For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

coriolis_75734's avatar
coriolis_75734
Icon for Nimbostratus rankNimbostratus
Mar 09, 2015

Kill all sessions for a user via API

We are using LTM/APM 11.5.1 and would like to be able to get all the session ids for a particular user and kill them (or at least dead-end their traffic). I know we can do this via the GUI but am looking for ways this can be automated if it is detected the account is compromised. Is it possible via REST?

 

BIG-IP Access Policy Manager (APM)
devops
iControl
iControlREST
security
TMSH

3 Replies

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2015

    How about eliminate this issue, by restricting the users to limited sessions using "Max Sessions Per User"?

    On cli 

    sessiondump -allkeys
    can be used to filter the session id belong to a particular user and pipe to delete it. But that is resource intensive.

    An extreme option is to delete all sessions something like:

    sessiondump -list | awk '{ print $1}' | xargs -L 1 sessiondump -delete'

  • coriolis_75734's avatar
    coriolis_75734
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2015

    Limiting the max number of sessions per user wouldn't help in the situation where a user account has been compromised and being used by an unauthorised third party.

     

    We do not wish to kill all sessions and ideally I'm looking for a solution where I can give the operations team a script to run which just requires a username input and the specified user's sessions will be killed.

     

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2015

    A shell script like following:

    sessiondump -allkeys | grep $1 | cut -d. -f1 | xargs -L 1 sessiondump -delete

    .. and call like 

    ./removeUser.sh user1