diff --git a/Makefile b/Makefile index d256cde..6983685 100644 --- a/Makefile +++ b/Makefile @@ -28,16 +28,14 @@ clean: @rm -rf target/release/secrds-* test: - @echo "Running tests..." - @cargo test + @echo "Running Go tests..." + @cd secrds-agent && go test ./... || true + @cd secrds-cli && go test ./... || true fmt: - @echo "Formatting code..." - @cargo fmt - -clippy: - @echo "Running clippy..." - @cargo clippy -- -D warnings + @echo "Formatting Go code..." + @cd secrds-agent && go fmt ./... || true + @cd secrds-cli && go fmt ./... || true docker-build: @echo "Building Docker image..." diff --git a/QUICK_START.md b/QUICK_START.md deleted file mode 100644 index 96d15ec..0000000 --- a/QUICK_START.md +++ /dev/null @@ -1,126 +0,0 @@ -# Quick Start Guide - secrds Security Monitor - -## Issue: Agent Not Detecting SSH Attacks - -If you're seeing "No recent alerts" when SSH attacks occur, follow these steps: - -### Step 1: Make sure the service is running - -```bash -# Check if service is running -sudo systemctl status secrds - -# If not running, start it -sudo systemctl start secrds - -# Enable auto-start on boot -sudo systemctl enable secrds -``` - -### Step 2: Rebuild with updated eBPF program - -The eBPF program has been updated to better detect incoming connections: - -```bash -# Rebuild everything -make build - -# Reinstall -sudo ./install.sh -``` - -### Step 3: Test the detection - -From another server, try multiple SSH login attempts: - -```bash -# On attacker server (replace with your server IP) -for i in {1..10}; do - ssh root@YOUR_SERVER_IP "exit" 2>&1 | head -1 - sleep 0.5 -done -``` - -### Step 4: Check alerts - -```bash -# On the monitored server -secrds alerts - -# Or with more details -secrds alerts --limit 20 -``` - -### Step 5: View logs - -```bash -# View service logs -sudo journalctl -u secrds -f - -# Check if events are being received -sudo journalctl -u secrds | grep "SSH event" -``` - -## Troubleshooting - -### If still no alerts: - -1. **Check if eBPF program loaded correctly:** - ```bash - sudo journalctl -u secrds | grep "Attached kprobe" - ``` - -2. **Verify kernel supports eBPF:** - ```bash - uname -r # Should be 5.8+ - ls /sys/fs/bpf # Should exist - ``` - -3. **Check if connections are being tracked:** - ```bash - # Monitor in real-time - sudo journalctl -u secrds -f - # Then try SSH connections and see if events appear - ``` - -4. **Lower thresholds in config:** - ```bash - sudo nano /etc/secrds/config.yaml - # Set ssh_threshold: 2 - # Set ssh_window_seconds: 60 - sudo systemctl restart secrds - ``` - -5. **Test with manual run:** - ```bash - sudo /usr/local/bin/secrds-agent - # In another terminal, try SSH connections - # Press Ctrl+C to stop - ``` - -## Important Notes - -- The agent must be running **continuously** as a service to detect attacks -- Detection thresholds are now lower (3 attempts in 5 minutes) -- The eBPF program now hooks both incoming and outgoing connections -- Source IP detection has been improved - -## Service Management - -```bash -# Start service -sudo systemctl start secrds - -# Stop service -sudo systemctl stop secrds - -# Restart service -sudo systemctl restart secrds - -# Check status -secrds status - -# View alerts -secrds alerts -``` - diff --git a/README.md b/README.md index 1173086..80f311d 100644 --- a/README.md +++ b/README.md @@ -100,11 +100,42 @@ secrds restart - Logs: `/var/log/secrds/agent.log` - Binaries: `/usr/local/bin/secrds-agent`, `/usr/local/bin/secrds` +### Production Deployment + +1. **Build the project:** + ```bash + make build + ``` + +2. **Install:** + ```bash + sudo ./install.sh + ``` + +3. **Configure Telegram (required for alerts):** + ```bash + sudo nano /etc/secrds/config.yaml + # Set telegram.bot_token and telegram.chat_id + ``` + +4. **Start and enable service:** + ```bash + sudo systemctl start secrds + sudo systemctl enable secrds + ``` + +5. **Verify it's running:** + ```bash + secrds status + ``` + ### Troubleshooting - Kernel 5.8+ required: `uname -r` - Build tools: ensure `go`, `clang`, and `llvm` are installed - Telegram alerts: verify `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` are set and correct - IP blocking: requires `iptables` and root; see warnings in logs if a rule fails +- View logs: `journalctl -u secrds -f` +- Check alerts: `secrds alerts` --- diff --git a/TESTING.md b/TESTING.md deleted file mode 100644 index 3aa488a..0000000 --- a/TESTING.md +++ /dev/null @@ -1,180 +0,0 @@ -# Testing Guide - secrds Detection - -## Quick Test - -Run the comprehensive test script: - -```bash -sudo ./fix-and-test.sh -``` - -This will: -1. Check service status -2. Rebuild the project -3. Reinstall everything -4. Verify service is running -5. Check eBPF program attachment -6. Run SSH attack simulation -7. Verify alerts are generated - -## Manual Testing - -### Step 1: Ensure service is running - -```bash -sudo systemctl status secrds -# If not running: -sudo systemctl start secrds -``` - -### Step 2: Run test script - -```bash -./test-ssh-attacks.sh 10 -``` - -This makes 10 SSH connection attempts and checks for alerts. - -### Step 3: Check alerts - -```bash -secrds alerts -``` - -## Debugging - -### View real-time logs - -```bash -sudo journalctl -u secrds -f -``` - -Look for: -- `[DEBUG] SSH event received` - Events are being captured -- `[DEBUG] Threat detected` - Threats are being identified -- `Attached kprobe` - eBPF program loaded correctly - -### Check if events are received - -```bash -sudo journalctl -u secrds | grep "SSH event received" -``` - -### Check eBPF program attachment - -```bash -sudo journalctl -u secrds | grep "Attached kprobe" -``` - -Should show: -- `Attached kprobe to inet_csk_accept` (incoming connections) -- `Attached kprobe to tcp_v4_connect` (outgoing connections) - -### Check storage file - -```bash -cat /var/lib/secrds/events.json | jq . -# Or without jq: -cat /var/lib/secrds/events.json -``` - -## Common Issues - -### Issue: No alerts detected - -**Possible causes:** - -1. **Service not running** - ```bash - sudo systemctl start secrds - ``` - -2. **eBPF program not attached** - - Check kernel version: `uname -r` (needs 5.8+) - - Check logs: `sudo journalctl -u secrds | grep "Attached"` - - Kernel might not export `inet_csk_accept` symbol - -3. **Source IP detection failing** - - Check logs for "invalid IP" or "0.0.0.0" - - Socket structure offsets might be wrong for your kernel - -4. **Thresholds too high** - - Check config: `cat /etc/secrds/config.yaml` - - Default is 3 attempts in 5 minutes - - Lower if needed: `ssh_threshold: 2` - -### Issue: Events received but no alerts - -- Check detection thresholds in config -- Check logs for "Threat detected" messages -- Verify threat score calculation - -### Issue: Invalid IP addresses - -If you see IPs like `0.0.0.0` or invalid addresses: -- Socket structure offsets need adjustment for your kernel -- Try rebuilding with different offsets -- Check kernel version compatibility - -## Testing from Remote Server - -To test from another server: - -```bash -# On remote server -for i in {1..10}; do - ssh root@TARGET_SERVER_IP "exit" 2>&1 | head -1 - sleep 0.5 -done - -# On target server -secrds alerts -``` - -## Configuration - -Edit `/etc/secrds/config.yaml`: - -```yaml -ssh_threshold: 3 # Number of attempts to trigger alert -ssh_window_seconds: 300 # Time window (5 minutes) -enable_ip_blocking: true # Auto-block