Monitoring VPN users

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Dalay
OpenVpn Newbie
Posts: 8
Joined: Tue Aug 02, 2011 6:52 pm

Monitoring VPN users

Post by Dalay » Sun Sep 25, 2011 12:51 pm

I've been searching the web for a while for a brief explanation on setting up a decent user log system.
So far I am able to understand the principles behind setting up a proxy server for this, but my attempts have failed due to lack of combining things to work perfectly together.

We need to protect our services against misuse.
And a step-by-step tutorial on this subject would be so helpful for many people, including me.

How can we capture the outgoing traffic and log it? Which software, and how do we set things up properly?

Your help is much appreciated.

Thank You

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Monitoring VPN users

Post by Bebop » Mon Sep 26, 2011 8:57 pm

Is your server Linux based?

I can't give you an entire guide, but I can show you a starting point.

First install 'tcpdump' via apt-get (debian) or yum install (centos).

Then:

Code:

nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /etc/openvpn/log/tcp.log &
The above command will start a tcpdump session as a background service. The output file will be in pcap format, so you can use Wireshark or tcpdump to analyze the log.

The tcpdump command filters can be quite complex, and allow you to capture specific activity. For the above, it will capture TCP connection requests ( tcp[tcpflags] & (tcp-syn) ) so you can see which sites/IP addresses/ports are being accessed. The advantage of this is that it keeps the log size small. If you receive abuse complaints, this 'should' be a sufficient amount of logging to link the complaint to a specific user (logging which user has which LAN IP will be a separate task, using a client-connect script).

If you require full TCP logging for purposes of deeper packet inspection etc, you will have to look up the man page for tcpdump, and change some of the flags.
The cure for boredom is curiosity
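
Bebop's post leaves the user-to-IP mapping as "a separate task". The script below is an added example, not code from this thread and not an OpenVPN project script, that fills in that task and goes one step beyond it: a client-connect/client-disconnect script that appends one line per session event to a log, plus a small join that reads the rotated capture back with tcpdump -r tcp.log -tt -n and labels each connection request with the user who held the source tunnel IP at that second, so a pool address reused by a later client is attributed to the right person. It assumes the standard OpenVPN script environment (common_name, ifconfig_pool_remote_ip, trusted_ip, trusted_port, time_unix, time_duration) and a hypothetical log path /var/log/openvpn/sessions.log; the session events and capture lines in the demo are constructed, not real.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OpenVPN itself.
#  1. log_session: a client-connect / client-disconnect script that records which
#     user holds which tunnel IP and when.
#  2. attribute_syns: joins 'tcpdump -r tcp.log -tt -n' output against that log so
#     each connection request is labelled with the user behind its source IP.
# Assumptions (hypothetical, not from the page): OpenVPN exports common_name,
# ifconfig_pool_remote_ip, trusted_ip, trusted_port, time_unix and time_duration
# to the script, and the session log lives at the path below.

VPN_SESSION_LOG="${VPN_SESSION_LOG:-/var/log/openvpn/sessions.log}"

# session_time connect|disconnect
# connect: OpenVPN's own connection timestamp; disconnect: that plus the session
# length (time_duration); falls back to the wall clock when run outside OpenVPN.
session_time() {
    if [ "$1" = disconnect ] && [ -n "${time_unix:-}" ] && [ -n "${time_duration:-}" ]; then
        echo $((time_unix + time_duration))
    elif [ -n "${time_unix:-}" ]; then
        echo "$time_unix"
    else
        date +%s
    fi
}

# log_session connect|disconnect
# Appends: <unix time> <event> <tunnel ip> <common name> <real src ip>:<port>
# Hook it into server.conf (script-security 2 is required for scripts):
#   client-connect    "/etc/openvpn/vpnlog.sh connect"
#   client-disconnect "/etc/openvpn/vpnlog.sh disconnect"
log_session() {
    printf '%s %s %s %s %s:%s\n' "$(session_time "$1")" "$1" \
        "${ifconfig_pool_remote_ip:-?}" "${common_name:-?}" \
        "${trusted_ip:-?}" "${trusted_port:-?}" >> "$VPN_SESSION_LOG"
}

# who_had_ip SESSION_LOG TUNNEL_IP UNIX_TIME
# Replays connect/disconnect events up to UNIX_TIME and prints the common name
# that held TUNNEL_IP at that moment, or "unknown".
who_had_ip() {
    awk -v ip="$2" -v t="$3" '
        $3 == ip && ($1 + 0) <= (t + 0) {
            if ($2 == "connect") owner = $4
            else if ($2 == "disconnect" && $4 == owner) owner = ""
        }
        END { if (owner == "") owner = "unknown"; print owner }
    ' "$1"
}

# attribute_syns SESSION_LOG  < tcpdump-text
# Reads lines as printed by 'tcpdump -r tcp.log -tt -n' and prints
# "<unix time> <user> <src ip.port> -> <dst ip.port>" for each packet.
attribute_syns() {
    while read -r ts proto src arrow dst _rest; do
        [ "$proto" = IP ] && [ "$arrow" = ">" ] || continue
        sec="${ts%%.*}"       # drop the fractional seconds
        src_ip="${src%.*}"    # drop the trailing .port
        dst="${dst%:}"        # drop the trailing colon
        printf '%s %s %s -> %s\n' "$sec" "$(who_had_ip "$1" "$src_ip" "$sec")" "$src" "$dst"
    done
}

# simulate EVENT NAME TUNNEL_IP TIME_UNIX [TIME_DURATION]
# Stands in for OpenVPN invoking the script with its environment populated.
simulate() {
    ( common_name="$2" ifconfig_pool_remote_ip="$3" time_unix="$4" \
      time_duration="${5:-}" trusted_ip=203.0.113.10 trusted_port=5555
      log_session "$1" )
}

# Constructed sample capture text (not a real capture). The third line is the
# remote side's SYN-ACK, which the post's tcp-syn filter also matches.
SAMPLE_SYNS='1500.100000 IP 10.8.0.6.54321 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
2700.250000 IP 10.8.0.6.40001 > 198.51.100.9.22: Flags [S], seq 2, win 64240, length 0
2700.300000 IP 198.51.100.9.22 > 10.8.0.6.40001: Flags [S.], seq 3, ack 3, win 65535, length 0'

# demo: alice holds 10.8.0.6 from t=1000 to t=2000, then the pool hands it to bob.
demo() {
    VPN_SESSION_LOG=$(mktemp)
    simulate connect    alice 10.8.0.6 1000
    simulate disconnect alice 10.8.0.6 1000 1000
    simulate connect    bob   10.8.0.6 2500
    printf '%s\n' "$SAMPLE_SYNS" | attribute_syns "$VPN_SESSION_LOG"
    rm -f "$VPN_SESSION_LOG"
}

case "${1:-}" in
    connect|disconnect) log_session "$1" ;;
    demo) demo ;;
esac
```

Run it with demo as the argument to see the constructed output: the first SYN is attributed to alice, the second to bob (same tunnel IP, later session), and the SYN-ACK from the remote host comes out as "unknown" because its source is not a tunnel address. Two caveats on the capture command itself: many distribution builds of tcpdump drop root privileges to an unprivileged user (see -Z in the man page) before opening the first -C rotated file, so the output directory must be writable by that user or nothing gets written; and tcp[tcpflags] & (tcp-syn) != 0 matches the remote side's SYN-ACK replies as well as the client's requests, whereas tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn keeps only the outbound connection attempts and roughly halves the capture.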

Dalay
OpenVpn Newbie
Posts: 8
Joined: Tue Aug 02, 2011 6:52 pm

Re: Monitoring VPN users

Post by Dalay » Mon Sep 26, 2011 9:54 pm

Thank You for the reply :)

The command I'm using is below ;
# nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /root/vpnlog/tcp.log

Returns ;
# nohup: appending output to `nohup.out'

But the tcp.log file is empty.

However,
#tcpdump
with no additional parameters is working fine.
I think I'm unable to log it :(

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Monitoring VPN users

Post by Bebop » Mon Sep 26, 2011 10:30 pm

Dalay wrote: # nohup tcpdump -i tun0 'tcp[tcpflags] & (tcp-syn) != 0' -K -q -C 2 -W 20 -w /root/vpnlog/tcp.log
What did you do with the ' & ' ?

It should not be omitted.

Dalay
OpenVpn Newbie
Posts: 8
Joined: Tue Aug 02, 2011 6:52 pm

Re: Monitoring VPN users

Post by Dalay » Mon Sep 26, 2011 10:40 pm

It was a typo. I followed your advice but there is no data in the log file.
Then I tried with
#tcpdump -w capture.log
and capture.log was around 40 MB after only 2 minutes.
Too much to analyze.

Still, you gave me the right starting point.
I'll pull my hair out for a few days, but in the end I'll make it happen.

Will post the results when I'm done.

Thank You

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Monitoring VPN users

Post by Bebop » Mon Sep 26, 2011 10:45 pm

The purpose of nohup is to daemonize tcpdump. If it's causing a problem, you can avoid nohup by instead using 'screen'.
So, start a new terminal screen, run the tcpdump command in the new screen (minus the nohup and &). Then when you close the screen, tcpdump will still be active. It won't persist across a system restart though, so it's best to stick with nohup in that case.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Monitoring VPN users

Post by Bebop » Mon Sep 26, 2011 11:01 pm

My nohup throws the message: " nohup: ignoring input and appending output to `nohup.out'"

but from what I can gather from Google, it's not a problem. Just press Ctrl+C. Your terminal will come back, and tcpdump will be in the background.

The stuff in nohup.out will be like this:

Code:

tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
tcpdump: pcap_loop: The interface went down
But that's not info we are interested in. Your tcp.log file will still be pcap data. If the tcp.log file is empty, you need to check the flags of the tcpdump command. Are you sure the VPN is on tun0? Maybe it's venet0 or tun1. These are the things that should determine a successful outcome in this scenario.
