Investigating Unauthorized SSH Access Attempts Using ELK SIEM

Investigate unauthorized SSH access attempts on a target Linux machine using ELK SIEM

Self-Paced by Rajneesh Gupta

Overview

This project focuses on detecting and investigating unauthorized SSH access attempts on a Linux machine using the ELK (Elasticsearch, Logstash, Kibana) SIEM stack. You will configure log forwarding, analyze authentication logs, and build visualizations to identify brute-force attempts, suspicious login patterns, and potential account compromise. By simulating real attack scenarios, you will learn how attackers probe SSH services, how failed and successful logins appear in system logs, and how to use ELK for threat detection, investigation, and response.

  • Analyze SSH activity in Kibana, identifying patterns such as repeated failed logins, brute-force sequences, suspicious source IPs, and unusual login times.

  • Detect unauthorized access attempts by correlating failed and successful SSH events, highlighting possible compromise or credential guessing attacks.

  • Simulate real-world attack scenarios, including brute-force attempts and unauthorized login behavior, to understand how malicious SSH activity appears in ELK dashboards.

What You'll Learn

  • Configuring ELK for SSH Log Monitoring

    Learn how to set up Elasticsearch, Logstash, and Kibana to ingest and parse Linux authentication logs for real-time visibility.

  • Analyzing SSH Authentication Activity in Kibana

    Understand how to detect repeated failed logins, brute-force sequences, suspicious source IPs, and abnormal login times using dashboards and visualizations.

  • Correlating Failed and Successful SSH Events

    Discover how to identify unauthorized access attempts by linking failed login bursts with subsequent successful logins—indicating potential credential compromise.

  • Simulating Real-World SSH Attack Scenarios

    Gain hands-on experience generating brute-force attempts, probing behavior, and unauthorized logins to observe how attackers interact with SSH services.
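The correlation described above (a burst of failed logins followed by a successful login from the same source) is normally built as a Kibana query or alert; the Python below is an added example, not course material, that runs the same logic over a few constructed auth.log lines so the pattern is concrete. Hostnames, IPs, timestamps and the 5-failures-in-5-minutes threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# Hostname, IPs and times are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web01 sshd[2411]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2413]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 02:14:05 web01 sshd[2415]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 02:14:07 web01 sshd[2417]: Failed password for deploy from 203.0.113.45 port 51028 ssh2
Mar 10 02:14:09 web01 sshd[2419]: Failed password for deploy from 203.0.113.45 port 51030 ssh2
Mar 10 02:14:12 web01 sshd[2421]: Accepted password for deploy from 203.0.113.45 port 51032 ssh2
Mar 10 02:20:00 web01 sshd[2500]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 02:20:30 web01 sshd[2502]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:00 web01 sshd[3000]: Accepted publickey for bob from 192.0.2.9 port 50000 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted ... for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2024):
    """Parse one sshd auth line; syslog timestamps lack a year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def find_suspicious_logins(log_text, threshold=5, window_seconds=300):
    """Return (ip, user, failure_count) for every successful login that was
    preceded by at least `threshold` failures from the same IP within the window."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue   # lines that are not auth results (e.g. disconnects) are ignored
        recent = [t for t in failures[ev["ip"]] if (ev["ts"] - t).total_seconds() <= window_seconds]
        failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            hits.append((ev["ip"], ev["user"], len(recent)))
            failures[ev["ip"]] = []   # one alert per burst, not one per later success
    return hits
```

In the sample, only 203.0.113.45 crosses the threshold before its successful login; alice's single typo followed by a key login does not.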

Prerequisites

  • ELK stack installed or accessible (Elasticsearch, Logstash, Kibana)
  • Basic understanding of Linux authentication logs (/var/log/auth.log)
  • Ability to configure Logstash pipelines or Filebeat for log forwarding
  • Familiarity with Kibana dashboards, search, and filtering

About Trainer

Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Related Projects

Apache Server Log Analysis using Splunk

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Practical AWS Cloud Security Posture Assessment Using Scout Suite

Identify real-world AWS attack surfaces through visual security posture analysis.

Wazuh + n8n + Anyrun: Automated Malware Analysis

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.