Monitoring IPs connecting to OpenVPN
-
I wrote a simple script to monitor openvpn.log for any new IPs and send a report if one is found. This way I know when a user connects from a new location and can quickly find out whether that's a legitimate connection or whether the account has been compromised.
Unfortunately my script occasionally misses the first digit of an IP address, which creates false alarms, and I can't figure out why. The script is below:
```bash
for IP in $(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/openvpn.log); do
    # -F = fixed string, -x = whole line, -q = quiet: exact match against the known list
    if ! grep -Fxq "$IP" /tmp/knownIPs.txt; then
        echo "New IP detected: $IP"
        echo "GeoIP: $(/usr/local/bin/php -f /root/geoIdent.php "$IP")"
        # first log line containing the IP; the username is the second [...] field
        echo "User: $(grep -m1 -F "$IP" /var/log/openvpn.log | cut -d'[' -f3 | cut -d']' -f1)"
        echo "$IP" >> /tmp/knownIPs.txt
    fi
done
```
For example, an IP like 71.160.14.214 will get picked up as 1.160.14.214. One is in California, the other is in Taiwan.
I ran the grep command from the script manually many times and I can never replicate this problem - it consistently picks up the complete IP address.
Any ideas? Thanks!
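Added example, not the poster's script: a Python version of the same check. Instead of pulling every dotted quad out of the whole log and then grepping a second time for the user, it matches only the line OpenVPN 2.x writes when a client handshake completes (`[user] Peer Connection Initiated with [AF_INET]ip:port`, here in syslog format), takes the username and the peer address from that single line, and range-checks each octet, since a bare `[0-9]{1,3}` pattern also accepts things like 999.1.1.1. The sample log lines, the file paths and all function names are constructed for this example.

```python
"""Report OpenVPN client connections from source IPs not seen before."""
import re
from typing import List, Set, Tuple

# Constructed sample of syslog-style OpenVPN server log lines (made up for this
# example, not taken from the original post). Only the "Peer Connection Initiated"
# line carries both the username and the peer address on the same line.
SAMPLE_LOG = """\
Mar  3 08:12:01 vpn1 openvpn[1234]: 71.160.14.214:49322 TLS: Initial packet from [AF_INET]71.160.14.214:49322, sid=1a2b3c4d 5e6f7a8b
Mar  3 08:12:02 vpn1 openvpn[1234]: 71.160.14.214:49322 [alice] Peer Connection Initiated with [AF_INET]71.160.14.214:49322
Mar  3 08:12:02 vpn1 openvpn[1234]: alice/71.160.14.214:49322 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar  3 09:40:15 vpn1 openvpn[1234]: 203.0.113.7:1194 [bob] Peer Connection Initiated with [AF_INET]203.0.113.7:1194
Mar  3 10:01:44 vpn1 openvpn[1234]: 198.51.100.23:55021 [alice] Peer Connection Initiated with [AF_INET]198.51.100.23:55021
"""

# Anchor on OpenVPN's own wording rather than on "any dotted quad anywhere", and
# capture user and address as named groups. (IPv6 peers log as [AF_INET6] and are
# deliberately not matched here.)
PEER_RE = re.compile(
    r"\[(?P<user>[^\]]+)\] Peer Connection Initiated with "
    r"\[AF_INET\](?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5})"
)


def is_ipv4(ip: str) -> bool:
    """A \\d{1,3} pattern also accepts 999.1.1.1; check each octet's range."""
    octets = ip.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def parse_connections(log_text: str) -> List[Tuple[str, str]]:
    """Return (ip, user) pairs in log order, one per completed handshake line."""
    found = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and is_ipv4(m.group("ip")):
            found.append((m.group("ip"), m.group("user")))
    return found


def find_new_connections(log_text: str, known_ips: Set[str]) -> List[Tuple[str, str]]:
    """Report each previously unseen source IP once, with the user who connected from it.

    known_ips is left untouched; the caller persists the result (see update_known).
    """
    seen = set(known_ips)
    new = []
    for ip, user in parse_connections(log_text):
        if ip not in seen:
            seen.add(ip)
            new.append((ip, user))
    return new


def load_known(path: str) -> Set[str]:
    """Read the known-IP list, one address per line; a missing file means 'none yet'."""
    try:
        with open(path, encoding="ascii") as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def update_known(path: str, new_ips) -> None:
    """Append newly reported addresses so they are not reported again."""
    with open(path, "a", encoding="ascii") as fh:
        for ip in new_ips:
            fh.write(ip + "\n")


def report(log_text: str, known_path: str) -> List[str]:
    """One line per new IP; returned (not just printed) so cron or a mailer can send it."""
    known = load_known(known_path)
    new = find_new_connections(log_text, known)
    update_known(known_path, [ip for ip, _ in new])
    return [f"New IP detected: {ip} (user {user})" for ip, user in new]


if __name__ == "__main__":
    import os
    import tempfile

    # Demo against the constructed log, with one address pretended to be known already.
    known_file = os.path.join(tempfile.mkdtemp(), "knownIPs.txt")
    update_known(known_file, ["203.0.113.7"])
    for line in report(SAMPLE_LOG, known_file):
        print(line)
```

A GeoIP lookup (the poster's `geoIdent.php` call, or any other resolver) slots into `report()` once per new address. Reading user and IP from the same line also avoids the `grep -m1` approach, where the first line containing the address may be an earlier `TLS: Initial packet` line that has no `[user]` field at all.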