log audit tool

2026-05-11 17:04:48 +00:00
parent 452ff4fac1
commit 2da5e8b46c
5 changed files with 1064 additions and 0 deletions
@@ -0,0 +1,112 @@
+# Auth Log Audit
+
+- Overall status: WARNING
+- First seen: May 11 09:58:12
+- Last seen: May 11 10:07:48
+
+## Top Source IPs by Failed Attempts
+
+| Value | Count |
+| --- | ---: |
+| 203.0.113.50 | 7 |
+| 198.51.100.23 | 1 |
+
+## Top Usernames by Failed Attempts
+
+| Value | Count |
+| --- | ---: |
+| appuser | 3 |
+| root | 2 |
+| admin | 1 |
+| backup | 1 |
+
+## Top Source IPs by Successful Logins
+
+| Value | Count |
+| --- | ---: |
+| 10.20.30.15 | 1 |
+
+## Top Usernames by Successful Logins
+
+| Value | Count |
+| --- | ---: |
+| deploy | 1 |
+
+## Suspicious Source IPs
+
+| Value | Count |
+| --- | ---: |
+| 203.0.113.50 | 7 |
+
+## Suspicious Usernames
+
+No entries detected.
+
+## Top Event Types
+
+| Value | Count |
+| --- | ---: |
+| failed_ssh_password | 4 |
+| root_login_attempt | 2 |
+| successful_ssh_login | 1 |
+| sudo_command | 1 |
+| invalid_user_attempt | 1 |
+| disconnect_after_failed_auth | 1 |
+| failed_ssh_publickey | 1 |
+| sudo_auth_failure | 1 |
+| su_session_opened | 1 |
+| refused_user_attempt | 1 |
+
+## Sample Log Lines
+
+### failed_login
+
+```text
+May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+### invalid_user
+
+```text
+May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
+```
+
+### root_login_attempt
+
+```text
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+### sudo_failure
+
+```text
+May 11 10:04:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=/dev/pts/0 ruser=deploy rhost= user=deploy
+```
+
+### suspicious_source_ip
+
+```text
+May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
+May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+```
+
+## Operational Summary
+
+- Overall status: WARNING
+- Total lines scanned: 15
+- Authentication events detected: 15
+- Failed logins: 8
+- Successful logins: 1
+- Invalid user attempts: 1
+- Root login attempts: 2
+- Sudo usage events: 1
+- Sudo authentication failures: 1
+- su events: 1
+- Suspicious source IPs: 1
+- Suspicious usernames: 0
+- Threshold used: 5
+- Ignored users: None
@@ -0,0 +1,15 @@
+May 11 09:58:12 web01 sshd[1201]: Accepted publickey for deploy from 10.20.30.15 port 52214 ssh2: ED25519 SHA256:samplekey
+May 11 10:00:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
+May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
+May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
+May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
+May 11 10:02:11 web01 sshd[1224]: Disconnected from authenticating user root 203.0.113.50 port 45012 [preauth]
+May 11 10:03:10 web01 sshd[1231]: Failed password for appuser from 203.0.113.50 port 45101 ssh2
+May 11 10:03:14 web01 sshd[1231]: Failed password for appuser from 203.0.113.50 port 45101 ssh2
+May 11 10:03:18 web01 sshd[1231]: Failed password for appuser from 203.0.113.50 port 45101 ssh2
+May 11 10:03:41 web01 sshd[1238]: Failed publickey for backup from 198.51.100.23 port 50222 ssh2
+May 11 10:04:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=/dev/pts/0 ruser=deploy rhost= user=deploy
+May 11 10:05:02 web01 su[1244]: pam_unix(su:session): session opened for user root by deploy(uid=1001)
+May 11 10:06:31 web01 sshd[1250]: User testuser from 192.0.2.77 not allowed because not listed in AllowUsers
+May 11 10:07:48 web01 sshd[1254]: error: maximum authentication attempts exceeded for invalid user oracle from 203.0.113.50 port 45200 ssh2 [preauth]
@@ -0,0 +1,14 @@
+May 11 09:52:44 db01 sshd[2110]: Accepted publickey for admin from 10.40.10.25 port 60124 ssh2: RSA SHA256:samplekey
+May 11 09:55:10 db01 sudo[2120]:   admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart auditd
+May 11 09:55:10 db01 sudo[2120]: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
+May 11 10:00:01 db01 sshd[2130]: Failed password for invalid user postgres from 198.51.100.90 port 42101 ssh2
+May 11 10:00:03 db01 sshd[2130]: Invalid user postgres from 198.51.100.90 port 42101
+May 11 10:00:09 db01 sshd[2132]: Failed password for root from 198.51.100.90 port 42105 ssh2
+May 11 10:00:13 db01 sshd[2132]: Failed password for root from 198.51.100.90 port 42105 ssh2
+May 11 10:00:20 db01 sshd[2135]: Failed password for oracle from 198.51.100.90 port 42111 ssh2
+May 11 10:00:25 db01 sshd[2135]: Failed password for oracle from 198.51.100.90 port 42111 ssh2
+May 11 10:00:31 db01 sshd[2135]: Failed password for oracle from 198.51.100.90 port 42111 ssh2
+May 11 10:01:12 db01 su[2142]: pam_unix(su:auth): authentication failure; logname=admin uid=1000 euid=0 tty=pts/1 ruser=admin rhost= user=root
+May 11 10:01:45 db01 sshd[2149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.77  user=monitoring
+May 11 10:02:03 db01 sshd[2154]: error: PAM: User not known to the underlying authentication module for illegal user deploy from 203.0.113.77
+May 11 10:02:36 db01 sshd[2159]: Disconnecting authenticating user oracle 198.51.100.90 port 42111: Too many authentication failures [preauth]