murattkarateke/soc-incident-detection-response-lab

GitHub: murattkarateke/soc-incident-detection-response-lab

An Ubuntu-based SOC defense lab project that simulates an SSH brute-force attack to demonstrate the complete incident-response workflow, from log-analysis detection to automatic banning with Fail2Ban.

Stars: 0 | Forks: 0

# 🛡️ Linux SOC Defense Lab

## 🇹🇷 Project Description

This project is a hands-on SOC (Security Operations Center) lab covering the detection and analysis of network attacks launched against Linux systems and the deployment of defense mechanisms against them. The goal, in a scenario close to a real environment, is to:

- Observe attacks
- Perform log analysis
- Develop defense mechanisms
- Improve system security

## 🇬🇧 Project Description

This project is a hands-on Security Operations Center (SOC) lab focused on detecting, analyzing, and defending against cyber attacks on Linux systems. The goal is to simulate real-world scenarios to:

- Observe attacks
- Perform log analysis
- Implement defensive mechanisms
- Improve system security posture

## 🎯 Lab Scenarios

### 🔐 1. SSH Brute-Force Attack

- Simulation of a brute-force attack against the SSH service
- Inspection of failed login attempts

📸 SSH attack

### 📊 2. Log Analysis

- Analysis of /var/log/auth.log
- Detection of suspicious IPs and activity

📸 Log analysis

### 🛡️ 3. Fail2Ban Defense

- Installation and configuration of Fail2Ban
- Automatic IP banning mechanism

📸 Fail2Ban

### 🌐 4. Nginx Status Monitoring

- Web server status checks
- Service health analysis

📸 Nginx

### 🌍 5. Web Access Logs

- Analysis of web access logs
- Inspection of traffic and requests

📸 Web logs

## 🧰 Technologies Used

- Linux (Ubuntu)
- OpenSSH
- Fail2Ban
- Nginx
- System logs (auth.log, access.log)
- Git & GitHub

## ⚙️ Setup

### 🇹🇷

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install openssh-server nginx fail2ban -y
```

### 🇬🇧

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install openssh-server nginx fail2ban -y
```

## 🔍 Key Learnings

### 🇹🇷

- How brute-force attacks work
- How to perform log analysis
- How to protect a system with Fail2Ban
- How to analyze web server logs

### 🇬🇧

- How brute force attacks work
- How to analyze logs
- How to secure systems using Fail2Ban
- How to analyze web server logs

## 📁 Project Structure

```bash
linux-soc-defense-lab/
│
├── screenshots/
│   ├── 01-ssh-bruteforce-attack.png
│   ├── 02-log-analysis.png
│   ├── 03-fail2ban-defense.png
│   ├── 04-nginx-status.png
│   └── 05-web-access.png
│
└── README.md
```

## 🔥 Attack Evidence

```bash
Failed password for root from 192.168.1.100 port 22 ssh2
Failed password for admin from 192.168.1.100 port 22 ssh2
Failed password for invalid user test from 192.168.1.100 port 22 ssh2
```

## 🔒 Fail2Ban Response

```bash
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     25
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.1.100
```

## ⚡ Attack Flow

Attacker IP → SSH brute force → Log detection → Fail2Ban triggered → IP banned

## 🧠 Detection Logic

### 🇬🇧 English

- Multiple failed SSH login attempts detected via /var/log/auth.log
- Repeated authentication failures from a single IP address
- Threshold exceeded based on Fail2Ban configuration
- Automatic banning mechanism triggered

### 🇹🇷 Turkish

- Multiple failed SSH login attempts detected via /var/log/auth.log
- Repeated failed logins observed from a single IP address
- Threshold exceeded according to the Fail2Ban configuration
- Automatic blocking mechanism triggered

## 🛡️ Security Outcome

### 🇬🇧 English

- Brute force attack successfully identified
- Malicious IP automatically blocked
- Unauthorized access attempts prevented
- System integrity maintained

### 🇹🇷 Turkish

- Brute-force attack successfully detected
- Malicious IP automatically blocked
- Unauthorized access attempts prevented
- System integrity preserved

## 🎯 Project Value

### 🇬🇧 English

This project demonstrates hands-on experience in:

- Real-world attack detection
- Log analysis and threat identification
- Automated defense mechanisms
- SOC-oriented security monitoring approach

### 🇹🇷 Turkish

This project provides practical experience in:

- Real-world attack detection
- Log analysis and threat identification
- Automated defense mechanisms
- SOC-oriented security monitoring approach

## 🚀 Purpose

### 🇹🇷

This project is a practical reference and portfolio piece for those who want to develop themselves in the field of cybersecurity.

### 🇬🇧

This project serves as a practical reference and portfolio piece for those looking to improve their cybersecurity skills.

## 👤 Author

Murat Karateke

## ⭐ Note

This project was prepared as part of a cybersecurity learning process and simulates a real-world scenario.
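The detection logic described above (repeated `Failed password` events from one source IP, compared against a Fail2Ban-style `maxretry` within a `findtime` window) is easy to reproduce outside Fail2Ban for log-analysis practice. The script below is an added example and is not part of this repository; the log lines it parses are constructed samples in the format `sshd` writes to /var/log/auth.log, the `soc-lab` hostname and the 2024 year used for timestamp parsing are assumptions, and the default threshold (5 failures in 10 minutes) mirrors a common Fail2Ban `sshd` jail setting rather than anything the README states.

```python
"""Flag source IPs whose failed SSH logins reach a threshold inside a time window.

Added example, not the repository's own code. It applies the README's detection
logic to auth.log-style lines: count "Failed password" events per IP and report
any IP that hits maxretry within a sliding findtime window (Fail2Ban semantics).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd line as written to /var/log/auth.log with the traditional syslog
# timestamp (no year). "invalid user" is optional and is dropped from `user`.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log (hostname "soc-lab" is an assumption). One host hammers
# root/admin/test within seconds; a second host has two isolated failures.
SAMPLE_LOG = """\
Mar 10 12:00:01 soc-lab sshd[1201]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 10 12:00:03 soc-lab sshd[1203]: Failed password for admin from 192.168.1.100 port 22 ssh2
Mar 10 12:00:05 soc-lab sshd[1205]: Failed password for invalid user test from 192.168.1.100 port 22 ssh2
Mar 10 12:00:07 soc-lab sshd[1207]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 10 12:00:09 soc-lab sshd[1209]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 10 12:00:10 soc-lab sshd[1210]: Accepted publickey for murat from 192.168.1.50 port 22 ssh2
Mar 10 12:05:00 soc-lab sshd[1300]: Failed password for murat from 192.168.1.50 port 22 ssh2
Mar 10 13:30:00 soc-lab sshd[1400]: Failed password for murat from 192.168.1.50 port 22 ssh2
"""


def parse_failures(text, year=2024):
    """Return {ip: [(timestamp, username), ...]} for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here);
    lines that are not sshd password failures are ignored.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    return dict(events)


def find_offenders(events, maxretry=5, findtime_seconds=600):
    """Return {ip: (total_failures, first_ts, last_ts)} for IPs that reach
    maxretry failures within any findtime-long sliding window.

    This is the same rule Fail2Ban applies: a burst of failures bans, while
    the same number of failures spread over hours does not.
    """
    window = timedelta(seconds=findtime_seconds)
    offenders = {}
    for ip, evs in events.items():
        times = sorted(ts for ts, _ in evs)
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most findtime.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = (len(times), times[0], times[-1])
                break
    return offenders


if __name__ == "__main__":
    found = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, (count, first, last) in sorted(found.items()):
        print(f"BAN candidate {ip}: {count} failures between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

Running it prints a ban candidate only for 192.168.1.100; 192.168.1.50 has two failures 85 minutes apart and stays clear under the default window, which is the distinction a SOC analyst wants before escalating a source IP. To run it against a real lab file, replace `SAMPLE_LOG` with the contents of /var/log/auth.log (root or `adm` group membership is needed to read it on Ubuntu).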
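The README mentions configuring Fail2Ban but does not show the jail file. The fragment below is an added example, not a file from this repository: the values are assumptions chosen for a lab, placed in `/etc/fail2ban/jail.local` so that the packaged `jail.conf` defaults stay untouched. `backend = systemd` is what produces the `Journal matches: _SYSTEMD_UNIT=sshd.service` line in the status output above, because the jail then reads sshd events from the journal instead of tailing /var/log/auth.log.

```ini
# /etc/fail2ban/jail.local -- added example, not the repository's own config.
# Values are lab assumptions; tune them to the host's real traffic.

[DEFAULT]
# Never ban the local host (and any admin subnet you add here).
ignoreip = 127.0.0.1/8 ::1
# Ban duration, and the window/threshold that triggers it:
# maxretry failures from one IP within findtime => ban for bantime.
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = ssh
# Read sshd events from the systemd journal rather than /var/log/auth.log.
backend = systemd
```

After editing, `sudo systemctl restart fail2ban` applies the jail and `sudo fail2ban-client status sshd` prints the status block shown in the Fail2Ban Response section, including the banned IP list.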
Tags: access.log, auth.log, Fail2Ban, automatic IP banning, Linux server, Nginx, OpenSSH, SOC lab, SSH brute force, Syslog, web server monitoring, web access logs, subdomain enumeration, hands-on security, Security Operations Center, application security, attack simulation, system security, cybersecurity, network attack and defense, network mapping, privacy protection