Mission 286

Incident suspicious login

Search auth evidence and SSH policy together.

Troubleshooting
8 minutes Advanced Lesson 286 of 360
grepjournalctl
Lesson 286 of 360 0/360 lessons 0/17 missions Troubleshooting · 8 minutes
0%
Continue View profile
Ops lab terminal Training lab
New learnerrank 0XP 0%complete
learner@clairos:/home/learner $ Unix ops lab: type a command, press Enter
Instructions 8 minutes

Click any instruction for the command details, the why, and the common mistake to avoid.

Find denied logins

Run grep denied /var/log/auth.log.

grep denied /var/log/auth.log
Read recent SSH journal

Run journalctl -u ssh -n 2.

journalctl -u ssh -n 2
Check root policy

Run grep PermitRootLogin /etc/ssh/sshd_config.

grep PermitRootLogin /etc/ssh/sshd_config
Lesson support

What to notice while you play.

Objective

Search auth evidence and SSH policy together.

Hint

Run the commands in order and compare the outputs.

Why it matters

Junior operators build confidence by gathering evidence before changing systems.

Common mistakes
  • Skipping the inspection step.
  • Assuming one command tells the whole story.
Reference

Commands in this lesson.

grep [-i] <text> <file>

Find literal text inside a file.

journalctl -u <service>

Read simulated service journal entries.