Ronit-k/CS253_AutomatedIntrusionDetectionSystem

🛡️ Automated Intrusion Detection System (IDS)

CS253 — Software Development and Operations | Assignment 2: Shell Scripting
Indian Institute of Technology Kanpur | February 2026


📋 Overview

A shell-based Intrusion Detection System that analyzes Linux server authentication logs to identify brute-force attackers and generate firewall rules to block them. The system processes raw log files through a 4-stage pipeline:

  1. Sanitize → Clean and normalize raw logs
  2. Detect → Identify brute-force attackers and generate firewall blocking rules
  3. Report → Generate a port-targeted attack summary dashboard
  4. Timeline → Analyze hourly attack patterns for threat intelligence

📁 Project Structure

CS253_AutomatedIntrusionDetectionSystem/
├── auth.log              # Raw server authentication log (input)
├── whitelist.txt          # Trusted IPs that should never be banned (input)
├── sanitize.sh            # Task 1: Log sanitizer
├── detect.sh              # Task 2: Brute-force detector
├── report.sh              # Task 3: Port analysis dashboard
├── timeline.sh            # Task 4: Threat timeline analyzer
├── clean_log.csv          # Sanitized log output (generated)
├── firewall_rules.sh      # Firewall rules output (generated)
├── ProblemStatement.pdf   # Assignment specification
└── README.md              # This file

🚀 Usage

Prerequisites

  • Bash (v4.0+)
  • Standard Unix utilities: sed, awk, grep, sort

Step-by-Step Execution

Task 1: Sanitize the Raw Log

bash sanitize.sh auth.log

What it does:

#   Operation                                               Method
1   Remove lines containing [CORRUPT-DATA]                  sed deletion
2   Anonymize user=root and user=admin → user=SYS_ADMIN     sed substitution
3   Convert all pipe (|) delimiters to commas (,)           sed substitution

Output: clean_log.csv
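As an added example (not the repository's sanitize.sh), the three Task 1 transformations written as one sed pipeline over a constructed sample; sanitize_log and demo_sanitize are illustrative names, and the carriage returns are stripped with tr because \r in a sed pattern is a GNU extension.

```bash
#!/usr/bin/env bash
# Added example, not the repository's sanitize.sh: the three Task 1 steps
# as one sed pipeline, with CR stripping first so CRLF input still matches.
# sanitize_log AUTH_LOG  -> clean_log.csv content on stdout
sanitize_log() {
    tr -d '\r' < "$1" |
    sed -e '/\[CORRUPT-DATA]/d' \
        -e 's/user=root\([,|]\)/user=SYS_ADMIN\1/g' \
        -e 's/user=admin\([,|]\)/user=SYS_ADMIN\1/g' \
        -e 's/|/,/g'
}
# The delimiter after the username is captured so "user=admin" does not also
# rewrite "user=administrator" (assumption: user= is never the last field,
# as in the auth.log samples).

# Constructed sample, not the repository's auth.log; the second row ends in CRLF.
sample_auth_log() {
    printf '%s\n'   '2026-02-18 09:00:01, ip=192.168.1.100, user=root, status=Failed password, port=22'
    printf '%s\r\n' '2026-02-18 09:00:02| ip=192.168.1.100| user=admin| status=Failed password| port=22'
    printf '%s\n'   '[CORRUPT-DATA] 0x89234 garbage binary data'
    printf '%s\n'   '2026-02-18 09:00:03| ip=10.0.0.5| user=administrator| status=Accepted password| port=22'
}

# demo_sanitize: run the sanitizer over the sample and print the result.
demo_sanitize() {
    local tmp
    tmp=$(mktemp)
    sample_auth_log > "$tmp"
    sanitize_log "$tmp"
    rm -f "$tmp"
}
```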


Task 2: Detect Brute-Force Attackers

bash detect.sh clean_log.csv whitelist.txt firewall_rules.sh

What it does:

  1. Parses clean_log.csv to count "Failed password" events per unique IP (using awk)
  2. Filters IPs with strictly more than 10 failed attempts
  3. Cross-references each suspect IP against whitelist.txt using a manual shell loop (no grep -f, comm, or diff)
  4. Generates iptables blocking rules for non-whitelisted attackers

Output: firewall_rules.sh — each line in the format:

iptables -A INPUT -s <IP_ADDRESS> -j DROP # Blocked after <COUNT> failed attempts

Task 3: Port Analysis Report

bash report.sh clean_log.csv

What it does:

  • Aggregates all "Failed password" events by target port
  • Prints a formatted summary table to stdout

Sample Output:

Target Port Analysis
-------------------
Port 22   : 23 attempts
Port 443  : 3 attempts
Port 8080 : 15 attempts

Task 4: Threat Timeline

bash timeline.sh clean_log.csv

What it does:

  • Extracts the 2-digit hour from each "Failed password" event timestamp
  • Aggregates failed attempts by hour (00–23)
  • Prints results in ascending order

Sample Output:

Hour 09: 21 failed attempts
Hour 10: 9 failed attempts
Hour 11: 11 failed attempts
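Added example, not the repository's report.sh or timeline.sh: both aggregations (Task 3 by port, Task 4 by hour) in portable awk, with sort(1) doing the ordering so no gawk-only asorti() is needed; port_report, hourly_timeline and the sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repository's report.sh / timeline.sh: both
# aggregations in portable awk (no asorti), ordered by sort(1) instead of
# GNU-only awk sorting. Fields split on ", ": $1 is "YYYY-MM-DD HH:MM:SS",
# $4 is "status=...", $5 is "port=N".
port_report() {
    printf 'Target Port Analysis\n-------------------\n'
    tr -d '\r' < "$1" |
    awk -F', ' '$4 == "status=Failed password" { sub(/^port=/, "", $5); c[$5]++ }
                END { for (p in c) print p, c[p] }' |
    sort -n |
    awk '{ printf "Port %-4s : %d attempts\n", $1, $2 }'
}
hourly_timeline() {
    tr -d '\r' < "$1" |
    awk -F', ' '$4 == "status=Failed password" { c[substr($1, 12, 2)]++ }
                END { for (h in c) print h, c[h] }' |
    sort -n |
    awk '{ printf "Hour %s: %d failed attempts\n", $1, $2 }'
}

# Constructed clean_log.csv sample (not the repository's data).
sample_clean_log() {
    cat <<'EOF'
2026-02-18 09:00:01, ip=192.168.1.100, user=SYS_ADMIN, status=Failed password, port=22
2026-02-18 09:00:02, ip=192.168.1.100, user=SYS_ADMIN, status=Failed password, port=8080
2026-02-18 10:15:09, ip=45.33.22.11, user=SYS_ADMIN, status=Failed password, port=22
2026-02-18 10:15:10, ip=45.33.22.11, user=SYS_ADMIN, status=Accepted password, port=443
2026-02-18 11:02:33, ip=172.16.0.20, user=SYS_ADMIN, status=Failed password, port=443
2026-02-18 11:02:34, ip=172.16.0.20, user=SYS_ADMIN, status=Failed password, port=22
EOF
}
demo_report()   { local f; f=$(mktemp); sample_clean_log > "$f"; port_report "$f"; rm -f "$f"; }
demo_timeline() { local f; f=$(mktemp); sample_clean_log > "$f"; hourly_timeline "$f"; rm -f "$f"; }
```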

🔧 Technical Details

Tools & Techniques Used

Tool                       Purpose
sed                        Text transformation — deletion, substitution, delimiter normalization
awk                        Field-based parsing, filtering, aggregation, and counting
sort                       Numeric sorting for port and hour ordering
Shell loops (while, for)   Manual whitelist cross-referencing (per assignment constraint)
Arrays (WHITELIST_IPS)     In-memory whitelist storage for O(n×m) manual comparison

Key Design Decisions

  • Cross-platform compatibility: All scripts strip \r (carriage returns) to handle Windows-style line endings in input files.
  • No gawk-specific features: Avoided asorti() and other GNU awk extensions to ensure portability with mawk.
  • Manual whitelist check: The assignment explicitly prohibits grep -f, comm, and diff. The whitelist is loaded into a Bash array, and each suspect IP is checked with a nested for loop.
  • Threshold logic: Only IPs with strictly more than 10 failed attempts (> 10, not >= 10) are flagged.
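Added example serving Task 2 and the design decisions above (it is not the repository's detect.sh): awk counts "Failed password" rows per IP, the whitelist is loaded into a Bash array and checked with a nested loop, and rules are emitted in the documented format; generate_rules, emit_rows and the sample counts are constructed for illustration, chosen to reproduce the expected firewall_rules.sh from the Example Run section.

```bash
#!/usr/bin/env bash
# Added example, not the repository's detect.sh: Task 2 as one function.
# generate_rules CLEAN_CSV WHITELIST_FILE  -> iptables rules on stdout
generate_rules() {
    local csv=$1 wl=$2 ip count w banned
    local -a whitelist=()
    # Load the whitelist into a Bash array, stripping CR from CRLF files.
    while IFS= read -r w || [ -n "$w" ]; do
        w=${w%$'\r'}
        if [ -n "$w" ]; then whitelist+=("$w"); fi
    done < "$wl"
    # awk counts "Failed password" rows per IP (fields split on ", "; $2 is
    # "ip=A.B.C.D", $4 is "status=..."), keeps strictly > 10 and prints
    # "count ip"; Bash then cross-references each suspect with a nested loop.
    tr -d '\r' < "$csv" |
    awk -F', ' '$4 == "status=Failed password" { sub(/^ip=/, "", $2); n[$2]++ }
                END { for (ip in n) if (n[ip] > 10) print n[ip], ip }' |
    sort -rn |
    while read -r count ip; do
        banned=1
        for w in "${whitelist[@]}"; do
            if [ "$w" = "$ip" ]; then banned=0; fi
        done
        if [ "$banned" -eq 1 ]; then
            echo "iptables -A INPUT -s $ip -j DROP # Blocked after $count failed attempts"
        fi
    done
}
# emit_rows IP COUNT STATUS: constructed clean_log.csv rows (COUNT < 60).
emit_rows() {
    local i
    for ((i = 1; i <= $2; i++)); do
        printf '2026-02-18 09:%02d:00, ip=%s, user=SYS_ADMIN, status=%s, port=22\n' \
            "$i" "$1" "$3"
    done
}
# Counts mirror the README's expected run: two IPs above the threshold,
# one whitelisted IP with 15 failures, one IP with only 3 failures.
demo_detect() {
    local csv wl
    csv=$(mktemp); wl=$(mktemp)
    { emit_rows 192.168.1.100 12 'Failed password'
      emit_rows 45.33.22.11 11 'Failed password'
      emit_rows 10.0.0.5 15 'Failed password'
      emit_rows 172.16.0.20 3 'Failed password'
      emit_rows 172.16.0.20 20 'Accepted password'; } > "$csv"
    printf '10.0.0.5\r\n192.168.1.50\n' > "$wl"
    generate_rules "$csv" "$wl"
    rm -f "$csv" "$wl"
}
```

Successful logins and IPs at or below 10 failures never reach the whitelist loop, so only the two attackers are written out.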

Input File Format

auth.log — raw authentication log entries with mixed delimiters:

2026-02-18 09:00:01, ip=192.168.1.100, user=root, status=Failed password, port=22
2026-02-18 09:00:02| ip=192.168.1.100| user=root| status=Failed password| port=22
[CORRUPT-DATA] 0x89234 garbage binary data

whitelist.txt — one trusted IP per line:

10.0.0.5
192.168.1.50

📊 Example Run (Full Pipeline)

# Step 1: Clean the log
bash sanitize.sh auth.log

# Step 2: Detect attackers and generate firewall rules
bash detect.sh clean_log.csv whitelist.txt firewall_rules.sh

# Step 3: View port analysis
bash report.sh clean_log.csv

# Step 4: View hourly threat timeline
bash timeline.sh clean_log.csv

# (Optional) View generated firewall rules
cat firewall_rules.sh

Expected firewall_rules.sh with the provided auth.log:

iptables -A INPUT -s 192.168.1.100 -j DROP # Blocked after 12 failed attempts
iptables -A INPUT -s 45.33.22.11 -j DROP # Blocked after 11 failed attempts

Note: 10.0.0.5 has 15 failed attempts but is whitelisted, so it is excluded. 172.16.0.20 has only 3 failed attempts, which is below the threshold of 10.


📝 License

This project is an academic assignment for CS253 at IIT Kanpur.
