Safe Penetration Testing Labs · intermediate · ~15 min

Detect failed-login bursts in auth.log

Read a baked auth.log buffer, classify each line, count failed-login bursts per source IP.

Overview

Parse auth.log line by line, count lines of the form Failed password ... from <ip> per source IP, and return how many IPs reach a threshold.

Why it matters

This is the canonical SOC routine: separating attack noise from legitimate traffic. Every brute-force detection tool in the world starts from this five-line function.

Lesson

Why this matters

The /var/log/auth.log file is the first place a defender looks after a suspicious event. A brute-force attempt against SSH leaves a very recognisable trail: many Failed password for ... lines from the same source IP, within a short window.

This exercise teaches the detection side: read the log buffer, parse each line, count failures per IP, and report which IPs crossed a threshold.

What the file looks like

Jan 23 12:01:02 host sshd[1234]: Failed password for invalid user root from 192.0.2.7 port 5413
Jan 23 12:01:04 host sshd[1235]: Failed password for invalid user admin from 192.0.2.7 port 5414
Jan 23 12:01:08 host sshd[1240]: Accepted publickey for gilos from 10.0.0.5 port 22001

The bytes you process are static, bundled in the harness. The function never opens a real log file.

Your job

Implement a function that walks the buffer, counts Failed password for ... from <ip> lines per IP, and returns the number of distinct IPs that appear at least threshold times.

Common mistakes

  • Counting Accepted publickey as a failure. The marker string is Failed password, nothing else.
  • Forgetting that the IP token ends where the port token begins: the IP is the single token between from and port, not the rest of the line.
  • Re-adding the same IP every time it appears. Group first, count second.
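The following is an added worked example, not the harness's own solution, showing one way to do the job described above while avoiding the three mistakes listed: it walks each line's tokens, takes the IP as the token between from and port, groups failures per IP with a Counter, and only then applies the threshold. The log buffer, function names and the hostnames/IPs in it are constructed for illustration and are not part of the lesson's bundled data.

```python
from collections import Counter

# Constructed sample buffer modelled on the lines shown in the lesson (not real log data).
# It deliberately mixes valid-user and invalid-user failures, an Accepted line,
# and a non-auth line, so each of the listed mistakes would change the result.
SAMPLE_LOG = b"""Jan 23 12:01:02 host sshd[1234]: Failed password for invalid user root from 192.0.2.7 port 5413
Jan 23 12:01:04 host sshd[1235]: Failed password for invalid user admin from 192.0.2.7 port 5414
Jan 23 12:01:05 host sshd[1236]: Failed password for gilos from 192.0.2.7 port 5415 ssh2
Jan 23 12:01:08 host sshd[1240]: Accepted publickey for gilos from 10.0.0.5 port 22001
Jan 23 12:01:09 host sshd[1241]: Failed password for gilos from 10.0.0.5 port 22002 ssh2
Jan 23 12:01:11 host sshd[1242]: Failed password for invalid user test from 198.51.100.9 port 40001
Jan 23 12:01:12 host sshd[1243]: Failed password for invalid user test from 198.51.100.9 port 40002
Jan 23 12:01:13 host sshd[1244]: Failed password for invalid user test from 198.51.100.9 port 40003
Jan 23 12:01:14 host sshd[1245]: Connection closed by 198.51.100.9 port 40003 [preauth]
"""

FAILED_MARKER = b"Failed password for "


def source_ip_of_failure(line):
    """Return the source IP (str) of a 'Failed password for ... from <ip> port <n>' line,
    or None if the line is not a failed-login line.

    The IP is the token that sits between 'from' and 'port'. The scan runs right to
    left so that a username that happens to be the word 'from' cannot mislead it.
    """
    if FAILED_MARKER not in line:
        return None  # Accepted publickey, Connection closed, etc. are not failures
    tokens = line.split()
    for i in range(len(tokens) - 3, -1, -1):
        if tokens[i] == b"from" and tokens[i + 2] == b"port":
            return tokens[i + 1].decode("ascii", "replace")
    return None  # marker present but the line is truncated or malformed


def failures_per_ip(buf):
    """Group first: one Counter entry per source IP, value = number of failed logins."""
    counts = Counter()
    for line in buf.splitlines():
        ip = source_ip_of_failure(line)
        if ip is not None:
            counts[ip] += 1
    return counts


def ips_over_threshold(buf, threshold):
    """Count second: the distinct IPs with at least `threshold` failures, sorted."""
    if threshold < 1:
        raise ValueError("threshold must be a positive integer")
    return sorted(ip for ip, n in failures_per_ip(buf).items() if n >= threshold)


def count_ips_over_threshold(buf, threshold):
    """The exercise's return value: how many distinct IPs reached the threshold."""
    return len(ips_over_threshold(buf, threshold))


if __name__ == "__main__":
    for ip, n in failures_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip:>15}  {n} failed logins")
    print("IPs at/over threshold 3:", ips_over_threshold(SAMPLE_LOG, 3))
```

Grouping with a Counter keyed on the IP is what prevents the third mistake: the same IP seen three times produces one key with value 3, not three entries. The threshold is applied only after the whole buffer has been walked, so the result does not depend on line order.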

Summary

Token-walk the log, group by IP, threshold the counts. Pure string parsing on a static buffer.
