Brute Force Attack Detection

LogZilla documentation for Brute Force Attack Detection

Brute Force Attack Detection and Response

Brute force attack detection requires correlating multiple failed authentication attempts over time, followed by intelligent automated responses. LogZilla's architecture separates correlation logic (SEC) from response automation (triggers), enabling sophisticated threat response workflows.

Prerequisites: Ensure Event Correlation is enabled and forwarder reloading is available as shown in the Event Correlation Overview.

Basic Brute Force Detection

LogZilla Forwarder Configuration

Required App: linux__pam app (for PAM User Tracking and PAM Remote Host user tags)

yaml
# /etc/logzilla/forwarder.d/brute-force-detection.yaml
type: sec
sec_name: brute-force-monitoring
rules:
  - match:
      - field: program
        op: "eq"
        value: ["sshd", "ftpd", "httpd", "rdp"]
      - field: message
        op: "=~"
        value: "(Failed password|authentication failure|Invalid user)"
    rewrite:
      message: "AUTH_FAILED $MESSAGE"

SEC Rule: Failed Login Threshold Detection

text
# Count failed login attempts per user/IP combination
type=SingleWithThreshold
ptype=SubStr
pattern=AUTH_FAILED
desc=Brute force attack detected
action=eval %username $ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_PAM_REMOTE_HOST}; \
       eval %target_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-SECURITY -p local0.alert \
       "BRUTE_FORCE_DETECTED username=\"%username\" src_ip=\"%src_ip\" target=\"%target_host\"")
thresh=5  # 5 failed attempts
window=300  # within 5 minutes

LogZilla Trigger: Brute Force Response

yaml
name: "Brute Force Attack Response"
filter:
  - field: program
    op: eq
    value: SEC-SECURITY
  - field: message
    op: "=~"
    value: "BRUTE_FORCE_DETECTED"
actions:
  exec_script: true
  script_path: "/usr/local/bin/brute-force-response.sh"
  issue_notification: true
  send_webhook: true
  send_webhook_template: |
    {
      "alert_type": "brute_force_attack",
      "username": "{{event:ut:username}}",
      "source_ip": "{{event:ut:src_ip}}",
      "target_host": "{{event:ut:target}}",
      "service": "{{event:ut:service}}",
      "attempts": "{{event:ut:attempts}}"
    }

Intelligent Response Script

bash
#!/bin/bash
# /usr/local/bin/brute-force-response.sh
# Called by SEC shellcmd - receives data via command-line arguments

USERNAME="$1"
SRC_IP="$2"
TARGET_HOST="$3"
SERVICE="$4"

# Query threat intelligence for IP reputation
IP_REPUTATION=$(curl -s "https://threat-intel.company.com/ip/$SRC_IP")

# Check if user account is service account or human
ACCOUNT_TYPE=$(curl -s "https://identity.company.com/api/account-type/$USERNAME")

# Make intelligent blocking decision
if [[ "$IP_REPUTATION" == "known_malicious" ]]; then
    # Block immediately for known bad IPs
    iptables -A INPUT -s "$SRC_IP" -j DROP
    logger -t SECURITY-RESPONSE "Blocked known malicious IP: $SRC_IP"
    
    # Create high-priority incident
    curl -X POST "https://servicedesk.company.com/api/incidents" \
         -d "priority=high&subject=Malicious IP Brute Force&details=IP: $SRC_IP, Target: $USERNAME@$TARGET_HOST"
         
elif [[ "$ACCOUNT_TYPE" == "service_account" ]]; then
    # Service account attacks are high priority
    logger -t SECURITY-RESPONSE "Service account brute force: $USERNAME from $SRC_IP"
    
    # Temporarily disable service account
    curl -X POST "https://identity.company.com/api/disable-account" -d "username=$USERNAME&reason=brute_force"
    
    # Alert operations team immediately
    curl -X POST "https://slack.company.com/api/webhooks/ops-alerts" \
         -d "text=URGENT: Service account $USERNAME under brute force attack from $SRC_IP"
         
else
    # Standard user account - rate limit and monitor
    # Implement temporary IP blocking with auto-expiry
    iptables -A INPUT -s "$SRC_IP" -j DROP
    echo "iptables -D INPUT -s $SRC_IP -j DROP" | at now + 1 hour
    
    logger -t SECURITY-RESPONSE "Temporarily blocked $SRC_IP for brute force against $USERNAME"
    
    # Create standard priority ticket
    curl -X POST "https://servicedesk.company.com/api/tickets" \
         -d "priority=medium&subject=Brute Force Attack&details=User: $USERNAME, IP: $SRC_IP"
fi

Advanced Brute Force Patterns

Distributed Brute Force Detection

Detect coordinated attacks from multiple source IPs targeting the same user.

SEC Rule: Distributed Attack Detection

text
# Track failed logins per username across multiple IPs
type=SingleWithThreshold
ptype=SubStr
pattern=AUTH_FAILED
desc=Distributed brute force attack against user
action=eval %username $ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}; \
       eval %ip_count (shellcmd_output("grep 'AUTH_FAILED.*user=%username' /var/log/sec/auth-events.log | awk '{print $4}' | sort -u | wc -l")); \
       if (%ip_count >= 5) { \
           shellcmd (logger -t SEC-SECURITY -p local0.crit \
           "DISTRIBUTED_BRUTE_FORCE user=%username ip_count=%ip_count"); \
       }
thresh=20
window=600

Password Spray Detection

Detect password spray attacks (same password against multiple users).

