13-Jul-2020 19:26
Hi Experts,
What's the sanctioned method to force an administrator logout or end that administrative session - preferably via TMSH/CLI? This is for administrators who log in via GUI (httpd) or shell (sshd). [I'm running v12.]
R's, Alex
15-Jul-2020 11:15
Hello Alex.
There is no straightforward way to do that.
First of all, you can find out which IPs are connected to the device by checking socket connections to the sshd and httpd daemons.
# netstat -tnp | grep -e httpd -e sshd
tcp 0 0 192.168.102.41:22 192.168.102.42:55842 ESTABLISHED 18486/sshd
tcp 0 0 192.168.102.41:22 10.90.81.144:61965 ESTABLISHED 16290/sshd
tcp 0 0 ::ffff:192.168.102.41:443 ::ffff:10.90.81.144:53589 ESTABLISHED 9097/httpd
Usernames connected through SSH can be checked by 'who'.
# who
root pts/0 2020-07-15 19:46 (10.90.81.144)
admin pts/1 2020-07-15 19:38 (192.168.102.42)
Usernames connected to both systems (SSH/HTTP) can also be checked by IP using the audit logs.
# cat /var/log/audit | grep 10.90.81.144
Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16387]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:08:49 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".
After this introduction, let's move on to your question.
One way to prevent users from interacting with a specific device is to restrict access to one source IP (or range) for both daemons (sshd/httpd).
tmsh modify sys httpd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh modify sys sshd allow replace-all-with { 192.168.102.0/255.255.255.0 }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config
After that, those users trying to access the GUI will get a message indicating that access is forbidden.
In the case of SSH users, you have to force their sessions to disconnect manually. To do so, you can kill their connections.
who
netstat -tnp | grep sshd
kill -9 <PID>
You can reestablish normal access using these commands.
tmsh modify sys httpd allow replace-all-with { All }
tmsh modify sys sshd allow replace-all-with { All }
tmsh list sys httpd allow
tmsh list sys sshd allow
tmsh save sys config
Regards,
Dario.
15-Jul-2020 18:21
Hi Dario,
Thank you for taking the time and effort to provide a complete answer. I erred by excluding a critical proviso in my question - I should have written "How to force graceful administrator logout?"
My issue is when a fellow administrator is adamant that he logged out, yet I don't see an "end=" message in syslog or /var/log/audit.
Every enterprise-grade device has a means to force a (graceful) administrator logout - for instance, in FortiOS, "execute disconnect-admin-session". Is it unreasonable to expect the same in BIG-IP?
R's, Alex
PS. "Usernames connected through SSH can be checked by 'who'." - I believe the F5-sanctioned method is the "w" command.
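To go with Dario's audit-log method above and Alex's point about sessions with no "end=" record, here is an added Python example (not from this thread, and not F5's own tooling) that parses the 01070417 AUDIT lines in the format Dario posted and reports sessions that logged a start= without a later end= for the same daemon and PID. The sample lines are the ones from Dario's post plus a constructed closing record; the assumption that a logout is logged as a later AUDIT line with end= under the same PID is mine.

```python
import re
from typing import Dict, List, Tuple

# Matches the BIG-IP 01070417 AUDIT records shown in the thread, for both
# "httpd[PID]" and "sshd(pam_audit)[PID]"; the end= field is optional.
AUDIT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ '
    r'(?P<daemon>httpd|sshd)(?:\([^)]*\))?\[(?P<pid>\d+)\]: 01070417:\d+: AUDIT - '
    r'user (?P<user>.+?) - RAW: .*?host=(?P<host>\S+) .*?'
    r'start="(?P<start>[^"]+)"(?: end="(?P<end>[^"]+)")?'
)

# Constructed sample: four lines from the thread, an assumed closing record
# for PID 16384, and one unrelated log line that must be ignored.
SAMPLE_AUDIT = """\
Jul 15 19:07:32 kang notice httpd[9098]: 01070417:5: AUDIT - user Administrador - RAW: httpd(mod_auth_pam): user=Administrador(Administrador) partition=[All] level=Administrator tty=/usr/bin/tmsh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:32 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16293]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020" end="Wed Jul 15 19:07:58 2020".
Jul 15 19:07:58 kang info sshd(pam_audit)[16290]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:07:58 2020".
Jul 15 19:08:49 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020".
Jul 15 19:20:01 kang info sshd(pam_audit)[16384]: 01070417:6: AUDIT - user admin - RAW: sshd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=ssh host=10.90.81.144 attempts=1 start="Wed Jul 15 19:08:49 2020" end="Wed Jul 15 19:20:01 2020".
Jul 15 19:21:00 kang notice mcpd[5000]: 01070638:5: Pool member down (constructed filler line).
""".splitlines()


def parse_audit(lines: List[str]) -> List[dict]:
    """Return one dict per AUDIT record; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            records.append(m.groupdict())   # unmatched end= comes back as None
    return records


def open_sessions(lines: List[str]) -> List[dict]:
    """Sessions that logged start= but no end=, keyed by (daemon, PID).
    Assumption: a logout shows up as a later line for the same daemon/PID with
    end=; a single line carrying both start= and end= is a short-lived PAM check."""
    pending: Dict[Tuple[str, str], dict] = {}
    for rec in parse_audit(lines):
        key = (rec['daemon'], rec['pid'])
        if rec['end'] is None:
            pending.setdefault(key, rec)   # first start= for this PID wins
        else:
            pending.pop(key, None)         # end= seen: session is closed
    return list(pending.values())


if __name__ == '__main__':
    for s in open_sessions(SAMPLE_AUDIT):
        print(f"{s['daemon']}[{s['pid']}] user={s['user']} host={s['host']} "
              f"start={s['start']!r} (no end= recorded)")
```

On a real unit you would feed it `/var/log/audit` (or the rotated copies) and compare the result with `who`/`w` and `netstat -tnp`, since an open record with no matching socket is exactly the "he says he logged out" case.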
15-Jul-2020 18:55
Hello Alex.
I know what you mean, but this feature doesn't exist in F5.
Take into account that using an F5 is like using Linux. In the case of FortiOS you have a closed environment that allows you to get this type of feature.
Anyway, restricting the httpd source IP is no less aggressive than using "execute disconnect-admin-session".
PS. Both commands exist in F5 ('who' and 'w'); use whichever you prefer.
Regards,
Dario.
06-Apr-2021 10:39
The directory "/var/run/pamcache/" contains files pertaining to current administrative TMUI (GUI) logins. Deleting the file is sufficient to force a logout.
I've submitted a feature request for a TMSH command for both TMSH and SSH logins.