I am documenting every day of my cybersecurity learning journey publicly. This post covers Days 8 through 12 — the first half of Week 2.
The log analyzer and what it found
The most significant thing I built this week is a Python log analyzer. It reads Linux auth.log files, finds every failed SSH login attempt, extracts the source IP from each one, and counts how many times each IP tried.
Here is the core logic:
from collections import Counter

failed_ips = []
# Each failed SSH login in auth.log looks like:
#   "... Failed password for <user> from <ip> port <port> ssh2"
with open("/var/log/auth.log", "r") as f:
    for line in f:
        if "Failed password" in line:
            parts = line.split()
            for i, part in enumerate(parts):
                # The token right after "from" is the source IP
                if part == "from" and i + 1 < len(parts):
                    failed_ips.append(parts[i + 1])
                    break

ip_counts = Counter(failed_ips)
for ip, count in ip_counts.most_common(10):
    print(ip + " — " + str(count) + " attempts")
I ran this against my actual Kali machine's auth.log. My system has been running for less than two weeks. The output showed real external IP addresses that had attempted SSH brute force attacks — automated scanners crawling the internet looking for systems with weak SSH credentials.
That is what SOC analysts see at enterprise scale — except they are watching thousands of servers simultaneously using SIEM tools. My script does the same thing for a single log file. Writing it at the code level makes the enterprise workflow more intuitive.
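A slightly more robust version of the same idea, added here as an example (not the analyzer from the post): a regex pulls out the username, the source IP and whether sshd marked the account as non-existent, and a second function flags IPs that fail repeatedly across several usernames, the pattern an automated scanner leaves. The log lines are constructed samples, not real auth.log output.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not captured from a real machine).
SAMPLE_LOG = """\
Mar  3 10:14:02 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 52342 ssh2
Mar  3 10:14:05 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 52350 ssh2
Mar  3 10:14:09 kali sshd[1203]: Failed password for root from 203.0.113.7 port 52361 ssh2
Mar  3 10:15:30 kali sshd[1210]: Failed password for kali from 198.51.100.4 port 41022 ssh2
Mar  3 10:15:41 kali sshd[1210]: Accepted password for kali from 198.51.100.4 port 41022 ssh2
Mar  3 10:16:00 kali sshd[1215]: Failed password for invalid user test from 203.0.113.7 port 52400 ssh2
"""

# One regex instead of split()/"from" scanning: captures the username, the
# source IP and whether sshd flagged the account as non-existent.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse_failed_logins(log_text):
    """Return a list of (ip, user, is_invalid_user) for every failed attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return events

def brute_force_candidates(events, threshold=3):
    """Map each IP with at least `threshold` failures to (attempts, distinct usernames).

    Many failures spread across several usernames is the classic scanner pattern."""
    per_ip = Counter(ip for ip, _, _ in events)
    users_per_ip = {}
    for ip, user, _ in events:
        users_per_ip.setdefault(ip, set()).add(user)
    return {ip: (n, len(users_per_ip[ip])) for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    for ip, (attempts, distinct_users) in brute_force_candidates(evts).items():
        print(f"{ip}: {attempts} failed attempts across {distinct_users} usernames")
```

On a real file, replace SAMPLE_LOG with the contents of /var/log/auth.log; the "Accepted password" line is skipped by the regex, so only failures are counted.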
Security+ — 5 days of study
Started CompTIA Security+ SY0-701 on Day 8 using Professor Messer's free course. Here is what the first five days covered.
Malware types — the most tested area of Domain 2
The distinction that appears most on practice tests: virus vs worm.
A virus requires human action to spread. It attaches to files and moves when those files are shared.
A worm spreads automatically. It exploits vulnerabilities to move across networks without anyone clicking anything. WannaCry was a worm — it used the EternalBlue exploit on SMB port 445 and infected 230,000 systems across 150 countries in a single day without requiring any user interaction.
Understanding this distinction at the mechanism level, not just the definition level, is what makes it stick on exam day.
Social engineering — most breaches start here
Eight attack types: phishing, spear phishing, whaling, vishing, smishing, pretexting, baiting, tailgating.
The one I had not thought carefully about: pretexting. An attacker creates a convincing scenario — "I am the new IT admin, I need your credentials to migrate your account" — and relies on the target's willingness to be helpful. No exploit. No malware. Just a believable story.
Technical defenses cannot stop pretexting. Training is the defense.
Zero Trust — replacing perimeter security
The old model: build a wall around the network, trust everything inside. This failed when remote work and cloud services dissolved the perimeter.
Zero Trust: never trust, always verify. Every access request is authenticated and authorized regardless of source. A device already inside the network is treated as untrusted until it proves otherwise.
Base64 — not encryption
Bandit level 10 reinforced something worth writing about explicitly.
Base64 looks like encrypted data. It is not. It is encoding — converting binary data to ASCII text. Anyone can decode it instantly with one command: base64 --decode.
Attackers use it to make payloads look mysterious in logs and scripts. It is one layer of obfuscation. Once you recognize base64 (padding with = at the end, characters from A-Z a-z 0-9 + /), decoding it takes seconds.
The same is true for ROT13 — rotating letters 13 positions. Not encryption. Not security. Appears in CTF challenges constantly.
Port scanner version 2
Updated the port scanner from Week 1 to display service names alongside port numbers. Changed one output line using a Python dictionary lookup:
# Map well-known ports to service names; anything else prints as "Unknown"
common_services = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS"}
service = common_services.get(port, "Unknown")
print("[OPEN] Port " + str(port) + " — " + service)
Now instead of "[OPEN] Port 22" it shows "[OPEN] Port 22 — SSH". Small change, meaningfully more useful.
Three tools on GitHub now
Port scanner (v2 with service names), password generator, and log analyzer. All with documentation explaining how they work and what I learned building them. Link on my profile.