SEC Rule: Password Spray Detection

text
# Detect multiple users being targeted from same IP
type=SingleWithThreshold
ptype=SubStr
pattern=AUTH_FAILED
desc=Password spray attack detected
action=eval %src_ip $ENV{EVENT_USER_TAGS_SRCIP}; \
       eval %user_count (shellcmd_output("grep 'AUTH_FAILED.*src_ip=%src_ip' /var/log/sec/auth-events.log | awk '{print $3}' | sort -u | wc -l")); \
       if (%user_count >= 10) { \
           shellcmd (logger -t SEC-SECURITY -p local0.alert \
           "PASSWORD_SPRAY_DETECTED src_ip=%src_ip user_count=%user_count"); \
       }
thresh=50
window=1800

Successful Login After Brute Force

Compromise Detection Pattern

Detect successful logins that occur shortly after brute force attempts, indicating potential credential compromise.

SEC Rule: Post-Brute Force Success Detection

text
# Create context for brute force attacks
type=Single
ptype=SubStr
pattern=BRUTE_FORCE_DETECTED
desc=Tracking brute force attack for compromise detection
action=eval %username $ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_PAM_REMOTE_HOST}; \
       create BRUTE_FORCE_ACTIVE_%username_%src_ip 3600; \
       write /var/log/sec/brute-force-tracking.log %username %src_ip (time())

# Detect successful login after brute force
type=Single
ptype=SubStr
pattern=AUTH_SUCCESS
context=BRUTE_FORCE_ACTIVE_$ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}_$ENV{EVENT_USER_TAGS_PAM_REMOTE_HOST}
desc=Successful login after brute force attack - potential compromise
action=eval %username $ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_PAM_REMOTE_HOST}; \
       eval %target_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-SECURITY -p local0.crit \
       "CREDENTIAL_COMPROMISE_SUSPECTED user=%username src_ip=%src_ip target=%target_host"); \
       delete BRUTE_FORCE_ACTIVE_%username_%src_ip

LogZilla Trigger: Compromise Response

yaml
name: "Credential Compromise Response"
filter:
  - field: program
    op: eq
    value: SEC-SECURITY
  - field: message
    op: "=~"
    value: "CREDENTIAL_COMPROMISE_SUSPECTED"
actions:
  exec_script: true
  script_path: "/usr/local/bin/credential-compromise-response.sh"
  send_email: true
  send_email_template: |
    Subject: CRITICAL: Potential Credential Compromise
    
    User: {{event:ut:username}}
    Source IP: {{event:ut:src_ip}}
    Target Host: {{event:ut:target}}
    
    Successful login detected after brute force attack.
    Immediate investigation required.

Cross-Service Brute Force Detection

Multi-Service Attack Correlation

Detect attackers attempting brute force across multiple services (SSH, RDP, HTTP).

SEC Rule: Cross-Service Correlation

text
# Track authentication attempts across services per IP
type=EventGroup3
ptype=SubStr
pattern=AUTH_FAILED
context=($ENV{EVENT_PROGRAM} eq "sshd")
thresh=5
ptype2=SubStr
pattern2=AUTH_FAILED
context2=($ENV{EVENT_PROGRAM} eq "rdp") && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "$ENV{EVENT_USER_TAGS_SRCIP}")
thresh2=3
ptype3=SubStr
pattern3=AUTH_FAILED
context3=($ENV{EVENT_PROGRAM} eq "httpd") && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "$ENV{EVENT_USER_TAGS_SRCIP}")
thresh3=5
desc=Multi-service brute force attack from $ENV{EVENT_USER_TAGS_SRCIP}
action=eval %src_ip $ENV{EVENT_USER_TAGS_SRCIP}; \
       shellcmd (logger -t SEC-SECURITY -p local0.alert \
       "MULTI_SERVICE_BRUTE_FORCE src_ip=%src_ip services=ssh,rdp,http")
window=900

Time-Based Attack Pattern Detection

Off-Hours Attack Detection

Detect brute force attacks occurring during unusual hours for additional context.

SEC Rule: Time-Based Correlation

text
# Enhanced brute force detection with time context
type=SingleWithThreshold
ptype=SubStr
pattern=AUTH_FAILED
desc=Brute force attack with time analysis
action=eval %username $ENV{EVENT_USER_TAGS_PAM_USER_TRACKING}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_PAM_REMOTE_HOST}; \
       eval %hour (strftime("%H", time())); \
       eval %day_of_week (strftime("%u", time())); \
       eval %time_context "normal"; \
       if ((%hour < 6) || (%hour > 22) || (%day_of_week > 5)) { \
           %time_context = "suspicious"; \
       } \
       shellcmd (logger -t SEC-SECURITY -p local0.alert \
       "BRUTE_FORCE_DETECTED user=%username src_ip=%src_ip time_context=%time_context hour=%hour")
thresh=8
window=300

Related Topics

Brute Force Attack Detection | LogZilla Documentation