How to force administrator logout?

epaalx
Cirrus

Hi Experts,

What's the sanctioned method to force an administrator logout, or to end that administrative session, preferably via TMSH/CLI? This is for an administrator who logs in via the GUI (httpd) or the shell (sshd). [I'm running v12.]

R's, Alex

4 REPLIES

Hello Alex.

There is no straightforward way to do that.

First of all, you can find out which IPs are connected to the device by checking the socket connections to the sshd and httpd daemons.

# netstat -tnp | grep -e httpd -e sshd
tcp  0  0 192.168.102.41:22          192.168.102.42:55842       ESTABLISHED 18486/sshd
tcp  0  0 192.168.102.41:22          10.90.81.144:61965         ESTABLISHED 16290/sshd
tcp  0  0 ::ffff:192.168.102.41:443  ::ffff:10.90.81.144:53589  ESTABLISHED 9097/httpd

Usernames connected through SSH can be checked by 'who'.

# who
root     pts/0        2020-07-15 19:46 (10.90.81.144)
admin    pts/1        2020-07-15 19:38 (192.168.102.42)

For both services (SSH/HTTP), the connected usernames can also be checked in the audit logs by IP.

# cat /var/log/audit | grep 10.90.81.144
Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16387]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:08:49 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".

After this introduction, let's move on to your question.

One way to stop users from interacting with a specific device is to restrict access to one source IP (or range) for both daemons (sshd/httpd).

tmsh modify sys httpd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh modify sys sshd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config

After that, those users trying to access GUI will get a message indicating that access is forbidden.

In the case of SSH users, their sessions have to be disconnected manually. To do so, you can kill their connections.

who
netstat -tnp | grep sshd
kill -9 <PID>

You can reestablish normal access using these commands.

tmsh modify sys httpd allow replace-all-with { All }
tmsh modify sys sshd allow replace-all-with { All }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config

Regards,

Dario.
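The kill step above requires reading the right sshd PID off two separate listings by hand. As an added example (not part of the original thread), the script below joins `who` (user to source IP) with `netstat -tnp` (source IP:port to sshd PID) so only the chosen administrator's sshd process is targeted, and prints the kill commands for review instead of running them. The function names and the sample data are this example's own; the sample data is constructed to match the output format shown in the reply.

```shell
#!/bin/bash
# Added example, not from the original thread. Joins `who` and `netstat -tnp`
# output so the kill targets exactly one administrator's sshd process.
# SAMPLE_WHO and SAMPLE_NETSTAT are constructed, in the format shown above.

# Constructed `who` output.
SAMPLE_WHO='root     pts/0        2020-07-15 19:46 (10.90.81.144)
admin    pts/1        2020-07-15 19:38 (192.168.102.42)'

# Constructed `netstat -tnp` output, already filtered to the two daemons.
SAMPLE_NETSTAT='tcp  0  0 192.168.102.41:22          192.168.102.42:55842       ESTABLISHED 18486/sshd
tcp  0  0 192.168.102.41:22          10.90.81.144:61965         ESTABLISHED 16290/sshd
tcp  0  0 ::ffff:192.168.102.41:443  ::ffff:10.90.81.144:53589  ESTABLISHED 9097/httpd'

# source_ips_for_user USER WHO_OUTPUT
# Prints the source IP of every SSH login of USER, one per line, de-duplicated.
source_ips_for_user() {
  printf '%s\n' "$2" |
    awk -v u="$1" '$1 == u { gsub(/[()]/, "", $NF); print $NF }' | sort -u
}

# sshd_pids_for_ip IP NETSTAT_OUTPUT
# Prints the PID of every sshd process whose peer address is IP. The
# IPv4-mapped "::ffff:" prefix and the port are stripped so the peer
# compares against a bare IP.
sshd_pids_for_ip() {
  printf '%s\n' "$2" |
    awk -v ip="$1" '
      index($NF, "/sshd") > 0 {
        peer = $5
        sub(/^::ffff:/, "", peer)
        sub(/:[0-9]+$/, "", peer)
        if (peer == ip) { split($NF, p, "/"); print p[1] }
      }' | sort -u
}

# sshd_pids_for_user USER WHO_OUTPUT NETSTAT_OUTPUT
# Prints the sshd PIDs that belong to USER. Refuses (exit 2) when another
# user is logged in from one of the same source IPs, because the IP join
# cannot tell those sshd processes apart and a blind kill could hit the
# wrong administrator.
sshd_pids_for_user() {
  local user="$1" who_out="$2" ns_out="$3" ip others
  for ip in $(source_ips_for_user "$user" "$who_out"); do
    others=$(printf '%s\n' "$who_out" |
      awk -v u="$user" -v ip="($ip)" '$NF == ip && $1 != u { print $1 }')
    if [ -n "$others" ]; then
      echo "refusing: $ip is shared with other login(s): $others" >&2
      return 2
    fi
    sshd_pids_for_ip "$ip" "$ns_out"
  done
}

# kill_commands_for_user USER WHO_OUTPUT NETSTAT_OUTPUT
# Prints the kill commands rather than running them, so they can be
# reviewed before being piped to sh.
kill_commands_for_user() {
  sshd_pids_for_user "$@" | awk '{ print "kill -9 " $1 }'
}

# On the box itself (dry run first, then execute):
#   kill_commands_for_user admin "$(who)" "$(netstat -tnp 2>/dev/null)"
#   kill_commands_for_user admin "$(who)" "$(netstat -tnp 2>/dev/null)" | sh
```

The refusal on a shared source IP is deliberate: two administrators behind the same NAT address both appear in `who` with that IP, and the netstat join alone cannot say which sshd process is whose, so the script stops rather than guess.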

epaalx
Cirrus

Hi Dario,

thank you for taking the time and effort to provide a complete answer. I erred by excluding a critical proviso in my question - I should have written "How to force graceful administrator logout?"

My issue is when a fellow administrator is adamant that he logged out, yet I don't see an "end=" message in SYSLOG or /var/log/audit.

Every enterprise-grade device has a means to force a (graceful) administrator logout - for instance, in FortiOS, "execute disconnect-admin-session". Is it unreasonable to expect the same in BIG-IP?

R's, Alex

PS. "Usernames connected through SSH can be checked by 'who'." - I believe F5-sanctioned method is "w" command.

Hello Alex.

I know what you mean, but this feature doesn't exist in F5.

Take into account that using an F5 is like using Linux. In the case of FortiOS you have a closed environment that allows you to get this type of feature.

Anyway, restricting the httpd source IP is not less aggressive than using "execute disconnect-admin-session".

PS. both commands exist in F5 ('who' and 'w'), use whatever you prefer.

Regards,

Dario.

epaalx
Cirrus

Directory "/var/run/pamcache/" contains files pertaining to current administrative TMUI (GUI) logins. It's sufficient to delete the file to force logout.

I've submitted a feature request for a TMSH command covering both TMSH and SSH logins.