Re: Auto Logout Idle Users
On Fri, 15 Oct 2010 16:28:51 +0200 Benny Löfgren <bl-li...@lofgren.biz> wrote:
> On 2010-10-15 00.59, Brad Tilley wrote:
> > On 10/14/2010 06:45 PM, Ben Niccum wrote:
> > > > I thought about doing that too. I need to test it more to see what
> > > > happens when ksh is the shell and the user executes csh manually. I
> > > > suppose ksh will still honor TMOUT in that case.
> > > >
> > > > Brad
> > >
> > > Don't mean to complicate things for you, but just thought I should
> > > mention that if the user does:
> > >
> > >   # exec /bin/csh
> > >
> > > Then csh takes over ksh's active process, and even though the TMOUT
> > > variable is still there, csh doesn't honor it, and ksh is no longer
> > > around to object.
> > >
> > > -Ben
> >
> > Great point. That's precisely the sort of thing I'd like to have thought
> > about. Many of the compliance efforts may look good on paper, but have no
> > impact on actual usage or may be trivially circumvented, as you point out.
> > So while disabling a shell may get a check mark during PCI compliance
> > efforts, that may be all you end up with.
>
> You mentioned not wanting to use anything not in base. How about a simple
> shell script, using nothing but standard utilities, to regularly monitor
> logged-in users and kick idle ones out?
>
> I whipped something together as an example, see below. (Very slightly
> tested, use at your own risk :-) )
>
> As an added bonus you can't as a regular user circumvent its watchful eye
> by exec:ing a different shell or simply by changing the idle timeout value
> in the current login shell.
>
> Regards,
> /Benny
>
> 8<8<8<8<8< (cut)
> #!/bin/ksh
> #
> # idlehup -- hang up idle tty connections
> # ---
> #
> # Written on a whim in 2010-10-15 by Benny Lofgren
> #
> # benny -at- internetlabbet.se / +46 70 718 11 90
> #
> # Use at your own risk :-)
> #
> # Run with nohup (or remove infinite loop at the end
> # and run with cron)
> #
>
> PROG=$0
>
> if [ $# -ne 1 ]
> then
> 	echo ${PROG}: usage: ${PROG} max_idle_time_in_minutes
> 	exit 1
> else
> 	# expr fails (non-zero exit) when the argument is not a number
> 	IDLETIME=`expr $1 + 0 2>/dev/null`
> 	if [ $? != 0 ]
> 	then
> 		echo ${PROG}: ERROR: idle time argument must be numeric
> 		exit 2
> 	fi
> 	if [ ${IDLETIME} -gt 1440 ]
> 	then
> 		echo "${PROG}: ERROR: idle time must be <= 1440 minutes (24 h)"
> 		exit 3
> 	fi
> fi
>
> getidle()
> {
> 	idletime=$1
>
> 	# who -u prints the idle column as ".", "old" or HH:MM
> 	who -u | while read user tty mon day time idle rest
> 	do
> 		# Check each logged-in user for excessive idle times
> 		isidle=false
> 		case ${idle} in
> 		.)	;;			# Active tty, do nothing
> 		old)	isidle=true;;		# Very old, kick them out
> 		??:??)	H=`echo $idle | cut -d: -f1`
> 			M=`echo $idle | cut -d: -f2`
> 			M=`expr $H \* 60 + $M`
> 			if [ $M -gt $idletime ]
> 			then
> 				isidle=true
> 			fi
> 			;;
> 		esac
>
> 		# Find and eliminate session leader and the rest will follow
> 		if [ ${isidle} = true ]
> 		then
> 			ps -t`echo $tty | sed s/^tty//` -opid,stat | while read pid stat
> 			do
> 				case $stat in
> 				*s*)	echo $pid;;	# He's the leader, stone him!
> 				esac
> 			done
> 		fi
> 	done
> }
>
> while true
> do
> 	PIDS=`getidle ${IDLETIME}`
> 	if [ "X${PIDS}" != X ]
> 	then
> 		kill -HUP ${PIDS}
> 	fi
> 	sleep 60
> done
> 8<8<8<8<8< (cut)

As already said in this thread, there is no way to handle everything. For
example, this script does not work when a user connects with ssh without
allocating a pseudo-tty. Still, it does not seem to be a problem for the
PCI DSS ...

-- 
Stephane Sezer
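Added example, not Benny's script or part of the thread: the idle-time arithmetic from idlehup as stand-alone sh functions, run over constructed `who -u` lines so it can be checked offline. It assumes the OpenBSD who -u idle column formats the script relies on ("." for active, "old" for more than 24 hours, otherwise HH:MM).

```shell
#!/bin/sh
# Added example, not Benny's script: the idle-time test from idlehup as
# standalone functions, fed constructed `who -u` lines so it runs offline.
# Assumes the OpenBSD who -u idle column: "." (active), "old" (> 24 h) or HH:MM.

# idle_minutes FIELD -> idle time in minutes. "." is 0; "old" is 1441, one
# past idlehup's 1440-minute cap, so it exceeds any limit the script accepts.
idle_minutes() {
    case $1 in
    .)      echo 0 ;;
    old)    echo 1441 ;;
    ??:??)  h=${1%:*}; m=${1#*:}
            echo $(( ${h#0} * 60 + ${m#0} )) ;;   # "08" would be octal in $(( ))
    *)      echo "idle_minutes: unparseable idle field '$1'" >&2; return 1 ;;
    esac
}

# idle_ttys LIMIT: reads `who -u` output on stdin and prints the tty of every
# session idle for more than LIMIT minutes, one per line. These are the ttys
# idlehup goes on to HUP. A session with no tty (ssh without a pty) never
# shows up in who(1) at all, which is the gap noted in the thread.
idle_ttys() {
    limit=$1
    while read -r user tty mon day time idle rest; do
        [ -n "$tty" ] || continue
        mins=$(idle_minutes "$idle") || continue
        [ "$mins" -gt "$limit" ] && echo "$tty"
    done
    return 0
}

# Constructed sample of `who -u` output (not captured from a real host).
SAMPLE='alice    ttyp0  Oct 15 09:12 .      (10.0.0.5)
bob      ttyp1  Oct 15 08:40 01:35  (10.0.0.6)
carol    ttyC0  Oct 14 22:10 old
dave     ttyp2  Oct 15 10:01 00:07  (10.0.0.7)'

# With a 30-minute limit: bob (95 min) and carol (old) are reported,
# alice (active) and dave (7 min) are left alone.
printf '%s\n' "$SAMPLE" | idle_ttys 30
```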
Re: Multiple VLANs in the same subnet on different Routing Domains
On Thu, 22 Jul 2010 17:15:00 +0100 sslay...@iom.com wrote:
> I've had no luck Googling this issue so thought I'd ask the experts.
>
> Ok we have 4 firewalls providing internet connectivity whose internal
> interfaces are on a single shared subnet, although the IPs are different.
> Outbound traffic from the various hosts on this subnet is distributed
> across the firewalls by setting the firewall internal IPs as the various
> different GW addresses, i.e. hosts A/B/C/D use FW1 as their GW, hosts
> E/F/G/H use FW2 as their gateway etc.
>
> Ok so my problem is this. We have a single monitoring host that needs to
> send outbound traffic (ICMP) via the 4 different firewalls to the _SAME_
> remote address, e.g. send ICMP to www.apple.com via FW1, then send ICMP
> via FW2 to www.apple.com, FW3 etc. The idea is to check the firewalls and
> their upstream connectivity, not the end host per se.
>
> To achieve this I've tried the following:
>
> Create 4 VLAN interfaces all on the same VLAN as the shared subnet using
> alternate IPs but on different routing domains, i.e. VLAN no. 10:
>
>   hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 1
>   hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 2
>   hostname.vlan103 - inet 10.11.12.3 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 3
>   hostname.vlan104 - inet 10.11.12.4 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 4
>
> I then add default gateways to each routing domain, i.e.
>
>   route -T 1 default 10.11.12.50
>   route -T 2 default 10.11.12.51
>   route -T 3 default 10.11.12.52
>   route -T 4 default 10.11.12.53
>
> To achieve the monitor we then do the following and capture the output:
>
>   ping -V 1 www.apple.com
>   ping -V 2 www.apple.com
>   ping -V 3 www.apple.com
>   ping -V 4 www.apple.com
>
> If I create the 1st VLAN/rdomain everything works perfectly, however as
> soon as I add the 2nd vlan interface traffic on both vlans stops.
> Destroying the 2nd vlan instance restores traffic.
>
> The host is running OpenBSD i386 Generic 4.7 (release).
>
> Sorry no DMESG as yet but I can get this and anything else if need be
> tomorrow.
>
> Is what I'm trying to do possible? Any help is much appreciated.

Why not just get rid of all this VLAN system and just manually set the
default route of the testing host to GW[1234] alternatively during testing?
It looks like a much simpler way of doing things.

Regards,

-- 
Stephane Sezer
Re: pf and !
On Thu, 10 Jun 2010 14:08:04 -0400 Peter Fraser <p...@thinkage.ca> wrote:
> Hi,
>
> I (and I realize I was wrong) always considered that
>
>   pass quick from { addr1, addr2 }
>
> could be written as
>
>   pass quick from addr1
>   pass quick from addr2

This is true.

> But if ! is used this obviously should not be true:
>
>   pass quick from { !addr1, !addr2 }
>
> cannot be the same as (at least I hope, since I haven't built the system
> to test it)
>
>   pass quick from !addr1
>   pass quick from !addr2

pass quick from { !addr1, !addr2 } is the same as

  pass quick from !addr1
  pass quick from !addr2

but it is probably not what you are looking for.

When a packet comes from addr1, the first rule will not match and the second
rule will let the packet pass. And when a packet comes from addr2, the first
rule will match and also let the packet in without looking at the second
rule. So any packet, either coming from addr1, addr2, or anything else, will
pass.

So, pass quick from { !addr1, !addr2 } is more or less equivalent to

  pass quick

This behavior is not true when using tables, because braces are expanded
when the ruleset is parsed and tables are checked during execution (I don't
know if I'm clear here :D).

-- 
Stephane Sezer
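Added example, not from the thread: a small sh model of the evaluation Stephane describes, so the brace form and the table form can be compared on the same packets. The addresses 10.0.0.1 and 10.0.0.2 and the table <t> are constructed; the model covers only "pass quick from SPEC" rules followed by a final "block", plus pf's implicit pass when nothing matches.

```shell
#!/bin/sh
# Added model (not from the original post) of the rule evaluation described
# above: a {} list is expanded into separate quick rules at parse time, while
# a table is consulted when the packet is evaluated. Addresses and table <t>
# are constructed; only "pass quick from SPEC" and a final "block" are modelled.

TABLE_t="10.0.0.1 10.0.0.2"   # constructed contents of table <t>

in_table() {                  # in_table NAME ADDR -> 0 when ADDR is a member
    eval "members=\$TABLE_$1"
    for m in $members; do [ "$m" = "$2" ] && return 0; done
    return 1
}

spec_matches() {              # spec_matches SPEC SRC; SPEC is ADDR, !ADDR or !<NAME>
    case $1 in
    '!<'*'>') n=${1#!<}; n=${n%>}; ! in_table "$n" "$2" ;;
    '!'*)     [ "${1#!}" != "$2" ] ;;
    *)        [ "$1" = "$2" ] ;;
    esac
}

# decide SRC RULE... -> pass or block for a packet from SRC. Rules are walked
# in order; each pass rule is quick, so its first match ends evaluation.
decide() {
    src=$1; shift
    for rule in "$@"; do
        case $rule in
        block)    echo block; return ;;
        'pass '*) if spec_matches "${rule#pass }" "$src"; then echo pass; return; fi ;;
        esac
    done
    echo pass                 # no rule matched: pf's implicit default is pass
}

# Brace form as pfctl expands it: two quick rules, then a block for the rest.
via_braces() { decide "$1" "pass !10.0.0.1" "pass !10.0.0.2" "block"; }
# Table form: one rule whose negation is applied per packet against <t>.
via_table()  { decide "$1" "pass !<t>" "block"; }

for src in 10.0.0.1 10.0.0.2 192.0.2.9; do
    echo "$src: braces=$(via_braces "$src") table=$(via_table "$src")"
done
```

The loop shows the point of the reply: both listed addresses pass under the brace form, while the table form blocks them and passes only 192.0.2.9.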