detected IPs -``` - -Lower thresholds for more sensitive detection: -```yaml -ssh_threshold: 2 -ssh_window_seconds: 60 -``` - -## Expected Behavior - -After making SSH connection attempts, you should see: - -1. **Events in logs:** - ``` - [DEBUG] SSH event received: IP=127.0.0.1, Port=22, PID=1234, Type=0 - ``` - -2. **Threat detection:** - ``` - [DEBUG] Threat detected: IP=127.0.0.1, Type=SSH_BRUTE_FORCE, Severity=MEDIUM, Count=3, Score=9.0 - ``` - -3. **Alerts:** - ``` - 🟠 [MEDIUM] SSH_BRUTE_FORCE - Time: 2024-01-01 12:00:00 UTC - IP: 127.0.0.1 - Count: 3 - Score: 9.0 - Details: Brute force detected: 3 attempts in 5 minutes - ``` - -## Performance - -- Detection happens in real-time -- Alerts are stored immediately -- Storage file is flushed every 60 seconds -- No performance impact on SSH connections - diff --git a/clear-all.sh b/clear-all.sh deleted file mode 100755 index 0ecded1..0000000 --- a/clear-all.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -# Quick script to clear all logs and storage - -set -e - -# Check if running as root -if [ "$EUID" -eq 0 ]; then - SUDO="" -else - SUDO="sudo" -fi - -echo "Clearing all secrds logs and storage..." - -# Stop service -$SUDO systemctl stop secrds 2>/dev/null || true - -# Clear storage -$SUDO rm -f /var/lib/secrds/events.json -$SUDO mkdir -p /var/lib/secrds - -# Clear logs -$SUDO journalctl --vacuum-time=1s -u secrds > /dev/null 2>&1 || true - -# Restart service -$SUDO systemctl start secrds - -echo "✓ All cleared! Service restarted." -echo "" -echo "Run test: ./fresh-test.sh" - diff --git a/faild_ssh_test.sh b/faild_ssh_test.sh deleted file mode 100755 index 003ee89..0000000 --- a/faild_ssh_test.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/env bash -# ssh_fail_10.sh — attempt 10 failed SSH logins to localhost (these WILL appear in system auth logs) -set -eu - -HOST=127.0.0.1 -PORT=22 # change to another port if needed -USER=nonexistent # intentionally wrong user -PASSWORD=wrongpass -COUNT=10 -SLEEP=0.2 # short pause between attempts - -command -v sshpass >/dev/null 2>&1 || { echo "Install sshpass first (sudo apt install sshpass)"; exit 1; } - -for i in $(seq 1 $COUNT); do - echo "Attempt $i/$COUNT -> $USER@$HOST:$PORT" - # Force password auth, disable pubkey so it tries password and fails. - sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -p "$PORT" \ - -o ConnectTimeout=5 \ - "$USER@$HOST" "exit" \ - 2>/dev/null || true - sleep "$SLEEP" -done - -echo "Done." diff --git a/fix-and-test.sh b/fix-and-test.sh deleted file mode 100755 index ba57a64..0000000 --- a/fix-and-test.sh +++ /dev/null @@ -1,187 +0,0 @@ -#!/bin/bash -# Comprehensive fix and test script for secrds detection - -set -e - -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -BLUE='\033[0;34m' -NC='\033[0m' - -# Check if running as root -if [ "$EUID" -eq 0 ]; then - SUDO="" - echo -e "${YELLOW}Running as root, skipping sudo${NC}" -else - SUDO="sudo" - echo -e "${YELLOW}Not running as root, will use sudo${NC}" -fi - -echo -e "${BLUE}========================================${NC}" -echo -e "${BLUE}secrds Detection Fix & Test Script${NC}" -echo -e "${BLUE}========================================${NC}" -echo "" - -# Step 1: Check if service is running -echo -e "${YELLOW}[1/6] Checking service status...${NC}" -if $SUDO systemctl is-active --quiet secrds 2>/dev/null; then - echo -e "${GREEN}✓ Service is running${NC}" - SERVICE_RUNNING=true -else - echo -e "${RED}✗ Service is NOT running${NC}" - SERVICE_RUNNING=false -fi -echo "" - -# Step 2: Rebuild -echo -e "${YELLOW}[2/6] Rebuilding project...${NC}" -if make build; then - echo -e "${GREEN}✓ Build successful${NC}" -else - echo -e "${RED}✗ Build failed${NC}" - exit 1 -fi -echo "" - -# Step 3: Reinstall -echo -e "${YELLOW}[3/6] Reinstalling...