I'm looking for suspicious activity in October and in the logs I have seen this. Can someone tell me whether this is normal or suspicious?

Oct 13 11:59:41 server pluto[1764]: adding interface tun1/tun1 10.8.10.1:4500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:4500
Friday, January 29 2016, 10:34 AM
Responses (7)
  • Friday, January 29 2016, 07:03 PM
    Thanks, I think there's enough for me to do here.... You've been a great help.
  • Friday, January 29 2016, 04:50 PM
    Is there any configuration of IPsec? That does not need user authentication.

    Also have a look in /etc/pki/CA for any client*.p12 or client*.pem in case the OpenVPN certificates have been left behind.

    The other thing you can try, and if you have a lot of free disk space it may have a chance of success, is to try some file undelete tools to recover the old log files, which are kept for the current week plus four further weeks by default. You may need to take ClearOS down for this and boot the server off a special file recovery disk.
  • Friday, January 29 2016, 04:33 PM
    Yes, they were running, but not intentionally.
    There were no users added as able to use it.

    I'm just wondering, is there a way to see who accessed the internet on that date?

    The only thing we can think of for how this happened was by a remote access trojan: they gained access to the network after hours and did the transfers.

    But I can't find a way to get any logs going that far back.
  • Friday, January 29 2016, 03:51 PM
    It looks like you have both OpenVPN and IPsec configured. From memory, go to the OpenVPN webconfig and you should be able to see who has access permissions. IPsec is not so easy. You'll need to look at /etc/ipsec.conf and the included files, and you may be able to see the external IP which has access, but not the user.
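The two IPsec checks suggested in this thread, reading /etc/ipsec.conf together with the files it includes to see which peers are allowed in, and looking under /etc/pki/CA for leftover client*.p12 / client*.pem OpenVPN credentials, can be done in one pass. The script below is an added example and is not from the thread or from ClearOS. It writes a constructed ipsec.conf tree and a fake CA directory into a temporary folder so it runs offline; the conn names, addresses and the conn.d include path are invented, and the real ClearOS layout may differ. Point `audit()` at a copy of the real tree to use it for real.

```python
import glob
import os
import re
import tempfile
from datetime import datetime

# Constructed sample configuration in ipsec.conf(5) layout. The conn names,
# addresses and the conn.d include path are invented for this example.
MAIN_CONF = """\
config setup
    protostack=netkey
include __BASE__/conn.d/*.conf

conn %default
    keyexchange=ike
    authby=secret
"""
ROADWARRIOR_CONF = """\
conn roadwarrior
    left=%defaultroute
    right=%any
    leftsubnet=192.168.1.0/24
    auto=add
"""
SITE_CONF = """\
conn branch-office
    left=%defaultroute
    right=198.51.100.7
    rightsubnet=10.20.0.0/16
    authby=rsasig
    auto=start
"""

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")


def build_sample_tree():
    """Write the constructed config and a fake pki/CA directory into a temp dir."""
    base = tempfile.mkdtemp(prefix="ipsec-audit-")
    os.makedirs(os.path.join(base, "conn.d"))
    os.makedirs(os.path.join(base, "pki", "CA"))
    with open(os.path.join(base, "ipsec.conf"), "w") as f:
        f.write(MAIN_CONF.replace("__BASE__", base))
    with open(os.path.join(base, "conn.d", "roadwarrior.conf"), "w") as f:
        f.write(ROADWARRIOR_CONF)
    with open(os.path.join(base, "conn.d", "site.conf"), "w") as f:
        f.write(SITE_CONF)
    for name in ("ca-cert.pem", "client-laptop.p12", "client-laptop.pem", "server-cert.pem"):
        open(os.path.join(base, "pki", "CA", name), "w").close()
    return base


def read_ipsec_conf(path, seen=None):
    """(file, line) pairs with 'include' expanded in place; wildcards are
    honoured as ipsec.conf(5) does, and each file is read only once."""
    seen = set() if seen is None else seen
    path = os.path.realpath(path)
    if path in seen:
        return []
    seen.add(path)
    out = []
    with open(path) as f:
        for raw in f:
            line = raw.rstrip("\n")
            m = INCLUDE_RE.match(line)
            if m:
                for inc in sorted(glob.glob(m.group(1))):
                    out.extend(read_ipsec_conf(inc, seen))
            else:
                out.append((path, line))
    return out


def parse_conns(lines):
    """{conn_name: {key: value, '_file': path}} with 'conn %default' folded in."""
    sections, current = {}, None
    for src, line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"_file": src}
            sections[m.groups()] = current
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    defaults = {k: v for k, v in sections.get(("conn", "%default"), {}).items()
                if not k.startswith("_")}
    return {name: {**defaults, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}


def peer_summary(conns):
    """Who may connect to each conn and how. right=%any lets any address initiate;
    with authby=secret that is one shared PSK, so logs show a peer IP, never a user."""
    return [{"conn": name, "peer": c.get("right", "?"), "any_peer": c.get("right") == "%any",
             "authby": c.get("authby", "?"), "auto": c.get("auto", "ignore"), "file": c["_file"]}
            for name, c in sorted(conns.items())]


def leftover_client_certs(pki_dir):
    """client*.p12 / client*.pem left behind under the CA directory, with mtimes."""
    found = []
    for pattern in ("client*.p12", "client*.pem"):
        for p in glob.glob(os.path.join(pki_dir, pattern)):
            stamp = datetime.fromtimestamp(os.path.getmtime(p)).isoformat(timespec="seconds")
            found.append((os.path.basename(p), stamp))
    return sorted(found)


def audit(base):
    """Run all checks against a tree laid out like the sample (ipsec.conf, pki/CA)."""
    conns = parse_conns(read_ipsec_conf(os.path.join(base, "ipsec.conf")))
    return {"conns": conns, "peers": peer_summary(conns),
            "certs": leftover_client_certs(os.path.join(base, "pki", "CA"))}


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for row in report["peers"]:
        flag = "  <-- any peer may initiate" if row["any_peer"] else ""
        print(f"{row['conn']}: peer={row['peer']} authby={row['authby']} auto={row['auto']}{flag}")
    for name, stamp in report["certs"]:
        print(f"leftover client credential: {name} (modified {stamp})")
```

The `auto=` value matters as much as `right=`: a conn with `auto=add` or `auto=start` is loaded when pluto starts, so a forgotten road-warrior conn with `right=%any` and a PSK is reachable by anyone who has the secret, which is exactly the "no user authentication" case raised above.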
  • Friday, January 29 2016, 03:17 PM
    I don't have any VPN running; this system is just a file server and an internet gateway. On the 23rd of October 2015 someone entered the network and stole 18 thousand pounds by accessing one of the computers when there was no one in the office, transferring 18k from the business online banking.

    We know there was no one in the building at this time (19:30), but the transfer came from the office IP address. So I am trying to find some sort of log showing how this happened, but the normal logs don't go this far back.
  • Friday, January 29 2016, 01:49 PM
    I've checked my system further and they look OK. "pluto" is the process for IPsec VPNs. When pluto/IPsec starts it sets itself to listen on ports 500 and 4500 on every interface (internal, external, OpenVPN, loopback and so on). You may be able to override it in ipsec.conf by setting the "listen" parameter in "config setup", but I'm not sure. Also, if you have a dynamic IP you certainly won't want to do that.

    If it helps, I've just restarted IPsec and this is my section of the log:
    Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:500
    Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:4500
    Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:500
    Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:4500
    Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:500
    Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:4500
    Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:500
    Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:4500
    Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:500
    Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:4500
    Note I moved my tun0 address to 172.17.3.1 from the normal 10.8.0.1.
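The explanation above (pluto binds 500 and 4500 on every interface at startup, so "adding interface" lines are expected) suggests a simple way to triage a syslog for the day in question: keep the startup lines as a checklist of what pluto bound, and pull out only the lines that show a remote peer actually completing an IKE exchange. The script below is an added example, not from the thread or from ClearOS. Its sample log is constructed: the first three lines are the ones quoted in the question, the remaining pluto lines are made up in the style of Openswan/Libreswan output rather than taken from anyone's server, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-3 are the ones from the question; the rest are
# invented in the style of Openswan/Libreswan pluto messages for this example.
SAMPLE_LOG = """\
Oct 13 11:59:41 server pluto[1764]: adding interface tun1/tun1 10.8.10.1:4500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:4500
Oct 13 11:59:41 server pluto[1764]: adding interface eth0/eth0 203.0.113.10:500
Oct 13 11:59:41 server pluto[1764]: adding interface eth0/eth0 203.0.113.10:4500
Oct 23 19:21:07 server pluto[1764]: packet from 198.51.100.7:500: received Vendor ID payload [RFC 3947]
Oct 23 19:21:07 server pluto[1764]: "roadwarrior"[1] 198.51.100.7 #3: responding to Main Mode from unknown peer 198.51.100.7
Oct 23 19:21:08 server pluto[1764]: "roadwarrior"[1] 198.51.100.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Oct 23 19:21:09 server pluto[1764]: "roadwarrior"[1] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established
Oct 23 19:40:02 server sshd[2201]: Accepted publickey for admin from 192.168.1.5 port 51022 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ADD_IF_RE = re.compile(
    r"^adding interface (?P<ifname>\S+)/\S+ (?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

IKE_PORTS = {500, 4500}
# Fragments of pluto messages that mean a remote peer really talked to us, as
# opposed to pluto merely binding its sockets when it starts.
PEER_MARKERS = ("packet from", "responding to", "SA established")


def parse_pluto(text):
    """Keep only pluto lines, as (timestamp, pid, message) tuples."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append((m["ts"], int(m["pid"]), m["msg"]))
    return events


def listen_summary(events):
    """interface -> set of ports pluto bound, plus any binding on a non-IKE port.
    Only 500/4500 on every interface is the normal startup pattern."""
    ports_by_if = defaultdict(set)
    odd = []
    for ts, _pid, msg in events:
        m = ADD_IF_RE.match(msg)
        if not m:
            continue
        port = int(m["port"])
        ports_by_if[m["ifname"]].add(port)
        if port not in IKE_PORTS:
            odd.append((ts, m["ifname"], m["addr"], port))
    return dict(ports_by_if), odd


def peer_activity(events):
    """Lines that show an actual IKE exchange: (timestamp, peer IP, message)."""
    hits = []
    for ts, _pid, msg in events:
        if any(marker in msg for marker in PEER_MARKERS):
            ip = IPV4_RE.search(msg)
            hits.append((ts, ip.group(1) if ip else None, msg))
    return hits


def triage(text):
    events = parse_pluto(text)
    ports_by_if, odd = listen_summary(events)
    peers = peer_activity(events)
    return {"listening": ports_by_if, "odd_ports": odd, "peer_events": peers,
            "peer_ips": sorted({ip for _, ip, _ in peers if ip})}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ifname, ports in sorted(result["listening"].items()):
        print(f"{ifname}: pluto bound {sorted(ports)}")
    for ts, ifname, addr, port in result["odd_ports"]:
        print(f"{ts}: unexpected bind {ifname} {addr}:{port}")
    for ts, ip, msg in result["peer_events"]:
        print(f"{ts}: peer {ip}: {msg}")
    print("peers seen:", ", ".join(result["peer_ips"]) or "none")
```

Run it against the concatenated /var/log/messages* for the week in question; an empty `peer_events` list means nobody completed an IKE exchange with the box, which is the answer to "normal or suspicious" for the three lines in the question. Note that it only ever yields a peer address: with a pre-shared-key conn there is no user identity in these logs to recover.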
  • Friday, January 29 2016, 12:18 PM
    These are your OpenVPN interfaces, but I don't see why they are listening on ports 500 and 4500, which are normally IPsec ports. What are the contents of /etc/openvpn/clients*.conf? Also, are you running ibVPN or any other commercial VPN connections?