logging outgoing connection IP with tcpdump / any alternative
I am receiving a lot of abuse reports at my SG location, and I am here seeking advice (read: help) from the LES Scholars committee.
Some VPS containers are assigned internal IPs with a NAT'ed connection to the outside IPv4 world via a single shared public IPv4 address.
I suspect there are 1-2 sick people who are abusing this shared connection: attacking, attempting to SSH brute-force, and port-scanning other servers.
So the public IPv4 gets listed on blacklists, and I receive reports containing the affected server's details, IP, etc.
I'm required to take corrective action, and I need some help logging/analysing connections from internal IPs!
Currently I use tcpdump to log connections and trace the internal origin IP of the attack.
tcpdump -n -i venet0 -G 86400 -w %F.cap
The daily log size reaches as much as 22 GB...
Are there any changes I could make to tcpdump? A way to reduce the log size?
I only need to log outgoing connections over IPv4, logging the date, source IP and destination IP.
Has someone else faced a similar situation? Alternatives to tcpdump? Should I use tshark? (How?)
Any modifications I can make to the tcpdump command?
Any and all suggestions are very much appreciated.
Thanks for taking the time to read this/help.
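One way to cut the capture down to what the question actually needs, added here as an example and not code from the original post: capture only the first packet of each outbound TCP connection (SYN set, ACK clear) from the container range, with a small snaplen, and then summarise the resulting text output per internal source. It assumes the containers sit in 10.0.0.0/8 (INTERNAL_NET), that the capture interface is venet0 as in the post and still sees the internal source addresses (i.e. before SNAT), and that tcpdump is installed; the sample tcpdump lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example for the question above; not code from the original post.
# Assumptions (change to match the host): the containers live in 10.0.0.0/8,
# the capture interface is venet0 (as in the post, where packets still carry
# the internal source IP, i.e. before SNAT), and tcpdump is installed.

INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"   # assumed container address range
IFACE="${IFACE:-venet0}"

# BPF filter: IPv4 only, source inside the container range, destination outside
# it, and only the first packet of each TCP connection (SYN set, ACK clear).
# Everything the question asks for (date, source IP, destination IP) is in that
# one packet, so payload and the rest of the flow need not be stored.
outbound_syn_filter() {
    printf 'ip and src net %s and not dst net %s and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
        "$INTERNAL_NET" "$INTERNAL_NET"
}

# Daily rotated capture of outbound SYNs only. -s 96 keeps just the headers
# (a SYN carries no payload); -G 86400 rotates the file once a day as before.
capture_outbound_syns() {
    tcpdump -n -i "$IFACE" -s 96 -G 86400 -w '%F-outbound-syn.pcap' "$(outbound_syn_filter)"
}

# Both reporters read tcpdump's text output on stdin, e.g.
#   tcpdump -n -tttt -r 2024-05-01-outbound-syn.pcap | top_sources
# (-tttt prints an absolute date and time in front of each packet).

# Count connection attempts per internal source address; the abuser floats to the top.
top_sources() {
    awk '$3 == "IP" && $5 == ">" { src = $4; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# One line per (date, source IP, destination IP:port) with its attempt count,
# which is the detail an abuse report can be matched against.
summarize_connections() {
    awk '$3 == "IP" && $5 == ">" {
             src = $4; sub(/\.[0-9]+$/, "", src)
             dst = $6; sub(/:$/, "", dst)
             n = split(dst, p, "."); dport = p[n]
             dsthost = p[1] "." p[2] "." p[3] "." p[4]
             count[$1 " " src " " dsthost ":" dport]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of tcpdump -n -tttt output: one container probing port 22
# on three hosts, another making a single HTTPS connection.
SAMPLE_LINES='2024-05-01 10:15:32.123456 IP 10.0.0.5.43210 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
2024-05-01 10:15:32.223456 IP 10.0.0.5.43211 > 203.0.113.8.22: Flags [S], seq 2, win 64240, length 0
2024-05-01 10:15:32.323456 IP 10.0.0.5.43212 > 203.0.113.9.22: Flags [S], seq 3, win 64240, length 0
2024-05-01 10:16:01.000000 IP 10.0.0.9.51000 > 198.51.100.4.443: Flags [S], seq 4, win 64240, length 0'

echo "Filter: $(outbound_syn_filter)"
echo "Attempts per internal source:"
printf '%s\n' "$SAMPLE_LINES" | top_sources
```

The SYN-only filter is what shrinks the file: the original command stores every packet in both directions with full payload, while one SYN per connection attempt is a few dozen bytes. If the port scans in the reports also use UDP, add `or udp` to the expression (at the cost of every DNS query as well). The same record can also be produced without tcpdump by an iptables or nftables LOG rule on the FORWARD chain matching `--syn` packets from the container range, which writes one kernel log line per connection attempt.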