Question

I am using the ELK (Elasticsearch, Logstash, Kibana) stack for log management and need to track failed login attempts effectively. My main concerns are:

• Configuring Logstash to parse login failure logs from various sources (Apache, SSH, etc.).
• Setting up Kibana visualizations and alerts for suspicious authentication failures.
• Filtering out false positives and correlating events to detect brute-force attacks.
  Any practical guides, configurations, or sample queries to achieve this would be appreciated.

Answer 1

Monitoring failed login attempts is crucial for identifying potential security threats, such as brute-force attacks, on your systems. The ELK Stack, comprising Elasticsearch, Logstash, and Kibana, provides a robust platform for aggregating, analyzing, and visualizing log data from various sources. Here's a structured approach to effectively track failed login attempts using the ELK Stack:

1. Configuring Logstash to Parse Login Failure Logs

Logstash serves as the data processing component, ingesting logs from multiple sources, parsing them, and forwarding the structured data to Elasticsearch.

• Input Configuration: Define inputs for various log sources, such as Apache and SSH.

  Example logstash.conf Input Section:

  input {
    file {
      path => "/var/log/auth.log"  # Path to SSH authentication logs
      type => "ssh_auth"
      start_position => "beginning"
    }
    file {
      path => "/var/log/apache2/access.log"  # Path to Apache access logs
      type => "apache_access"
      start_position => "beginning"
    }
  } 

• Filter Configuration: Apply filters to parse and structure the log data.

  Example Filter Section:

   filter {
    if [type] == "ssh_auth" {
      grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd\[%{NUMBER:pid}\]: Failed password for %{USERNAME:user} from %{IP:source_ip} port %{NUMBER:port} %{GREEDYDATA:message}" }
      }
      date {
        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        timezone => "UTC"
      }
    }
    else if [type] == "apache_access" {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        timezone => "UTC"
      }
    }
  }
  

These filters use Grok patterns to extract relevant fields from the logs. Ensure that the patterns match the log formats specific to your environment.

• Output Configuration: Specify Elasticsearch as the output destination.

  Example Output Section:

  output {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{type}-%{+YYYY.MM.dd}"
    }
  }
  

This configuration directs Logstash to send parsed data to Elasticsearch, organizing indices by log type and date.

2. Setting Up Kibana Visualizations and Alerts

Kibana offers powerful visualization and alerting capabilities to monitor failed login attempts.

• Creating Visualizations:

  1. Access Kibana and navigate to the "Visualize" tab.
  2. Create a new visualization (e.g., a bar chart) that displays failed login attempts over time.
  3. Configure the visualization to aggregate data based on fields like source_ip, user, and timestamp.

  This setup helps identify patterns, such as multiple failed attempts from a single IP address, indicating a potential brute-force attack.

• Setting Up Alerts:

  1. Navigate to the "Alerts and Actions" section in Kibana.
  2. Define a new alert that triggers when the number of failed login attempts exceeds a predefined threshold within a specific time frame.
  3. Configure the alert to send notifications via email, Slack, or other channels.

  Implementing alerts ensures prompt response to suspicious activities, enhancing your security posture.

3. Filtering Out False Positives and Correlating Events

To minimize false positives and accurately detect brute-force attacks:

• Implement Thresholds: Set realistic thresholds for failed login attempts. For instance, multiple failures from a single IP within a short period may warrant attention.

• Correlate with Successful Logins: Analyze sequences where multiple failures are followed by a successful login, as this may indicate a compromised account.

• Geolocation Analysis: Identify login attempts from unusual geographic locations, which could signify unauthorized access attempts.

By correlating various data points, you can distinguish between benign user behavior and malicious activities.

Practical Example: Detecting SSH Brute-Force Attacks

Consider a scenario where you want to detect SSH brute-force attacks:

1. Logstash Configuration: Use the previously mentioned input and filter configurations to process SSH authentication logs.

2. Kibana Visualization: Create a line chart in Kibana showing the number of failed SSH login attempts over time, segmented by source_ip.

3. Alerting: Set up an alert that triggers when failed SSH login attempts from a single IP exceed five attempts within ten minutes.

This approach enables real-time detection and response to potential brute-force attacks.

By implementing these configurations and continuously monitoring your logs, the ELK Stack becomes a powerful tool in safeguarding your systems against unauthorized access attempts.