For the past few days I’ve been doing something unusual.
Instead of only learning cybersecurity theory, I’ve been building the tools that security engineers actually use.
I built scanners.
I exploited vulnerabilities.
I detected secrets in source code.
Today I switched sides.
Today I became the defender.
The Problem Nobody Notices (Until It’s Too Late)
Every Linux server quietly keeps a diary.
Inside:
/var/log/auth.log
And it looks harmless… until you actually read it:
Mar 14 03:22:14 server sshd[9841]: Failed password for root from 45.33.32.156 port 42190 ssh2
Mar 14 03:22:15 server sshd[9842]: Failed password for root from 45.33.32.156 port 42191 ssh2
Mar 14 03:22:16 server sshd[9843]: Failed password for admin from 45.33.32.156 port 42192 ssh2
This is not a user making mistakes.
This is an automated brute-force attack happening right now.
Here’s the scary part:
Most beginners never open this file.
But attackers already know it exists.
So I asked a simple question:
What if I could automatically detect attacks just by reading logs?
That became LogGuardian.
Where It Started (20 Lines)
My first version was extremely small.
It only counted failed logins per IP.
import re
from collections import defaultdict
log_file = "server.log"
failed_attempts = defaultdict(int)
with open(log_file, "r") as file:
for line in file:
if "Failed password" in line:
ip = re.search(r'from (\d+\.\d+\.\d+\.\d+)', line)
if ip:
failed_attempts[ip.group(1)] += 1
for ip, count in failed_attempts.items():
if count >= 3:
print(f"[ALERT] Possible brute-force attack from {ip} ({count} failed attempts)")
It worked.
But it was basically a calculator, not a security tool.
Real security teams need answers like:
- Who is attacking?
- What usernames are targeted?
- Did the attacker actually succeed?
So I kept going.
Turning Logs Into Intelligence
SSH logs actually contain multiple types of events:
| Event | Meaning |
|---|---|
| Failed password | Wrong password attempt |
| Invalid user | Username doesn't exist |
| Accepted password | Successful login |
| Accepted publickey | SSH key login |
So I upgraded the parser to track:
- IP addresses
- usernames targeted
- successful logins
- timestamps
Key trick:
errors="replace"
Attackers sometimes send malformed bytes. Without this, one bad line crashes your program. Real logs are messy. Security tools must survive messy data.
The First Real Security Feature — Threat Levels
Three failed attempts ≠ 3000 failed attempts.
So LogGuardian classifies attackers:
- 🟢 LOW
- 🟡 MEDIUM
- 🟠 HIGH
- 🔴 CRITICAL
def threat_level(count, thresholds):
low, med, high = thresholds
if count >= high:
return "CRITICAL"
elif count >= med:
return "HIGH"
elif count >= low:
return "MEDIUM"
else:
return "LOW"
Now the log file isn’t just text.
It’s a threat map.
The Scariest Scenario (And Why This Matters)
I added one small check that changed everything:
What if an IP fails many times… and then logs in successfully?
pwned = [(ip, n) for ip, n in sorted_ips if ip in successful]
This detects:
Credential stuffing success.
In other words:
The attacker guessed the password.
LogGuardian marks it as:
⚠ DANGER ZONE — BREACH SUSPECTED
45.33.32.156 80 failures + 1 success
That is literally how many real security incidents are first discovered.
Making a CLI Security Tool
I didn’t want a script.
I wanted a tool.
So I added argparse:
python3 logguardian.py /var/log/auth.log
Options:
- custom threat thresholds
- export report
- disable colors
- large log support
- generate a fake attacked log
python3 logguardian.py --generate-sample
This lets anyone test the tool instantly.
Actionable Output (Important)
Security tools should not just say:
“Something is wrong.”
They should say:
“Here’s exactly what to do.”
LogGuardian prints ready-to-use firewall commands:
sudo ufw deny from 45.33.32.156 to any
No guessing. No Googling under pressure.
What I Actually Learned
Today’s lesson was bigger than Python.
I accidentally learned how SIEM systems work.
Tools like:
- Splunk
- Wazuh
- Elastic Security
do the same thing, just at massive scale.
They:
- Collect logs
- Parse events
- Detect patterns
- Raise alerts
- Recommend response
LogGuardian does all five.
Just locally.
Just with Python.
Try It Yourself
python3 logguardian.py --generate-sample
python3 logguardian.py server.log
Or analyze your own machine:
sudo python3 logguardian.py /var/log/auth.log
You might be surprised.
Even a personal computer gets login attempts from bots on the internet.
What’s Next
Planned upgrades:
- live monitoring mode (tail -f detection)
- automatic IP blocking
- GeoIP attacker mapping
- fail2ban integration
We started this series by attacking vulnerable apps.
Now we are detecting attackers.
And that moment felt important.
Because cybersecurity isn’t just breaking systems.
It’s protecting people who don’t even know they were targeted.
Top comments (0)