I'm looking for suspicious activity in October and in the logs I have seen this. Can someone tell me whether this is normal or suspicious?
Oct 13 11:59:41 server pluto[1764]: adding interface tun1/tun1 10.8.10.1:4500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:500
Oct 13 11:59:41 server pluto[1764]: adding interface tun0/tun0 10.8.0.1:4500
Responses (7)
Is there any configuration of ipsec? That does not need user authentication.
Also have a look in /etc/pki/CA for any client*.p12 or client*.pem in case the OpenVPN certificates have been left behind.
The other thing you can try, and if you have a lot of free disk space may have a chance of success, is to try some file undelete tools to recover the old log files - which are kept for the current week plus four further weeks by default. You may need to take ClearOS down for this and boot the server off a special file recovery disk.

Yes, they were running but not intentionally.
There were no users added as able to use it.
I'm just wondering, is there a way to see who accessed the internet on that date?
The only thing we can think of for how this happened was by a remote access trojan: they gained access to the network after hours and did the transfers.
But I can't find a way for any logs going that far back.

It looks like you have both openvpn and ipsec configured. From memory, go to the openvpn webconfig and you should be able to see who has access permissions. IPsec is not so easy. You'll need to look at /etc/ipsec.conf and the included files and you may be able to see the external IP which has access, but not the user.

I don't have any VPN running; this system is just a file server and an internet gateway. On the 23rd of October 2015 someone entered the network and stole 18 thousand pounds by accessing one of the computers when there was no one in the office, transferring 18k from the business online banking.
We know there was no one in the building at this time (19:30) but the transfer came from the office IP address. So I am trying to find some sort of log showing how this happened, but the normal logs don't go this far back.

I've checked my system further and they look OK. "pluto" is the process for IPsec VPNs. When pluto/IPsec starts it sets itself to listen on ports 500 and 4500 for every interface (internal, external, OpenVPN, loopback and so on). You may be able to override it in ipsec.conf by setting the "listen" parameter in "config setup" but I'm not sure. Also if you have a dynamic IP you certainly won't want to do that.
If it helps, I've just restarted IPsec and this is my section of the log:
Note I moved my tun0 address to 172.17.3.1 from the normal 10.8.0.1.
Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:500
Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:4500
Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:4500
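As an added example (not from this thread, and not ClearOS or pluto code), the script below parses pluto "adding interface" lines like the ones quoted above and summarises where the IKE daemon bound ports 500/4500: which addresses are loopback, private or public, and which interfaces are outside an allow-list the administrator expects. The sample log is constructed from the entries quoted in this thread with one unrelated line added as noise; the `EXPECTED_IFACES` set is an assumption a reader would replace with their own interface names. Seeing a `tun` interface here only shows that an OpenVPN tunnel interface existed when pluto started; it does not, on its own, show that anyone connected through it.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the syslog-style pluto lines quoted in the thread, e.g.
# "Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:500"
PLUTO_IFACE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r"adding interface (?P<iface>[\w.-]+)/[\w.-]+ (?P<ip>[0-9.]+):(?P<port>\d+)$"
)

IKE_PORTS = {500, 4500}  # IKE and IKE NAT-T; the reply above says pluto binds both on every interface

# Assumption for this example: the admin expects IKE only on LAN, WAN and loopback.
EXPECTED_IFACES = {"eth0", "eth1", "lo"}

# Constructed sample input, built from the lines quoted in the thread plus one non-pluto line.
SAMPLE_LOG = """\
Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface tun1/tun1 10.8.10.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface tun0/tun0 172.17.3.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface eth1/eth1 172.17.2.1:4500
Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:500
Jan 29 13:40:16 server pluto[31541]: adding interface eth0/eth0 82.19.158.192:4500
Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:500
Jan 29 13:40:16 server pluto[31541]: adding interface lo/lo 127.0.0.1:4500
Jan 29 13:40:17 server sshd[1234]: Accepted publickey for admin from 172.17.2.50 port 51234 ssh2
"""


def parse_pluto_interfaces(text):
    """Return {(iface, ip): set(ports)} for every pluto 'adding interface' line in text."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = PLUTO_IFACE_RE.match(line)
        if not m:
            continue  # lines from other daemons are ignored
        listeners[(m["iface"], m["ip"])].add(int(m["port"]))
    return dict(listeners)


def classify_listeners(listeners, expected_ifaces):
    """Label each (iface, ip) by address scope and whether the interface is in the allow-list."""
    findings = []
    for (iface, ip), ports in sorted(listeners.items()):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            scope = "loopback"
        elif addr.is_private:
            scope = "private"
        else:
            scope = "public"
        findings.append({
            "iface": iface,
            "ip": ip,
            "ports": sorted(ports),
            "scope": scope,
            "expected": iface in expected_ifaces,
            "both_ike_ports": IKE_PORTS <= ports,  # True when both 500 and 4500 were bound
        })
    return findings


def public_listeners(findings):
    """(iface, ip) pairs where IKE is reachable on a public address (normal for a VPN's WAN side)."""
    return [(f["iface"], f["ip"]) for f in findings if f["scope"] == "public"]


def unexpected_interfaces(findings):
    """Interface names that bound IKE ports but are not in the allow-list."""
    return sorted({f["iface"] for f in findings if not f["expected"]})


if __name__ == "__main__":
    found = classify_listeners(parse_pluto_interfaces(SAMPLE_LOG), EXPECTED_IFACES)
    for f in found:
        flag = "" if f["expected"] else "  <- not in expected set"
        print(f"{f['iface']:5} {f['ip']:15} ports={f['ports']} scope={f['scope']}{flag}")
    print("public:", public_listeners(found))
    print("unexpected:", unexpected_interfaces(found))
```

To run it against a real system, read the log file that contains the pluto lines into `text` instead of `SAMPLE_LOG`; the output for the sample above lists eth0 as the only public listener and tun0/tun1 as interfaces outside the assumed allow-list, which matches the reply's point that pluto binds every interface present at start-up rather than indicating a VPN user.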