Any chance that one of your client certs was built on a template that used the root email address?

I'd look over any log files for other systems that VPN users have access to after they connect - look for activity that corresponds time-wise to the VPN log entries for root and see if there is any additional information as to who is logging on. You might also consider blocking the external IP that the connecting client is using until you've got a better idea what's going on.

I had an issue like this a while back where my certs were based on machine names and not the users - all users for a given computer had the same local logon credentials (bad, I know, but necessary in this particular case). Prior to introducing user auth via RADIUS, I could never really tell who was logged onto the VPN, only which computer was connecting. To make matters worse, I was using a template (xca) for my certs and left the same email address in there for a number of certs. It didn't matter when the certs were based on the machine name but as soon as I went over to the user name, I started noticing "odd log entries". There in fact was nothing wrong with the entries - it was my client certs that were the culprit.

Once I added RADIUS auth, users had to log on to the VPN w/ their unique credentials and I could see who was connecting, even if the cert had weird information. An added bonus to the RADIUS auth was that I could then troubleshoot what certs had the bad info and re-issue them.

My 2 cents...hope this is all that is wrong in your case.

- Nd

On Wed, 14 Nov 2007 20:24:42 -0500 JJB <onephatcat@xxxxxxxxxxxxx> wrote:
>Ralf Hildebrandt wrote:
>> * JJB <onephatcat@xxxxxxxxxxxxx>:
>>
>>> Hello
>>>
>>> I'm getting these errors as if our firewall/openvpn server is logging
>>> into itself. Is this normal? Have sanitized the error (ip address, org
>>> name, etc.)
>>>
>>> Nov 7 15:19:47 aa-gateway openvpn[3945]: xxx.xxx.xxx.xxx:61518 VERIFY OK: depth=1, /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=OpenVPN-CA/emailAddress=root@xxxxxxxxxxxxxx
>>>
>>
>> I don't see an error.
>> I see an "OK
>
>Hi Ralph, thanks for responding,
>
>It isn't an error, it's an ok for user "root" to log in.
>
>Most of the OpenVPN log messages have usernames like
>user@xxxxxxxxxxxxxx, not root:
>
>jvv/74.61.97.235:1159 VERIFY OK: depth=0, /C=US/ST=CA/O=Name_Of_Org/CN=jvv/emailAddress=jvv@xxxxxxxxxxxxxx
>
>Why would there be a log message for root@xxxxxxxxxxxxxx? Is this
>evidence of someone gaining unauthorized access?
>
> - Joel

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
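
An added example, not part of the original thread: a small Python triage script for the `VERIFY OK` lines quoted above. In OpenVPN's verification output, `depth=1` is the issuing CA certificate in the chain and `depth=0` is the connecting client's certificate, so the script separates the two and then reports any `emailAddress` shared by more than one client CN, the template-reuse problem described in the reply. The log lines, host name, addresses and `example.org` values are constructed samples, and the parser assumes subject values contain no `/`.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = """\
Nov 7 15:19:47 gw openvpn[3945]: 192.0.2.10:61518 VERIFY OK: depth=1, /C=US/ST=CA/L=Location/O=Org/CN=OpenVPN-CA/emailAddress=root@example.org
Nov 7 15:19:47 gw openvpn[3945]: 192.0.2.10:61518 VERIFY OK: depth=0, /C=US/ST=CA/O=Org/CN=jvv/emailAddress=jvv@example.org
Nov 7 16:02:11 gw openvpn[3945]: 198.51.100.7:1159 VERIFY OK: depth=1, /C=US/ST=CA/L=Location/O=Org/CN=OpenVPN-CA/emailAddress=root@example.org
Nov 7 16:02:11 gw openvpn[3945]: 198.51.100.7:1159 VERIFY OK: depth=0, /C=US/ST=CA/O=Org/CN=laptop7/emailAddress=admin@example.org
Nov 7 16:40:03 gw openvpn[3945]: 203.0.113.5:2201 VERIFY OK: depth=0, /C=US/ST=CA/O=Org/CN=laptop9/emailAddress=admin@example.org
"""

VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (/.+)$")


def parse_subject(dn):
    """Split a one-line DN (/K=V/K=V...) into a dict; assumes no '/' in values."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)


def analyze(log_text):
    """Return (ca_subjects, clients, shared_emails) from VERIFY OK lines."""
    ca_subjects, clients = set(), {}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, subject = int(m.group(1)), parse_subject(m.group(2))
        cn, email = subject.get("CN"), subject.get("emailAddress")
        if depth >= 1:
            ca_subjects.add((cn, email))  # issuer chain, not a connecting user
        else:
            clients[cn] = email           # depth=0 is the client certificate
    by_email = defaultdict(set)
    for cn, email in clients.items():
        by_email[email].add(cn)
    shared = {e: sorted(c) for e, c in by_email.items() if len(c) > 1}
    return ca_subjects, clients, shared


if __name__ == "__main__":
    cas, clients, shared = analyze(SAMPLE_LOG)
    print("CA certs seen (depth>=1):", sorted(cas))
    print("Client certs (depth=0):", clients)
    print("emailAddress reused across client CNs:", shared)
```
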