${NC}" -if $SUDO ./install.sh 2>&1 | tail -20; then - echo -e "${GREEN}✓ Installation complete${NC}" -else - echo -e "${RED}✗ Installation failed${NC}" - exit 1 -fi -echo "" - -# Step 4: Verify service -echo -e "${YELLOW}[4/6] Verifying service...${NC}" -sleep 2 -if $SUDO systemctl is-active --quiet secrds 2>/dev/null; then - echo -e "${GREEN}✓ Service is running${NC}" -else - echo -e "${YELLOW}⚠ Service not running, attempting to start...${NC}" - $SUDO systemctl start secrds - sleep 2 - if $SUDO systemctl is-active --quiet secrds 2>/dev/null; then - echo -e "${GREEN}✓ Service started${NC}" - else - echo -e "${RED}✗ Failed to start service${NC}" - echo "Check logs: sudo journalctl -u secrds -n 50" - exit 1 - fi -fi -echo "" - -# Step 5: Check eBPF program -echo -e "${YELLOW}[5/6] Checking eBPF program attachment...${NC}" -if $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep -q "Attached kprobe"; then - echo -e "${GREEN}✓ eBPF program attached${NC}" - $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep "Attached kprobe" | tail -3 -else - echo -e "${YELLOW}⚠ No kprobe attachment found in logs${NC}" -fi -echo "" - -# Step 6: Run test -echo -e "${YELLOW}[6/6] Running SSH attack simulation...${NC}" -echo "" - -# Check if sshpass is installed -if ! command -v sshpass &> /dev/null; then - echo -e "${YELLOW}Installing sshpass for testing...${NC}" - $SUDO apt-get update -qq && $SUDO apt-get install -y sshpass > /dev/null 2>&1 || { - echo -e "${RED}Failed to install sshpass. Install manually: apt install sshpass${NC}" - exit 1 - } -fi - -# Clear old alerts for clean test -echo -e "${YELLOW}Clearing old alerts...${NC}" -$SUDO rm -f /var/lib/secrds/events.json -$SUDO systemctl restart secrds -sleep 2 - -# Make test attempts -ATTEMPTS=5 -echo -e "${BLUE}Making ${ATTEMPTS} SSH connection attempts...${NC}" -echo "" - -for i in $(seq 1 $ATTEMPTS); do - echo -n " Attempt $i/$ATTEMPTS... " - - # Try SSH with wrong password - timeout 2 sshpass -p "wrongpass123" ssh -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o ConnectTimeout=2 \ - -o BatchMode=yes \ - root@localhost "exit" 2>/dev/null || true - - sleep 0.5 - echo "done" -done - -echo "" -echo -e "${YELLOW}Waiting for detection...${NC}" -sleep 3 - -# Check for alerts -ALERT_COUNT=$(secrds alerts 2>/dev/null | grep -c "SSH_BRUTE_FORCE\|SSH" || echo "0") - -echo "" -echo -e "${BLUE}========================================${NC}" -echo -e "${BLUE}Test Results${NC}" -echo -e "${BLUE}========================================${NC}" -echo "" - -if [ "$ALERT_COUNT" -gt 0 ]; then - echo -e "${GREEN}✓ SUCCESS: Alerts detected!${NC}" - echo "" - echo -e "${YELLOW}Recent alerts:${NC}" - secrds alerts --limit 3 - echo "" - echo -e "${GREEN}Detection is working correctly!${NC}" -else - echo -e "${RED}✗ FAILED: No alerts detected${NC}" - echo "" - echo -e "${YELLOW}Debugging information:${NC}" - echo "" - - # Check logs - echo -e "${BLUE}Recent service logs:${NC}" - $SUDO journalctl -u secrds -n 30 --no-pager 2>/dev/null | tail -20 - echo "" - - # Check if events are being received - echo -e "${BLUE}Checking for SSH events in logs:${NC}" - if $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep -q "SSH event received"; then - echo -e "${GREEN}✓ Events are being received${NC}" - $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep "SSH event received" | tail -5 - else - echo -e "${RED}✗ No SSH events found in logs${NC}" - echo "" - echo -e "${YELLOW}Possible issues:${NC}" - echo " 1. eBPF program not detecting connections" - echo " 2. Source IP detection failing (check for 'invalid IP' messages)" - echo " 3. Kernel doesn't support required kprobes" - echo "" - echo -e "${YELLOW}Try manual test:${NC}" - echo " /usr/local/bin/secrds-agent" - echo " # In another terminal, try: ssh root@localhost" - fi - echo "" - - # Check storage - if [ -f "/var/lib/secrds/events.json" ]; then - echo -e "${BLUE}Storage file contents:${NC}" - cat /var/lib/secrds/events.json | python3 -m json.tool 2>/dev/null | head -30 || cat /var/lib/secrds/events.json | head -30 - fi - - exit 1 -fi - -echo "" -echo -e "${GREEN}All tests passed!