Exercise 2, Chapter 07 - Monitoring Kali Services
- Install logcheck on your Kali instance
- Try brute forcing your own SSH service, and see if logcheck picks up on this and reports the attack.
- Create a cron’ed instance of logcheck, so that it runs once an hour, and creates a log file in /data/$(date-time).log
Asciinema version (allows copying text from video):
1. Install logcheck and run it for the first time:
apt-get install logcheck
sudo -u logcheck logcheck -o
2. Download password list, brute force your SSH service with hydra, check that logcheck reports it:
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/500-worst-passwords.txt
hydra -l root -P 500-worst-passwords.txt 127.0.0.1 ssh
tail -f /var/log/auth.log
sudo -u logcheck logcheck -o
(tail -f keeps running until you stop it, so watch auth.log in a second terminal or press Ctrl-C before running logcheck.)
3. Next, write a bash script similar to the following:
#!/bin/bash
# Hourly logcheck run: write the report to a timestamped file under /data/
mkdir -p /data/
sudo -u logcheck logcheck -o > /data/$(date +"%m-%d-%Y-%T").log
Make it executable and drop it in /etc/cron.hourly. Note that run-parts skips filenames containing a dot, so name the script something like logcheck-hourly rather than logcheck.sh.
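As an added example (not part of the exercise write-up above), here is a small shell script that summarises failed SSH logins per source address from auth.log-style lines. This is the kind of burst that logcheck's report should surface after step 2, and it gives a quick independent check that the brute-force attempts actually reached the log. The sample log lines are constructed, and the function name and threshold are my own choices.

```shell
#!/bin/sh
# Added example: count "Failed password" sshd events per source IP and
# report sources that reach a threshold. Not from the original write-up.

# Constructed sample of auth.log lines (not real captured data).
# In practice, feed it the contents of /var/log/auth.log instead.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:00:01 kali sshd[2101]: Failed password for root from 127.0.0.1 port 51000 ssh2
Mar  3 10:00:01 kali sshd[2102]: Failed password for root from 127.0.0.1 port 51001 ssh2
Mar  3 10:00:02 kali sshd[2103]: Failed password for invalid user admin from 127.0.0.1 port 51002 ssh2
Mar  3 10:00:02 kali sshd[2104]: Failed password for root from 127.0.0.1 port 51003 ssh2
Mar  3 10:00:03 kali sshd[2105]: Accepted publickey for kali from 192.0.2.10 port 40000 ssh2
Mar  3 10:00:04 kali sshd[2106]: Failed password for root from 192.0.2.10 port 40001 ssh2
EOF
)

# count_failures LOGTEXT THRESHOLD
# Prints "ip count" (sorted by ip) for every source with at least THRESHOLD
# failed password attempts. Lines that are not sshd failures are ignored.
count_failures() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the token right after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
    }
    END { for (a in ip) if (ip[a] >= thr) print a, ip[a] }' | sort
}

# Run on the sample with a threshold of 3 failures.
count_failures "$SAMPLE_LOG" 3
```

Run it against the real log with `count_failures "$(cat /var/log/auth.log)" 10` after the hydra run; the loopback address should dominate the output, and the same lines should show up in the logcheck report from step 2.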