Bash Practice: Log Hunter (Mobile‑Friendly)

This lab simulates a real SOC / Helpdesk task: isolating attacker IPs from Linux authentication logs. The environment below works on mobile and desktop.

Scenario

You are investigating repeated SSH login failures. Your goal is to extract only the IP addresses associated with failed attempts.

Instructions

  1. Review the simulated auth.log file.
  2. Use grep to filter only Failed password events.
  3. Pipe the output into awk to print only the IP address field.
Jan 29 08:05:23 server sshd[1235]: Failed password for invalid user admin from 192.168.1.10 port 51234 Jan 29 08:05:25 server sshd[1236]: Failed password for root from 10.0.0.5 port 44421 Jan 29 09:15:01 server sshd[1237]: Failed password for user test from 203.0.113.9 port 33455 Jan 29 10:00:00 server CRON[1238]: (root) CMD (backup.sh)
Interview Signal:
"I filtered authentication failures and piped the results into awk to isolate attacker IPs for escalation or blocking."

Bash - Why This Matters: The Command Line in the Age of AI

In cybersecurity, the Command Line Interface (Bash) is the ground truth. While Graphical User Interfaces (GUIs) offer comfort, they hide the machinery. Bash allows you to talk directly to the kernel, bypassing the "pretty buttons" to see what is actually happening. It serves two critical roles in the industry:

  • Visibility (The Truth): GUIs summarize; Bash reveals. When a server is compromised, the attacker doesn't use a mouse. They live in the terminal. To catch them, you must be comfortable in their environment.

  • Scale (The Multiplier): You cannot secure the cloud with a mouse. Clicking a button takes a second; scripting a loop takes a second but applies to 10,000 servers instantly.

The AI Evolution Historically, the main barrier to mastering Bash was Syntax. Memorizing obscure flags took years of practice. Artificial Intelligence is changing the math.

AI tools don't just assist; they generate. However, AI lacks Intent. It will happily write a script that uses chmod 777 (insecure) because it solves the error you complained about. In this new era, you are no longer just a Writer; you are an Auditor. If you cannot read Bash, you cannot verify the AI's work.

In this lab, you will move from "memorizing commands" to "understanding logic," ensuring you remain the pilot—not the passenger.

Activity 2: The “Sloppy Perms” Audit

The Concept: “Permission 777” is the mark of a lazy developer and a happy hacker. It means anyone can read, write, or delete the file. Your job is to spot it instantly with ls -l, then fix it with chmod.

Instructions

  1. Run execute to “generate files” (simulated).
  2. Task 1: Run ls -l and identify the risk: db_config.txt has -rwxrwxrwx.
  3. Task 2: Lock it down: chmod 600 db_config.txt.
  4. Task 3: Make the deploy script executable: chmod +x deploy.sh.
  5. Task 4: Verify: run ls -l again.
Allowed commands:
execute
ls -l
chmod 600 db_config.txt
chmod +x deploy.sh
help / reset
Tip: start with execute, then run ls -l.
$
Interview Signal:
“I audit Linux permissions with ls -l, identify over-permissive files (like 777 configs), lock them down with chmod, and verify changes.”

Activity 3: The Shadow Finder (Forensics)

The Concept: Attackers hide malware using dotfiles and deep directories. As a responder, you use find to locate what ls can’t see.

Instructions

  1. Run execute to generate a compromised system.
  2. Find hidden files with find /tmp -name ".*".
  3. Find recent activity with find /tmp -mmin -60.
  4. Analyze the payload using file [path].
$
Interview Signal:
“I use find to locate hidden or recently modified files and verify suspicious artifacts with the file command.”

Activity 4: The User Investigator (Identity Persistence)

The Concept: Attackers often leave a “boring-looking” backdoor user for persistence. If its UID = 0, it has root privileges — even if it’s not named root. This is a classic identity compromise.

Instructions

  1. Run execute to load a suspicious password file.
  2. Use cat suspicious_passwd for the eye test.
  3. Reduce noise with cut -d: -f1,3 suspicious_passwd.
  4. Catch the impostor: pipe to grep ":0".
Allowed commands:
execute
cat suspicious_passwd
cut -d: -f1,3 suspicious_passwd
cut -d: -f1,3 suspicious_passwd | grep ":0"
help / reset
Tip: start with execute.
$
Interview Signal:
“I audit user persistence by inspecting passwd entries, extracting usernames and UIDs, and flagging any non-root accounts with UID 0.”