${NC}" - diff --git a/fresh-test.sh b/fresh-test.sh deleted file mode 100755 index 51d4606..0000000 --- a/fresh-test.sh +++ /dev/null @@ -1,140 +0,0 @@ -#!/bin/bash -# Fresh test script - clears all logs and runs clean test - -set -e - -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -BLUE='\033[0;34m' -NC='\033[0m' - -# Check if running as root -if [ "$EUID" -eq 0 ]; then - SUDO="" -else - SUDO="sudo" -fi - -echo -e "${BLUE}========================================${NC}" -echo -e "${BLUE}Fresh Test - Clear All & Test${NC}" -echo -e "${BLUE}========================================${NC}" -echo "" - -# Step 1: Stop service -echo -e "${YELLOW}[1/5] Stopping service...${NC}" -$SUDO systemctl stop secrds 2>/dev/null || true -sleep 1 -echo -e "${GREEN}✓ Service stopped${NC}" -echo "" - -# Step 2: Clear storage file -echo -e "${YELLOW}[2/5] Clearing storage file...${NC}" -$SUDO rm -f /var/lib/secrds/events.json -$SUDO mkdir -p /var/lib/secrds -echo -e "${GREEN}✓ Storage cleared${NC}" -echo "" - -# Step 3: Clear systemd logs -echo -e "${YELLOW}[3/5] Clearing systemd logs...${NC}" -$SUDO journalctl --vacuum-time=1s -u secrds > /dev/null 2>&1 || true -echo -e "${GREEN}✓ Logs cleared${NC}" -echo "" - -# Step 4: Restart service -echo -e "${YELLOW}[4/5] Restarting service...${NC}" -$SUDO systemctl start secrds -sleep 2 - -if $SUDO systemctl is-active --quiet secrds 2>/dev/null; then - echo -e "${GREEN}✓ Service started${NC}" -else - echo -e "${RED}✗ Failed to start service${NC}" - exit 1 -fi -echo "" - -# Step 5: Run test -echo -e "${YELLOW}[5/5] Running fresh SSH attack test...${NC}" -echo "" - -# Check if sshpass is installed -if ! command -v sshpass &> /dev/null; then - echo -e "${YELLOW}Installing sshpass...${NC}" - $SUDO apt-get update -qq && $SUDO apt-get install -y sshpass > /dev/null 2>&1 || { - echo -e "${RED}Failed to install sshpass${NC}" - exit 1 - } -fi - -# Make test attempts -ATTEMPTS=5 -echo -e "${BLUE}Making ${ATTEMPTS} SSH connection attempts...${NC}" -echo "" - -for i in $(seq 1 $ATTEMPTS); do - echo -n " Attempt $i/$ATTEMPTS... " - - # Try SSH with wrong password - timeout 2 sshpass -p "wrongpass123" ssh -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o ConnectTimeout=2 \ - -o BatchMode=yes \ - root@localhost "exit" 2>/dev/null || true - - sleep 0.5 - echo "done" -done - -echo "" -echo -e "${YELLOW}Waiting for detection...${NC}" -sleep 3 - -# Check for alerts -ALERT_COUNT=$(secrds alerts 2>/dev/null | grep -c "SSH_BRUTE_FORCE\|SSH" || echo "0") - -echo "" -echo -e "${BLUE}========================================${NC}" -echo -e "${BLUE}Test Results${NC}" -echo -e "${BLUE}========================================${NC}" -echo "" - -if [ "$ALERT_COUNT" -gt 0 ]; then - echo -e "${GREEN}✓ SUCCESS: Alerts detected!${NC}" - echo "" - echo -e "${YELLOW}Recent alerts:${NC}" - secrds alerts --limit 5 - echo "" - - # Show debug logs - echo -e "${YELLOW}Recent debug logs:${NC}" - $SUDO journalctl -u secrds --no-pager -n 50 2>/dev/null | grep -E "DEBUG|SSH event|Threat detected" | tail -10 || echo "No debug logs found" - echo "" - - echo -e "${GREEN}✓ Fresh test PASSED!