2

I have an issue with users abusing the server resources and connections.

I have a server with access to several users. One of them is performing network scans, abusing the network.

I tried using tcpdump, but with no luck, as I don't know how to search for the right information; all I have is the analysis from the data center.

I have also tried spotting the traffic via iftop and syslog.

Can you help?

Vitalik Jimbei

1 Answer

1

If you use a PPTP server, with the command

last |grep ppp

you will see something like this:

xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:19   still logged in   
xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:18 - 11:19  (00:00)    
xxxxx1   ppp0         xxx.xxx.xx.5     Fri Oct 30 11:17 - 11:18  (00:01)    
xxxxx    ppp0         xxx.xxx.xx.6     Fri Oct 30 11:13 - 11:16  (00:03)    
xxxxx    ppp0         xxx.xxx.xx.6     Wed Oct  7 12:37 - 12:50  (00:13)    
xxxxx    ppp0         xxx.xxx.xx.6     Wed Oct  7 12:34 - 12:35  (00:01)

This shows the PPTP user and the connection duration, with start and end times. Based on the time of the abuse, you can compare it with the times of the VPN connections and find the VPN user. I guess one person uses one VPN user.

You can add a fixed IP address per VPN user and after that monitor the traffic with iptables. You have a very nice example of setting up IP accounting here

2707974
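
The time correlation described in the answer above, as an added example that is not part of the original answer: it parses `last | grep ppp` style lines and returns the users whose PPTP session overlaps the abuse window reported by the data center. The sample lines, user names, addresses, the year (which `last` does not print by default) and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the `last | grep ppp` output above
# (user names and addresses are placeholders, not real data).
SAMPLE = """\
alice    ppp0         203.0.113.5      Fri Oct 30 11:19   still logged in
alice    ppp0         203.0.113.5      Fri Oct 30 11:18 - 11:19  (00:00)
bob      ppp0         203.0.113.6      Fri Oct 30 11:13 - 11:16  (00:03)
bob      ppp0         203.0.113.6      Wed Oct  7 12:37 - 12:50  (00:13)
"""

# user, tty, peer address, start time, then either an open session
# or "- <end>  ([days+]HH:MM)" as printed by last(1).
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>ppp\d+)\s+(?P<host>\S+)\s+"
    r"\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<hm>\d\d:\d\d)\s+"
    r"(?:still logged in|- \S+\s+\((?:(?P<d>\d+)\+)?(?P<h>\d\d):(?P<m>\d\d)\))"
)

def parse_sessions(text, year):
    """Yield (user, host, start, end); end is None for open sessions."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a ppp session line (e.g. the wtmp footer)
        start = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['hm']}", "%Y %b %d %H:%M")
        end = None
        if m["h"] is not None:
            # Use the printed duration so sessions crossing midnight work.
            end = start + timedelta(days=int(m["d"] or 0),
                                    hours=int(m["h"]), minutes=int(m["m"]))
        yield m["user"], m["host"], start, end

def users_active(text, win_start, win_end, year, slack=timedelta(minutes=1)):
    """Return sorted (user, host) pairs connected during the abuse window."""
    hits = set()
    for user, host, start, end in parse_sessions(text, year):
        # last(1) has minute resolution, so widen each session by `slack`.
        s = start - slack
        e = end + slack if end is not None else datetime.max
        if s <= win_end and e >= win_start:
            hits.add((user, host))
    return sorted(hits)

if __name__ == "__main__":
    w0, w1 = datetime(2015, 10, 30, 11, 14), datetime(2015, 10, 30, 11, 15)
    print(users_active(SAMPLE, w0, w1, year=2015))
```

Server and data-center clocks may differ or use different time zones, so convert the reported abuse time to the server's local time before comparing.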