Detecting a brute-force attack

Brute forcing SSH (on Linux) or RDP (on Windows) are common attack vectors. Wazuh provides out-of-the-box rules capable of identifying brute-force attacks by correlating multiple authentication failure events.

To see an example use case where you configure an active response to block the IP of an attacker, check the Blocking attacks with Active Response section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  • Make sure you have SSH installed and enabled in a system chosen to play as an attacker.

  • Install Hydra on an external Linux system to execute brute-force attacks.

    # yum install -y hydra
    
    # apt install -y hydra
    

Steps to generate the alerts

  1. Replace <ubuntu.agent.endpoint> for Linux and <win.agent.endpoint> for Windows with the appropriate destination in the following commands and run multiple failed authentication failure attempts against the monitored endpoints.

    • For the monitored Linux endpoint:

      # hydra -l badguy -p wrong_password <ubuntu.agent.endpoint> ssh
      
    • For the monitored Windows endpoint:

      # hydra -l Administrator -p wrong_password <win.agent.endpoint> rdp
      

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • Linux: rule.id:(5710 OR 5712). Other related rules are 5711, 5716, 5720, 5503, 5504.

  • Windows: rule.id:(60122 OR 60137 OR 60204)