2

I have an issue with users abusing the server resources and connections.

I have a server with access to several users. one of them is performing network scans abusing the network.

I tried using tcpdump but with no luck as i don't know how to be searching for the right information,all i have is the analysis from the data center.

I have also tried spotting the traffic via iftop and syslog.

Can you help ?

Vitalik Jimbei
  • 379
  • 2
  • 7
  • 19
  • Please, explain me. Users from server abuse network with scan's or ? – 2707974 Oct 30 '15 at 09:27
  • have a corporate VPN configured.the logs on it does not provide much info.

    now i get abuse notices from data center due to network scans.

    they provide the exit port from my server and the local IP and port of the device attacked/scanned

    how to spot this user ?

     – Vitalik Jimbei Oct 30 '15 at 09:31
  • your vpn user from your server scans network? User connect to your vpn server and run scan from server? – 2707974 Oct 30 '15 at 09:40
  • yes, you are correct – Vitalik Jimbei Oct 30 '15 at 09:51

1 Answers1

1

With command, if you use pptp server

last |grep ppp

will see, something like this

xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:19   still logged in   
xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:18 - 11:19  (00:00)    
xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:17 - 11:18  (00:01)    
xxxxx    ppp0         xxx.xxx.xx.6     Fri Oct 30 11:13 - 11:16  (00:03)    
xxxxx    ppp0         xxx.xxx.xx.6     Wed Oct  7 12:37 - 12:50  (00:13)    
xxxxx    ppp0         xxx.xxx.xx.6     Wed Oct  7 12:34 - 12:35  (00:01)

pptp user. connection duration also start and end. Based on time of abuse you can compare time of vpn connection and find vpn user. I guess, one person use one vpn user.

You can add fixed ip address per vpn user and after that monitoring traffic with iptables Very nice example to set ip accounting you have here

2707974
  • 10,758