Brute Force Detection

Detect and respond to SSH and RDP brute force attacks using Wazuh active response and Windows Event Log monitoring.

Lab Environment

Ubuntu Server (SSH target + Wazuh Agent), Windows 10 (RDP target + Wazuh Agent), Kali Linux (Attacker), Wazuh Manager.

Attack Scenario

Attacker used Hydra to perform dictionary attacks against SSH (Ubuntu) and RDP (Windows) services using a common password wordlist. Attacks simulated both slow and fast brute force patterns.

Detection Method

SSH: monitored /var/log/auth.log for repeated 'Failed password' entries. Wazuh rule 5710 (SSH authentication failure) triggered aggregation alerts after 5 failures within 60 seconds.
RDP: Windows Security Event ID 4625 (failed logon) tracked with custom Wazuh rules for threshold-based alerting.
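As an added example (not code from the lab or from Wazuh), the following Python script applies the same threshold logic the detection method describes, 5 failures from one source within 60 seconds, to sshd 'Failed password' lines and to Event ID 4625 records. The sample log lines, the source IPs and the one-line flattened layout of the 4625 event are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD, WINDOW = 5, 60   # the lab's setting: 5 failures within 60 seconds
# sshd failure line as it appears in /var/log/auth.log (syslog timestamp, no year)
SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# Windows Security Event ID 4625 flattened to one line (hypothetical layout for this example)
RDP_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) EventID=4625 .*"
                    r"TargetUserName=(?P<user>\S+) .*IpAddress=(?P<ip>[\d.]+)")

def parse(line, year=2024):
    """Return (epoch_seconds, service, user, source_ip) for a failure line, else None."""
    if m := SSH_RE.match(line):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts.timestamp(), "ssh", m["user"], m["ip"]
    if m := RDP_RE.match(line):
        return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").timestamp(), "rdp", m["user"], m["ip"]
    return None

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one (service, source_ip, count) alert per burst that reaches the threshold."""
    recent, alerts = defaultdict(deque), []     # (service, ip) -> failure timestamps in window
    for line in lines:
        if (p := parse(line)) is None:
            continue                            # successful logons and unrelated lines are ignored
        ts, svc, _, ip = p
        q = recent[(svc, ip)]
        q.append(ts)
        while ts - q[0] > window:               # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((svc, ip, len(q)))
            q.clear()                           # one alert per burst, as a Wazuh frequency rule fires
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not captured from the lab
    *[f"Mar 12 10:00:{s:02d} ubuntu sshd[1201]: Failed password for invalid user admin "
      f"from 10.0.0.5 port {40000 + s} ssh2" for s in (1, 6, 11, 16, 21, 26)],   # fast burst
    "Mar 12 10:00:30 ubuntu sshd[1210]: Accepted password for bob from 10.0.0.7 port 40200 ssh2",
    *[f"Mar 12 10:{5 + t // 60:02d}:{t % 60:02d} ubuntu sshd[1300]: Failed password for root "
      f"from 10.0.0.9 port {40100 + t} ssh2" for t in (0, 50, 100, 150)],         # slow: 50 s apart
    *[f"2024-03-12T10:10:{s:02d} EventID=4625 TargetUserName=Administrator LogonType=10 "
      f"IpAddress=10.0.0.5" for s in (0, 5, 10, 15, 20)],                         # RDP burst
]

if __name__ == "__main__":
    for svc, ip, n in detect(SAMPLE_LOG):
        print(f"ALERT {svc}: {n} failed logons from {ip} within {WINDOW}s")
```

The slow attempts from 10.0.0.9 (50 seconds apart) never reach 5 within 60 seconds and produce no alert, which is the gap the slow pattern in the attack scenario probes; widening the window or lowering the threshold in detect() catches them at the cost of more noise.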