Monitoring and Auditing Failed Login Attempts and Intrusion Detection on CentOS Servers


On CentOS systems, several key log files track authentication attempts:

/var/log/secure - Primary authentication log (RHEL/CentOS)
/var/log/auth.log - Alternative location on some systems
/var/log/btmp - Records failed login attempts (binary)
/var/log/wtmp - Records all logins (binary)
/var/log/lastlog - Shows last login times for all users

To display recent failed login attempts from the secure log:

sudo grep "Failed password" /var/log/secure | tail -20

For a more detailed view including IP addresses:

sudo grep "Failed password" /var/log/secure | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c | sort -nr

The binary log files require special tools:

# View failed login attempts from btmp
sudo lastb -a | head -20

# View successful logins from wtmp
sudo last -a | head -20

For enterprise monitoring, consider these tools:

  • Fail2ban - Automated response to brute force attacks
  • OSSEC - Host-based intrusion detection system
  • auditd - Linux audit framework for tracking system events

Basic Fail2ban setup for SSH protection:

# Install Fail2ban
sudo yum install epel-release
sudo yum install fail2ban

# Enable and start the service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Configure SSH jail
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Example jail.local configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 3600
findtime = 600

For Apache HTTPD monitoring:

# Check for common attack patterns
sudo grep -E "(phpmyadmin|wp-login|xmlrpc|\.env)" /var/log/httpd/access_log

# Top 10 attacking IPs
sudo awk '{print $1}' /var/log/httpd/access_log | sort | uniq -c | sort -nr | head -10

Configure rsyslog for centralized logging:

# Install rsyslog
sudo yum install rsyslog

# Configure remote logging
sudo nano /etc/rsyslog.conf

Add these lines to forward logs:

# Queue directives apply to the action that follows them, so they must come before the forwarding line
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @192.168.1.100:514

CentOS maintains several critical log files that record authentication attempts:

/var/log/secure - Primary authentication log (includes SSH, sudo, local logins)
/var/log/auth.log - Alternative authentication log (on some distributions)
/var/log/btmp - Records failed login attempts (binary format)
/var/log/wtmp - Records all logins/logouts (binary format)
/var/log/lastlog - Last login times for all users

To check recent failed SSH/login attempts, use these commands:

# View raw secure log entries
sudo grep "Failed password" /var/log/secure

# Get a count of failed attempts per user
sudo grep "Failed password" /var/log/secure | awk '{print $9}' | sort | uniq -c | sort -nr

# View failed login attempts from btmp
sudo lastb -a

# View all successful logins
sudo last -a

For comprehensive monitoring of penetration attempts across services:

1. Install and Configure Fail2Ban

sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable --now fail2ban

# Basic configuration (/etc/fail2ban/jail.local)
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 600
maxretry = 5

[sshd]
enabled = true

2. Implement Centralized Logging with rsyslog

# Configure /etc/rsyslog.conf to log auth messages to separate file
# (sshd on CentOS logs to the authpriv facility, so auth alone would miss SSH failures)
auth,authpriv.* /var/log/auth.log

# Restart rsyslog
sudo systemctl restart rsyslog

3. Monitor HTTPD Access Patterns

# Check for suspicious HTTP requests
sudo grep -E '404|500|403' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr

# Real-time monitoring
sudo tail -f /var/log/httpd/access_log | grep -E 'wp-login|admin|\.php'

sudo yum install logwatch
# Configure /usr/share/logwatch/default.conf/logwatch.conf
MailTo = admin@yourdomain.com
Detail = High
Service = All

For enterprise environments, consider forwarding logs to:

  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • Splunk
  • Graylog
  • OSSEC

#!/bin/bash
# Security audit script for CentOS

echo "===== FAILED LOGIN ATTEMPTS ====="
sudo lastb -a | head -20

echo -e "\n===== RECENT SUCCESSFUL LOGINS ====="
sudo last -a | head -10

echo -e "\n===== SUSPICIOUS HTTP REQUESTS ====="
sudo tail -1000 /var/log/httpd/access_log | grep -E 'wp-login|admin|\.php' | awk '{print $1,$7}' | sort | uniq -c | sort -nr | head -20

echo -e "\n===== CURRENT BANNED IPS (Fail2Ban) ====="
sudo fail2ban-client status sshd | grep "Banned IP list"
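As an added example that is not part of either answer above: a Python parser for the "Failed password" lines in /var/log/secure that handles the "invalid user" variant (which shifts the awk field numbers, so the `$9` and `$9,$11` one-liners above count the word "invalid" as a user name) and flags source IPs that cross a fail2ban-style maxretry/findtime threshold. The log lines are constructed sample data and the year is an assumption, since syslog timestamps omit it.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar  3 10:15:03 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:06 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 40114 ssh2
Mar  3 10:15:09 web01 sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Mar  3 10:30:00 web01 sshd[2201]: Failed password for alice from 198.51.100.7 port 50111 ssh2
Mar  3 11:30:00 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 50222 ssh2
Mar  3 11:40:00 web01 sshd[2401]: Failed password for alice from 198.51.100.7 port 50333 ssh2
"""
# The optional "invalid user " prefix shifts awk's $9/$11 fields; an optional regex group does not care.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failed_logins(lines, year=2024):
    """Yield (timestamp, user, ip, is_invalid_user); syslog omits the year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"], bool(m["invalid"])

def failures_per_user(lines):
    # Same intent as `awk '{print $9}'`, but "admin"/"oracle" are counted, not the word "invalid".
    return Counter(user for _ts, user, _ip, _inv in parse_failed_logins(lines))

def brute_force_sources(lines, maxretry=3, findtime=600):
    """{ip: total_failures} for IPs with >= maxretry failures in any findtime-second window (fail2ban semantics)."""
    by_ip = defaultdict(list)
    for ts, _user, ip, _inv in parse_failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        window = deque()  # sliding window of timestamps no older than findtime seconds
        for ts in sorted(stamps):
            window.append(ts)
            while (ts - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) >= maxretry:
                flagged[ip] = len(stamps)
                break
    return flagged
```

On a live host, pass `open("/var/log/secure")` (run with sudo) instead of `SAMPLE_LOG.splitlines()`; with the sample, `brute_force_sources` flags only 203.0.113.5, since the three attempts against alice are spread over more than 600 seconds.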