${NC}" -else - echo -e "${RED}✗ FAILED: No alerts detected${NC}" - echo "" - - # Show recent logs - echo -e "${YELLOW}Recent service logs:${NC}" - $SUDO journalctl -u secrds --no-pager -n 30 2>/dev/null | tail -20 - echo "" - - # Check for events - echo -e "${YELLOW}Checking for SSH events:${NC}" - if $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep -q "SSH event received"; then - echo -e "${GREEN}✓ Events received:${NC}" - $SUDO journalctl -u secrds --no-pager 2>/dev/null | grep "SSH event received" | tail -5 - else - echo -e "${RED}✗ No SSH events found${NC}" - fi - - exit 1 -fi - -echo "" -echo -e "${GREEN}All tests passed!${NC}" - diff --git a/install.sh b/install.sh index 9541675..963f9d5 100755 --- a/install.sh +++ b/install.sh @@ -136,11 +136,20 @@ fi if [ ! -f "$CONFIG_DIR/config.yaml" ]; then echo -e "${YELLOW}Creating default configuration...${NC}" cat > "$CONFIG_DIR/config.yaml" <>24), byte(event.IP>>16), byte(event.IP>>8), byte(event.IP)) - fmt.Printf("[DEBUG] SSH event received: IP=%s, Port=%d, PID=%d, Type=%d\n", - ipStr, event.Port, event.PID, event.EventType) - if err := ep.detector.ProcessSSHEvent(event.IP, event.Port, event.PID, event.EventType); err != nil { fmt.Printf("Failed to process SSH event: %v\n", err) } diff --git a/test-ssh-attacks.sh b/test-ssh-attacks.sh deleted file mode 100755 index 17a4043..0000000 --- a/test-ssh-attacks.sh +++ /dev/null @@ -1,89 +0,0 @@ -#!/bin/bash -# Test script to simulate SSH brute force attacks -# This will make multiple failed SSH login attempts - -set -e - -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -NC='\033[0m' - -echo -e "${YELLOW}SSH Attack Simulation Test${NC}" -echo "================================" -echo "" - -# Check if service is running -if ! systemctl is-active --quiet secrds 2>/dev/null; then - echo -e "${RED}ERROR: secrds service is not running!${NC}" - echo "Start it with: sudo systemctl start secrds" - exit 1 -fi - -echo -e "${GREEN}✓ secrds service is running${NC}" - -# Get local IP -LOCAL_IP=$(hostname -I | awk '{print $1}') -echo -e "${YELLOW}Testing from: ${LOCAL_IP}${NC}" -echo "" - -# Number of attempts -ATTEMPTS=${1:-10} -echo -e "${YELLOW}Making ${ATTEMPTS} SSH connection attempts...${NC}" -echo "" - -# Count successful detections -SUCCESS_COUNT=0 - -for i in $(seq 1 $ATTEMPTS); do - echo -n "Attempt $i/$ATTEMPTS... " - - # Try SSH connection with wrong password - timeout 2 sshpass -p "wrongpassword123" ssh -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - -o PreferredAuthentications=password \ - -o PubkeyAuthentication=no \ - -o ConnectTimeout=2 \ - -o BatchMode=yes \ - root@localhost "exit" 2>/dev/null || true - - sleep 0.3 - - # Check for alerts - ALERT_COUNT=$(secrds alerts 2>/dev/null | grep -c "SSH_BRUTE_FORCE" || echo "0") - - if [ "$ALERT_COUNT" -gt 0 ]; then - echo -e "${GREEN}✓ Alert detected!${NC}" - SUCCESS_COUNT=$((SUCCESS_COUNT + 1)) - else - echo "No alert yet" - fi -done - -echo "" -echo "================================" -echo -e "${YELLOW}Test Results:${NC}" -echo "Attempts made: $ATTEMPTS" -echo "Alerts detected: $SUCCESS_COUNT" - -# Show recent alerts -echo "" -echo -e "${YELLOW}Recent alerts:${NC}" -secrds alerts --limit 5 - -if [ "$SUCCESS_COUNT" -gt 0 ]; then - echo "" - echo -e "${GREEN}✓ Test PASSED - Detection is working!${NC}" - exit 0 -else - echo "" - echo -e "${RED}✗ Test FAILED - No alerts detected${NC}" - echo "" - echo -e "${YELLOW}Troubleshooting steps:${NC}" - echo "1. Check service logs: sudo journalctl -u secrds -n 50" - echo "2. Check if eBPF program loaded: sudo journalctl -u secrds | grep 'Attached kprobe'" - echo "3. Verify service is running: sudo systemctl status secrds" - echo "4. Check storage file: cat /var/lib/secrds/events.json | jq .alerts" - exit 1 -fi -