Monitoring IPs connecting to OpenVPN



  • I wrote a simple script to monitor openvpn.log for any new IPs and send a report if one is found. This way I know when a user connects from a new location and can quickly find out whether that's a legitimate connection or the account has been compromised.

    Unfortunately my script occasionally misses the first digit of an IP address, which creates false alarms, and I can't figure out why. The script is below:

    
    # Pull every dotted quad out of the log and test each one against the known list.
    for IP in $(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/openvpn.log)
    do
            # -F: fixed string (dots are not regex wildcards), -x: whole line, -q: quiet
            if ! grep -Fxq -- "$IP" /tmp/knownIPs.txt
            then
                    echo "New IP detected: $IP"
                    echo "GeoIP: $(/usr/local/bin/php -f /root/geoIdent.php "$IP")"
                    # First log line containing the address; the user name is the third [...] field
                    echo "User: $(grep -m1 -F -- "$IP" /var/log/openvpn.log | cut -d[ -f3 | cut -d] -f1)"
                    echo "$IP" >> /tmp/knownIPs.txt
            fi
    done
    
    

    For example, an IP like 71.160.14.214 will get picked up like 1.160.14.214. One is in California, one is in Taiwan.

    I ran the grep command from the script manually many times and I can never replicate this problem - it consistently picks up the complete IP address.

    Any ideas? Thanks!


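An added example, not the poster's script, of doing the same check without matching a bare dotted quad anywhere in the line. It takes the client address only from OpenVPN's own connection record, "<ip>:<port> [<common_name>] Peer Connection Initiated with [AF_INET]<ip>:<port>", which also carries the user name, validates each octet, and compares against the known list with a fixed-string whole-line match so that 1.160.14.214 can never match 71.160.14.214. The log lines it runs on are constructed here, modelled on OpenVPN 2.x server output, and are assumed to be representative of the poster's log; they also contain the tunnel pool addresses (10.8.0.x) that an unanchored grep for any dotted quad picks up as "new IPs". That is a separate source of false alarms and does not by itself explain a dropped leading digit.

```shell
#!/bin/sh
# Added example (not from the original post): report OpenVPN client addresses
# that have not been seen before, taking the address only from the
# "[user] Peer Connection Initiated with [AF_INET]ip:port" record.
# Assumption: the server writes OpenVPN's standard connection line (verb 3).

# Print "user ip" for each successful connection in log file $1.
# Only an address wrapped as [AF_INET]a.b.c.d:port on that line is accepted.
extract_connections() {
    sed -nE 's/^.* \[([^]]+)\] Peer Connection Initiated with \[AF_INET\](([0-9]{1,3}\.){3}[0-9]{1,3}):[0-9]+.*$/\1 \2/p' "$1"
}

# What the original script matches: every dotted quad anywhere in the file.
naive_ips() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

# Return 0 if $1 is four decimal octets, each 0-255 (POSIX sh, no arrays).
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "NEW <ip> user=<user>" for addresses absent from known-IP file $2, then record them.
# grep -Fx compares the whole line as a fixed string, so no partial or regex matches.
report_new_ips() {
    touch "$2"
    extract_connections "$1" | sort -u | while read -r user ip; do
        if ! valid_ipv4 "$ip"; then
            printf 'SKIP malformed address %s (user=%s)\n' "$ip" "$user" >&2
            continue
        fi
        if ! grep -Fxq -- "$ip" "$2"; then
            printf 'NEW %s user=%s\n' "$ip" "$user"
            printf '%s\n' "$ip" >> "$2"
        fi
    done
}

# Constructed sample log (not captured from a real server), modelled on OpenVPN 2.x
# output: two clients, one of them connecting twice, plus the MULTI: Learn lines that
# carry tunnel pool addresses.
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Jan  6 09:12:01 2020 71.160.14.214:46203 TLS: Initial packet from [AF_INET]71.160.14.214:46203, sid=7a1c0b2e 9e0f4d31
Mon Jan  6 09:12:02 2020 71.160.14.214:46203 [alice] Peer Connection Initiated with [AF_INET]71.160.14.214:46203
Mon Jan  6 09:12:02 2020 MULTI: Learn: 10.8.0.6 -> alice/71.160.14.214:46203
Mon Jan  6 09:40:17 2020 203.0.113.45:51020 [bob] Peer Connection Initiated with [AF_INET]203.0.113.45:51020
Mon Jan  6 09:40:17 2020 MULTI: Learn: 10.8.0.10 -> bob/203.0.113.45:51020
Mon Jan  6 10:02:44 2020 71.160.14.214:50117 [alice] Peer Connection Initiated with [AF_INET]71.160.14.214:50117
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_log "$dir/openvpn.log"
    printf '203.0.113.45\n' > "$dir/knownIPs.txt"   # bob's address is already recorded
    echo "Anchored extraction (new addresses only):"
    report_new_ips "$dir/openvpn.log" "$dir/knownIPs.txt"
    echo "Bare dotted-quad grep (what the original script would test):"
    naive_ips "$dir/openvpn.log"
    rm -rf "$dir"
}
demo
```

Run it once to see the contrast: the anchored version reports 71.160.14.214 for alice exactly once, while the bare grep also lists 10.8.0.6 and 10.8.0.10. For a production version, keep the known-IP file somewhere that survives a reboot rather than /tmp, and consider recording "user ip" pairs instead of bare addresses so a known address used by a different account is also flagged.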