How to investigate suspicious SSH logins without giving AI a shell
The article discusses how to investigate suspicious SSH logins effectively without compromising system integrity. It emphasizes the importance of gathering evidence in a read-only manner to avoid altering the host or producing unverifiable results. Key steps include analyzing authentication patterns, account context, session activity, and potential persistence changes.
- Investigating suspicious SSH logins often starts with identifying failed attempts or unusual login times.
- A read-only evidence collection approach is recommended to prevent altering the system during the investigation.
- The initial report should focus on authentication patterns, account context, session activity, and any changes in persistence.
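One way to build the read-only authentication-pattern summary those steps describe, as an added example that is not from the article: it parses constructed sshd log lines held in a string (nothing is executed on, or written to, the host) and flags accepted logins that are for root, fall outside an assumed working-hours window, or follow failed attempts from the same address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd lines in syslog format (year assumed 2024); not real data.
SAMPLE_LOG = """\
May 29 02:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
May 29 02:14:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
May 29 02:14:05 web1 sshd[2103]: Failed password for root from 203.0.113.9 port 51130 ssh2
May 29 02:14:09 web1 sshd[2105]: Accepted password for root from 203.0.113.9 port 51140 ssh2
May 29 09:30:12 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
May 29 10:02:44 web1 sshd[2310]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyze_ssh_auth(log_text, year=2024, work_hours=(8, 18)):
    """Summarise sshd authentication events from log text.

    Read-only by construction: the input is a string (e.g. a copied auth.log
    or journal export), so the analysis cannot alter the host being examined.
    Returns failed attempts per source IP and each accepted login with flags.
    """
    failed_by_ip = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth result line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed":
            failed_by_ip[m["ip"]] += 1
            continue
        flags = []
        if m["user"] == "root":
            flags.append("root-login")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            flags.append("off-hours")  # assumed working-hours window
        if failed_by_ip[m["ip"]] > 0:
            flags.append("after-failures")  # same IP failed earlier in the log
        accepted.append({"time": ts.isoformat(), "user": m["user"],
                         "ip": m["ip"], "method": m["method"], "flags": flags})
    return {"failed_by_ip": dict(failed_by_ip), "accepted": accepted}

if __name__ == "__main__":
    report = analyze_ssh_auth(SAMPLE_LOG)
    print("failed attempts by IP:", report["failed_by_ip"])
    for login in report["accepted"]:
        print(login)
```

Feeding the function a real export rather than the sample gives the same per-IP and per-login summary; the flags are review prompts for the analyst, not verdicts.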
Opening excerpt (first ~120 words)
Qimin Zhao, posted on May 29
#incidentresponse #linux #security #opensource

A lot of Linux incident response starts with a login question, not a malware sample. Someone sees a spike of failed SSH attempts. A root login appears in the wrong time window. A service account logs in from an address nobody recognizes. A helpdesk ticket says "the server looks weird" and the only concrete clue is a username or IP address.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.