#!/usr/bin/env python3
"""
SSH Brute Force Log Parser
Author: Alex Ojo
Description: Automatically parses Linux auth logs to detect brute force attacks
"""
import sys
from collections import defaultdict
from datetime import datetime
# Configuration
LOG_FILE = "/var/log/auth.log"  # default auth log read by parse_log; a missing or unreadable file is reported, not raised
THRESHOLD = 3 # Number of failed attempts from one source IP to flag as brute force
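def parse_log(log_file):
    """Collect failed SSH password attempts from *log_file*, grouped by source IP.

    Only lines containing ``"Failed password"`` are considered. Each such line
    is reduced to a dict with ``timestamp``, ``username`` and ``ip`` keys and
    appended, in file order, to the list for its source address.

    Args:
        log_file: Path of a syslog-style auth log (e.g. ``/var/log/auth.log``).

    Returns:
        ``defaultdict(list)`` mapping source IP -> list of attempt dicts.
        An empty dict is returned (after printing a message) when the file is
        missing or cannot be read for permission reasons.
    """
    failed_attempts = defaultdict(list)
    try:
        # Auth logs are not guaranteed to be valid UTF-8 (client-supplied
        # usernames end up in them); replace undecodable bytes instead of
        # aborting the whole scan with UnicodeDecodeError on one bad line.
        with open(log_file, "r", encoding="utf-8", errors="replace") as f:
            for line in f:
                if "Failed password" not in line:
                    continue
                attempt = _parse_failed_line(line)
                if attempt is not None:
                    failed_attempts[attempt["ip"]].append(attempt)
    except PermissionError:
        print("Permission denied. Run with sudo.")
        return {}
    except FileNotFoundError:
        print(f"Log file not found: {log_file}")
        return {}
    return failed_attempts


def _parse_failed_line(line):
    """Return the attempt dict for one ``Failed password`` line, or ``None``.

    Expected layout (classic syslog format)::

        Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from ADDR port N ssh2

    Lines that do not fit are skipped (``None``) rather than raising, so a
    single odd line does not stop the scan.
    """
    parts = line.split()
    try:
        # Classic syslog timestamp is three whitespace-separated fields.
        # NOTE(review): ISO-8601 timestamps (journald-style, one field) would
        # not be split correctly here — confirm the log format in use.
        timestamp = " ".join(parts[0:3])
        user_index = parts.index("for") + 1
        from_index = parts.index("from")
        # sshd writes "for invalid user NAME" when the account does not exist;
        # without this skip the literal word "invalid" is recorded as the
        # username, hiding which account was actually being guessed.
        if parts[user_index] == "invalid" and parts[user_index + 1] == "user":
            user_index += 2
        # An empty username leaves no token between "user" and "from".
        username = parts[user_index] if user_index < from_index else ""
        ip_address = parts[from_index + 1]
    except (ValueError, IndexError):
        return None
    return {"timestamp": timestamp, "username": username, "ip": ip_address}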
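def generate_report(failed_attempts, threshold=None):
    """Print a human-readable brute-force summary of *failed_attempts* to stdout.

    Args:
        failed_attempts: Mapping of source IP -> list of attempt dicts as
            produced by ``parse_log`` (keys ``timestamp``, ``username``, ``ip``),
            each list in log order.
        threshold: Minimum number of attempts from one IP that raises an alert.
            ``None`` (the default) uses the module-level ``THRESHOLD``.

    Returns:
        None. Targeted usernames are printed sorted and with non-printable
        characters replaced, so the report is stable and safe to echo.
    """
    print("=" * 60)
    print(" SSH BRUTE FORCE DETECTION REPORT")
    print(f" Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
    print("=" * 60)
    if not failed_attempts:
        print("\n✅ No failed login attempts detected.")
        return
    if threshold is None:
        threshold = THRESHOLD
    total_attempts = sum(len(v) for v in failed_attempts.values())
    print("\n📊 SUMMARY")
    print(f" Total Failed Attempts : {total_attempts}")
    print(f" Unique Source IPs : {len(failed_attempts)}")
    print(f"\n🚨 BRUTE FORCE ALERTS (threshold: {threshold}+ attempts)")
    print("-" * 60)
    flagged = False
    for ip, attempts in failed_attempts.items():
        if len(attempts) < threshold:
            continue
        flagged = True
        # Usernames are chosen by the remote client, i.e. attacker-controlled
        # text; strip non-printables (e.g. terminal control sequences) before
        # echoing them, and sort so the report is deterministic and diffable.
        users = sorted({_printable(a["username"]) for a in attempts})
        print(f"\n⚠️ IP Address : {ip}")
        print(f" Total Attempts : {len(attempts)}")
        print(f" Targeted Users : {', '.join(users)}")
        # Lists are in log order, so the ends are the first/last sightings.
        print(f" First Attempt : {attempts[0]['timestamp']}")
        print(f" Last Attempt : {attempts[-1]['timestamp']}")
    if not flagged:
        print(" No IPs exceeded the threshold.")
    print("\n" + "=" * 60)
    print("🎯 MITRE ATT&CK: T1110 - Brute Force")
    print("🔒 NIST Control : AC-7 - Unsuccessful Login Attempts")
    print("=" * 60)


def _printable(text):
    """Return *text* with every non-printable character replaced by ``?``."""
    return "".join(ch if ch.isprintable() else "?" for ch in str(text))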
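def main(argv=None):
    """Parse the auth log and print the brute-force report.

    Args:
        argv: Command-line arguments without the program name; ``None`` means
            ``sys.argv[1:]``. The first argument, when given, is the log file
            to read instead of ``LOG_FILE`` — useful for rotated logs or a
            copy collected from another host — so the constant need not be
            edited to analyse a different file.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    log_file = args[0] if args else LOG_FILE
    print("\n🔍 Parsing authentication logs...")
    generate_report(parse_log(log_file))


if __name__ == "__main__":
    main()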