For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

epaalx's avatar
epaalx
Icon for Cirrus rankCirrus
Jul 14, 2020

How to force administrator logout?

Hi Experts, What's sanctioned method to force administrator logout or end that administrative session - preferable by TMSH/CLI. This is for administrator who login via GUI (httpd) or shell (sshd). [...
application delivery
BIG-IP
TMSH
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Jul 15, 2020

Hello Alex.

There is no forward way to do that.

First of all, you can know who IPs are connected to the device checking socket connections to sshd and httpd daemons.

# netstat -tnp | grep -e httpd -e sshd 
tcp        0      0 192.168.102.41:22           192.168.102.42:55842        ESTABLISHED 18486/sshd
tcp        0      0 192.168.102.41:22           10.90.81.144:61965          ESTABLISHED 16290/sshd
tcp        0      0 ::ffff:192.168.102.41:443   ::ffff:10.90.81.144:53589   ESTABLISHED 9097/httpd

Usernames connected through SSH can be checked by 'who'.

# who
root     pts/0        2020-07-15 19:46 (10.90.81.144)
admin    pts/1        2020-07-15 19:38 (192.168.102.42)

Both systems (SSH/HTTP) usernames connected could be also checked using audit logs by IP.

# cat /var/log/audit | grep 10.90.81.144
Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16387]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:08:49 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".

After this introduction, let move on your question.

One way to force users to not interact with one specific device is to restrict access to one source IP (or range) for both daemons (sshd/httpd).

tmsh modify sys httpd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh modify sys sshd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config

After that, those users trying to access GUI will get a message indicating that access is forbidden.

In case of SSH users, they have to be forced to disconnect their sessions manually. To do so, you can kill their connections.

who
netstat -tnp | grep sshd
kill -9 <PID>

You can reestablish normal access using these commands.

tmsh modify sys httpd allow replace-all-with { All }
tmsh modify sys sshd allow replace-all-with { All }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config

Regards,

Dario.