Safe Penetration Testing Labs · intermediate · ~12 min
Aggregate per-IP failure counts from a sample auth log.
Brute-force attempts look like many failures from one source in a short window. A defensive detector reads /var/log/auth.log-style fixtures, counts failures per IP, and flags IPs above a threshold.
This is the building block of tools like fail2ban. Exercises parse a static sample file — never live logs from systems you don't own.
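A sketch of the detector described above, as an added example that is not part of the lab's own code. The log lines are a constructed fixture using documentation-range IPs, and the function name, the threshold of 3, the 60-second window and the `year` parameter are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed fixture in auth.log style; IPs are documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:00:01 lab sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 08:00:03 lab sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 10 08:00:05 lab sshd[1001]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 40003 ssh2
Mar 10 08:00:09 lab sshd[1001]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 10 08:05:00 lab sshd[1002]: Failed password for alice from 198.51.100.20 port 50001 ssh2
Mar 10 08:15:00 lab sshd[1003]: Failed password for alice from 198.51.100.20 port 50002 ssh2
Mar 10 08:25:00 lab sshd[1004]: Failed password for alice from 198.51.100.20 port 50003 ssh2
Mar 10 08:35:00 lab sshd[1005]: Failed password for alice from 198.51.100.20 port 50004 ssh2
Mar 10 08:35:20 lab sshd[1005]: Accepted password for alice from 198.51.100.20 port 50005 ssh2
"""

# The username is attacker-controlled, so the greedy ".*" makes the match
# anchor on the LAST " from <ip> port <n> ssh2" at end of line.
FAILED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$"
)

def flag_bruteforce(lines, threshold=3, window=timedelta(seconds=60), year=2024):
    """Return {ip: peak failures inside any window} for IPs above threshold."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    peak = defaultdict(int)       # ip -> largest in-window count seen
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        # Syslog timestamps carry no year; `year` is an assumed parameter.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[m.group(2)] = max(peak[m.group(2)], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failures within 60s")
```

Both sources have four failures in the fixture, but only the one whose failures fall inside a single window is flagged; the third line shows why the source address must be taken from the end of the line and not from the first "from" in the message.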