I've been searching the web for a while for a brief explanation on setting up a decent user log system.
So far I am able to understand the principles behind setting up a proxy server for this, but my attempts have failed because I have not managed to combine things so they work perfectly together.
We need to protect our services against misuse.
And a step-by-step tutorial on this subject would be so helpful for many people, including me.
How can we catch the outgoing traffic and log it? Which software, and how to set things up properly?
Your help is much appreciated.
Thank you
Monitoring VPN users
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: Monitoring VPN users
Is your server Linux based?
I can't give you an entire guide, but I can show you a starting point.
First install 'tcpdump' via apt-get (Debian) or yum install (CentOS).
Then:
nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /etc/openvpn/log/tcp.log &
The above command will start a tcpdump session as a background service. The output file will be in pcap format, so you can use Wireshark or tcpdump to analyze the log.
The tcpdump command filters can be quite complex, and allow you to capture specific activity. For the above, it will capture TCP connection requests ( tcp[tcpflags] & (tcp-syn) ) so you can see which sites/IP addresses/ports are being accessed. The advantage of this is that it keeps the log size small. If you receive abuse complaints, this 'should' be a sufficient amount of logging to link the complaint to a specific user (if you log which user has which LAN IP, that will be a separate task -- using a client-connect script).
If you require full TCP logging for purposes of deeper packet inspection etc., you will have to look up the man page for tcpdump and change some of the flags.
The cure for boredom is curiosity
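The recipe above has two halves that the post mentions separately: the SYN-only capture on tun0, and a client-connect script that records which user was handed which VPN address. The following script is an added example for this thread, not code from the posts or from the OpenVPN project, and it ties the two halves together. Run by OpenVPN as the client-connect script it appends one record per connection; run by hand against the tcpdump output and that record file it names the user behind each outgoing connection attempt. It assumes the capture was written by the command above (tun0, raw IP link type, SYN filter), and the record format, the log path and the sample data are this example's own choices (the sample capture is constructed, not real traffic). The common_name, ifconfig_pool_remote_ip, trusted_ip, trusted_port and time_unix variables are the ones OpenVPN really exports to client-connect scripts.

```python
#!/usr/bin/env python3
"""Link SYN packets captured on tun0 to the OpenVPN user holding the source address.
Added example for this thread, not code from the posts or from OpenVPN. Assumes the
capture came from the tcpdump command above (raw IP link type, SYN filter) and an
assignment log in the format client_connect_line() writes; log path and sample data
(constructed, not a real capture) are this example's own choices."""
import os, socket, struct, sys

TCP_SYN, TCP_ACK = 0x02, 0x10

# --- client-connect side: record who holds which VPN address -----------------
def client_connect_line(env):
    """'<time_unix> <common_name> <vpn_ip> <peer_ip>:<peer_port>' built from the
    variables OpenVPN exports to client-connect scripts."""
    return "%s %s %s %s:%s" % (env["time_unix"], env["common_name"],
                               env["ifconfig_pool_remote_ip"],
                               env["trusted_ip"], env["trusted_port"])

def parse_assignments(lines):
    """(time, user, vpn_ip, peer) tuples, oldest first; damaged lines are skipped."""
    recs = [line.split() for line in lines]
    return sorted((int(r[0]), r[1], r[2], r[3]) for r in recs if len(r) == 4)

def user_for(assignments, vpn_ip, when):
    """User holding vpn_ip at time 'when': the latest assignment not after it.
    Simplification: disconnects are not logged, so a stale lease can still match."""
    hits = [a for a in assignments if a[2] == vpn_ip and a[0] <= when]
    return hits[-1][1] if hits else None

# --- capture side: walk the pcap that 'tcpdump -w' wrote ---------------------
def syn_records(data):
    """Yield (time, src, dst, dport, flags) for every IPv4 TCP packet with SYN set."""
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype not in (101, 12):          # LINKTYPE_RAW / DLT_RAW: bare IP, no Ethernet
        raise ValueError("not a raw IP capture (link type %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(order + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) >= 20 and pkt[0] >> 4 == 4 and pkt[9] == 6:   # IPv4, protocol TCP
            tcp = pkt[(pkt[0] & 0x0F) * 4:]                         # skip IHL*4 bytes
            if len(tcp) >= 14 and tcp[13] & TCP_SYN:
                yield (sec + usec / 1e6, socket.inet_ntoa(pkt[12:16]),
                       socket.inet_ntoa(pkt[16:20]),
                       struct.unpack("!H", tcp[2:4])[0], tcp[13])

def attribute(pcap_bytes, assignment_lines):
    """Pair each client-initiated SYN (SYN without ACK) with the responsible user."""
    assignments = parse_assignments(assignment_lines)
    rows = []
    for ts, src, dst, dport, flags in syn_records(pcap_bytes):
        if flags & TCP_ACK:
            continue                        # SYN-ACK is the remote host replying
        rows.append((int(ts), src, "%s:%d" % (dst, dport),
                     user_for(assignments, src, ts) or "unknown"))
    return rows

# --- constructed sample data (not a real capture) ----------------------------
def _ipv4_tcp(src, dst, sport, dport, flags):
    """Minimal IPv4 + TCP headers, no options, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def _pcap(packets):
    """Serialise (sec, raw_ip) pairs as a little-endian pcap with link type 101."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for sec, p in packets:
        out += struct.pack("<IIII", sec, 0, len(p), len(p)) + p
    return out

SAMPLE_ASSIGNMENTS = [client_connect_line(e) for e in (
    dict(time_unix="1000", common_name="alice", ifconfig_pool_remote_ip="10.8.0.6",
         trusted_ip="198.51.100.7", trusted_port="51001"),
    dict(time_unix="1500", common_name="carol", ifconfig_pool_remote_ip="10.8.0.10",
         trusted_ip="203.0.113.9", trusted_port="40022"),
    dict(time_unix="2000", common_name="bob", ifconfig_pool_remote_ip="10.8.0.6",
         trusted_ip="192.0.2.33", trusted_port="60100"),  # pool reuses alice's address
)]
SAMPLE_PCAP = _pcap([
    (1200, _ipv4_tcp("10.8.0.6", "203.0.113.50", 41000, 443, TCP_SYN)),
    (1200, _ipv4_tcp("203.0.113.50", "10.8.0.6", 443, 41000, TCP_SYN | TCP_ACK)),
    (1600, _ipv4_tcp("10.8.0.10", "203.0.113.25", 41001, 25, TCP_SYN)),
    (2100, _ipv4_tcp("10.8.0.6", "203.0.113.22", 41002, 22, TCP_SYN)),
    (2200, _ipv4_tcp("10.8.0.99", "203.0.113.80", 41003, 80, TCP_SYN)),  # never assigned
])

if __name__ == "__main__":
    if "common_name" in os.environ:         # invoked by OpenVPN as the client-connect script
        with open("/var/log/openvpn/assignments.log", "a") as f:   # path is an assumption
            f.write(client_connect_line(os.environ) + "\n")
    elif len(sys.argv) == 3:                # attribute.py <tcp.log from tcpdump> <assignments.log>
        with open(sys.argv[1], "rb") as cap, open(sys.argv[2]) as log:
            for row in attribute(cap.read(), log):
                print("%d %s -> %s user=%s" % row)
    else:
        for row in attribute(SAMPLE_PCAP, SAMPLE_ASSIGNMENTS):
            print("%d %s -> %s user=%s" % row)
```

To use it as the connect hook, set `script-security 2` and `client-connect /path/to/this-script.py` in the server config and make the file executable. The attribution deliberately drops packets with ACK set, because the thread's filter also matches the SYN-ACK replies coming back to the client, and those say nothing about what the client asked for. A SYN-only capture records which hosts and ports a user reached, not what was sent; and because disconnects are not recorded here, an address that the pool hands to a second user is attributed to whoever got it most recently, which a client-disconnect record would tighten. One testing note: tcpdump buffers what it writes with -w, so a capture that only sees SYNs can show a zero-length file for a while; its -U option flushes each packet to the file.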
- Dalay
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Aug 02, 2011 6:52 pm
Re: Monitoring VPN users
Thank you for the reply.
The command I'm using is below:
# nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /root/vpnlog/tcp.log
Returns:
# nohup: appending output to `nohup.out'
But the tcp.log file is empty.
However,
# tcpdump
with no additional parameters is working fine.
I think I'm unable to log it.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: Monitoring VPN users
Dalay wrote: # nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /root/vpnlog/tcp.log
What did you do with the ' & '? It should not be omitted.
The cure for boredom is curiosity
- Dalay
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Aug 02, 2011 6:52 pm
Re: Monitoring VPN users
It was a typo. I followed your advice, but there is no data in the log file.
Then I tried with
# tcpdump -w capture.log
and the capture.log was around 40 MB after only 2 minutes.
Too much to analyze.
Still, you gave me the right starting point.
I'll pull my hair out for a few days, but in the end I'll make it happen.
Will post the results when I'm done.
Thank you
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: Monitoring VPN users
The purpose of nohup is to daemonize tcpdump. If it's causing a problem, you can avoid nohup by instead using 'screen'.
So, start a new terminal screen, run the tcpdump command in the new screen (minus the nohup and &). Then when you close the screen, tcpdump will still be active. It won't persist across a system restart, though, so it's best to stick with nohup in that case.
The cure for boredom is curiosity
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: Monitoring VPN users
My nohup throws the message: " nohup: ignoring input and appending output to `nohup.out'"
but from what I can gather from Google, it's not a problem. Just press Ctrl+C. Your terminal will come back, and tcpdump will be in the background.
The stuff in nohup.out will be like this:
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
tcpdump: pcap_loop: The interface went down
But that's not info we are interested in. Your tcp.log file will still be pcap data. If the tcp.log file is empty, you need to check the flags of the tcpdump command. Are you sure the VPN is on tun0? Maybe it's venet0 or tun1. These are the things that should determine a successful outcome in this scenario.
The cure for boredom is curiosity