Post

Day-12 Ubuntu-24.04 Server Installation

Posted
By Cyberpengunine__
2 min read

Ubuntu-server

This is the time for creating our next server which is ubuntu server. According to logical diagram we will create a ubuntu server with ssh enabled as our target server and this is not inlcuded in our VPC just like windows server as per our last modification in logical diagram for our project infrastructure.

  1. Let’s start with deploying the new server from vultr compute service.

    new-server.png

  2. Choose the instance as shared CPU.

    shared-cpu-instance.png

  3. Select the location same as all other servers you created.

    location-mumbai.png

  4. For image we are selecting Ubuntu 24.04 operating system.

    ubuntu-image.png

  5. Now, we will select the Regular Cloud Compute plan with 1vCPU and 1GB memory.

    plan.png

  6. There is no need for any additional features so, let’s deselect all the selected features.

    no-additional-features.png

  7. Now, name your server and deploy the instance.

    servername-deploy-now.png

    mydfir-linux-Cyberpenguine.png

  8. We will wait for few minutes for instance to run and then we will use SSH to access the server.

    ssh-into-instance.png

  9. First think to do after accessing the server is to update and upgrade the server using command:

    #apt-get update && apt-get upgrade -y

    update-instance.png

  10. As a SOC analyst we are interested in logs specifically authentication logs to find out who is trying to log into our server.

    var-log.png

  11. Lets look at the authentication logs using cat command.

    #cat auth.log

    cat-authlog.png

  12. We can use grep command to look for specific keywords like failed, to display only the failed authentications from all the logs. “ -i ” is used for case-insensitive. It will search keyword regardless of the case of letters or word.

    #cat auth.log | grep -i failed

    failed-auth.png

  13. As a root user we are more insterested in looking for the login attempts with root username. so, lets look for only root related failed attempts.

    #cat auth.log | grep -i failed | grep -i root

    root-auth-failed.png

  14. We can also filter for specific column using cut command.

    #cat auth.log | grep -i root | grep -i failed | cut -d ‘ ’ -f 9

    -d is used to specify delimiter. here, the space is delimiter. it will seperate the columns as per the spaces.

    -f is used to specify the field and we want 9th column as per command above. So, it will seperate the columns by space and then display the 9th column.

    cut-1.png

    cut-9.png

These logs demonstrate a classic example of a brute force attack, a topic we covered in detail during Day 11’s blog post.

While manually examining logs can be tedious, we’ll explore tools like ELK in future posts to make this process more efficient.🤓

Explore further :

📑Understanding Linux log

🔖Options available for cut

🔖Options available for grep

MYDFIR 30Day SOC_Challenge
soc_challenge soc cybersecurity day12of30
This post is licensed under CC BY 4.0 by the author.