Activity 5: The Configuration Hardener (Automated Defense)

The Concept: Manual edits don’t scale. Defenders harden systems by applying **repeatable configuration changes**. sed lets you patch security settings across hundreds or thousands of servers.

Instructions

  1. Run execute to load an insecure sshd_config.
  2. Confirm the risk with grep "PasswordAuthentication" sshd_config.
  3. Apply the fix using sed -i 's/yes/no/' sshd_config.
  4. Verify the change by running your grep command again.
Allowed commands:
execute
grep "PasswordAuthentication" sshd_config
sed -i 's/yes/no/' sshd_config
help / reset
Tip: start with execute.
$
Interview Signal:
“I validate insecure configuration with grep, then automate hardening using sed so changes can be applied consistently at scale.”

Activity 6: The “Runaway” Process (Incident Response)

The Concept: When CPU usage spikes, responders don’t reboot blindly. They identify the Process ID (PID) responsible and terminate it with precision.

Instructions

  1. Run execute to simulate a rogue crypto-miner.
  2. Hunt it with ps -ef | grep sleep.
  3. Terminate it using kill [PID].
  4. Verify the process is gone.
Allowed commands:
execute
ps -ef | grep sleep
kill 4242
help / reset
Tip: start with execute.
$
Interview Signal:
“I identify runaway processes using ps, confirm the PID, and terminate them surgically with kill instead of rebooting production systems.”

Activity 7: The Evidence Collector (Forensics)

The Concept: In forensics, evidence must be preserved and transported safely. Analysts “bag and tag” artifacts using tar so nothing is altered during transfer.

Instructions

  1. Run execute to generate scattered evidence.
  2. Bag the evidence with tar -czvf evidence.tar.gz case_404_evidence.
  3. Verify the archive exists using ls -l.
  4. Inspect contents with tar -tvf evidence.tar.gz.
Allowed commands:
execute
tar -czvf evidence.tar.gz case_404_evidence
ls -l
tar -tvf evidence.tar.gz
help / reset
Tip: start with execute.
$
Interview Signal:
“I preserve forensic evidence by packaging artifacts with tar, verifying the archive, and inspecting contents without modifying them.”

Activity 8: The “Red Alert” Script (Automation)

The Concept: Monitoring scripts don’t wait for humans. They use if / else logic to decide: “IF this indicator exists, THEN raise an alert.”

Instructions

  1. Run execute to simulate a detected compromise.
  2. Write an if statement that checks for the flag file.
  3. Echo an alert message if the file exists.
  4. Echo System clean. if it does not.
Allowed commands:
execute
if [ -f /tmp/compromise_detected.flag ]
then / else / fi
echo "message"
help / reset
Tip: start with execute.
$
Interview Signal:
“I use conditional logic in Bash to automate alerts by checking for compromise indicators and responding without human intervention.”

Activity 9: The Mass Sweeper (Automation)

The Concept: Security at scale requires automation. Analysts use for loops to apply actions (like blocking IPs) across an entire threat feed in seconds.

Instructions

  1. Run execute to load the threat intelligence feed.
  2. Start the loop with for ip in $BAD_IPS; do.
  3. Add echo "Blocking target: $ip" inside the loop.
  4. Close the loop with done.
Allowed commands:
execute
for ip in $BAD_IPS; do
echo "Blocking target: $ip"
done
help / reset
Tip: start with execute.
$
Interview Signal:
“I automate repetitive security actions using Bash for loops to process threat intelligence feeds at scale.”

Activity 10: Capstone — The “First Responder” Script

The Concept: This is Blue Team engineering. Your script automatically detects an IOC, hunts the malicious process, and neutralizes it — without human intervention.

Instructions

  1. Run execute to simulate an active compromise.
  2. Detect the IOC using if [ -f "$IOC_FILE" ].
  3. Hunt the malware with TARGET_PID=$(pgrep sleep).
  4. Terminate it using kill $TARGET_PID.
  5. Confirm the system reports SUCCESS.
Allowed commands:
execute
if [ -f "$IOC_FILE" ]
TARGET_PID=$(pgrep sleep)
kill $TARGET_PID
help / reset
Tip: start with execute.
$
Interview Signal:
“I built an automated first-responder script that detects IOCs, identifies malicious processes, and terminates them without human intervention.”