What do you do when you get scanned?

Soldato | Joined 22 Oct 2004 | Posts 9,086 | Location Berkland
Ok, so I have a single port opened up on my router to allow my OpenVPN setup in. On the router I have the syslog events forwarded on to my syslog server, which chucks alerts for when there are incoming connections on that port, thus knowing when I am logging in to OpenVPN via the initial connection, then via a successful authentication, and if I'm SSH'ing onto the box, then via an alert for that as well.

The first day I set up the alert processing, I got an alert, then it was quiet for a long time until last night when a few alerts came in from someone connecting on the port, but I never got the successful authentication notification, so the connection didn't convert (which is good!).

When I get the alerts, if I'm not super busy I always go and whois the IP to find out if it's the Chinese or the Russians, and then if I'm super curious, I will do an nmap on them. I'm thinking of maybe automating this with a bash script to email me a report after the event.

So what do others do when this happens? Should I run some other tool to scan the scanner?
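A small detection script for the setup described in the post above, added here as an example and not the poster's own code: it parses syslog lines in the shape OpenVPN's server log uses (the line formats and addresses are constructed samples, an assumption) and reports which sources knocked on the port without ever completing authentication, which is exactly the "didn't convert" case worth an alert.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines resembling OpenVPN server output (assumption:
# the formats approximate the real ones; addresses are from documentation ranges).
SAMPLE_LOG = """\
Mar  3 22:10:01 router openvpn[812]: TLS: Initial packet from [AF_INET]198.51.100.7:41022, sid=aaaaaaaa bbbbbbbb
Mar  3 22:10:03 router openvpn[812]: 198.51.100.7:41022 TLS Error: TLS handshake failed
Mar  3 22:10:09 router openvpn[812]: TLS: Initial packet from [AF_INET]198.51.100.7:41030, sid=cccccccc dddddddd
Mar  3 22:11:40 router openvpn[812]: TLS: Initial packet from [AF_INET]203.0.113.25:55120, sid=eeeeeeee ffffffff
Mar  3 22:11:41 router openvpn[812]: 203.0.113.25:55120 VERIFY OK: depth=0, CN=laptop
Mar  3 22:11:41 router openvpn[812]: 203.0.113.25:55120 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.25:55120
"""

# First packet from a client: somebody hit the forwarded port.
INITIAL = re.compile(r"TLS: Initial packet from \[AF_INET\](?P<ip>[\d.]+):\d+")
# Handshake and certificate check completed: a real login, with the client CN.
SUCCESS = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET\](?P<ip>[\d.]+):\d+")

def summarise(log_text):
    """Return {ip: {"attempts": n, "authenticated": [cn, ...]}} per source address."""
    seen = defaultdict(lambda: {"attempts": 0, "authenticated": []})
    for line in log_text.splitlines():
        m = INITIAL.search(line)
        if m:
            seen[m["ip"]]["attempts"] += 1
            continue
        m = SUCCESS.search(line)
        if m:
            seen[m["ip"]]["authenticated"].append(m["cn"])
    return dict(seen)

def unconverted(summary):
    """Sources that hit the port but never completed authentication."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] and not s["authenticated"])

def report(log_text):
    """Human-readable summary, one line per source, suitable for emailing."""
    summary = summarise(log_text)
    lines = []
    for ip in sorted(summary):
        s = summary[ip]
        status = ("authenticated as " + ", ".join(s["authenticated"])) if s["authenticated"] else "NEVER authenticated"
        lines.append(f"{ip}: {s['attempts']} connection attempt(s), {status}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("Alert on:", unconverted(summarise(SAMPLE_LOG)))
```

Feeding the real syslog file in place of SAMPLE_LOG and cron'ing the report gives the emailed summary the post talks about, without touching the remote host at all.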
 
I just use fail2ban if it's a service I want to secure, people and applications are constantly scanning, there is no point looking up each one individually imo.
 
You might get less hits if you use an obscure port number.

I.e. don't change the VPN server settings, but in your port forwarding, tell it to forward 44444 to 1194 instead.

Then in your ovpn client file, edit the port number to 44444.
 