Re: Auto Logout Idle Users

2010-10-15 Thread Stephane Sezer
On Fri, 15 Oct 2010 16:28:51 +0200
Benny Löfgren <bl-li...@lofgren.biz> wrote:

 On 2010-10-15 00.59, Brad Tilley wrote:
  On 10/14/2010 06:45 PM, Ben Niccum wrote:
  I thought about doing that too. I need to test it more to see what
  happens when ksh is the shell and the user executes csh manually.
  I suppose ksh will still honor TMOUT in that case.
  Brad
  Don't mean to complicate things for you, but just thought I should
  mention that if the user does:
  # exec /bin/csh
  Then csh takes over ksh's active process, and even though the TMOUT
  variable is still there, csh doesn't honor it, and ksh is no longer
  around to object.
  -Ben
  Great point. That's precisely the sort of thing I'd like to have
  thought about. Much of the compliance efforts may look good on
  paper, but have no impact on actual usage or may be trivially
  circumvented as you point out. So while disabling a shell may get a
  check mark during PCI compliance efforts, that may be all you end
  up with.

 You mentioned not wanting to use anything not in base.

 How about a simple shell script, using nothing but standard
 utilities, to regularly monitor logged-in users and kick idle ones
 out?

 I whipped something together as an example, see below. (Very slightly
 tested, use at your own risk :-) ) As an added bonus you can't as a
 regular user circumvent its watchful eye by exec'ing a different
 shell or simply by changing the idle timeout value in the current
 login shell.


 Regards,
 /Benny

 8<8<8<8<8< (cut)
 #!/bin/ksh

 #
 #   idlehup  --  hang up idle tty connections
 #   ---
 #
 #   Written on a whim on 2010-10-15 by Benny Lofgren
 #
 #   benny -at- internetlabbet.se / +46 70 718 11 90
 #
 #   Use at your own risk :-)
 #
 #   Run with nohup (or remove infinite loop at the end
 #   and run with cron)
 #

 PROG=$0

 if [ $# -ne 1 ]
 then
     echo "${PROG}: usage: ${PROG} max_idle_time_in_minutes"
     exit 1
 else
     # expr exits non-zero when the argument is not a number
     IDLETIME=`expr "$1" + 0 2>/dev/null`

     if [ $? != 0 ]
     then
         echo "${PROG}: ERROR: idle time argument must be numeric"
         exit 2
     fi

     if [ ${IDLETIME} -gt 1440 ]
     then
         echo "${PROG}: ERROR: idle time must be <= 1440 minutes (24 h)"
         exit 3
     fi
 fi

 getidle()
 {
     idletime=$1

     # who -u prints: user tty mon day time idle pid [host]
     who -u |
     while read user tty mon day time idle rest
     do
         # Check each logged-in user for excessive idle times
         isidle=false
         case ${idle} in
         .)      ;;                      # Active tty, do nothing
         old)    isidle=true;;           # Very old (> 24 h), kick them out
         ??:??)  H=`echo $idle | cut -d: -f1`
                 M=`echo $idle | cut -d: -f2`
                 M=`expr $H \* 60 + $M`
                 if [ $M -gt $idletime ]
                 then
                     isidle=true
                 fi
                 ;;
         esac

         # Find and eliminate session leader and the rest will follow
         if [ ${isidle} = true ]
         then
             ps -t`echo $tty | sed s/^tty//` -opid,stat |
             while read pid stat
             do
                 case $stat in
                 *s*) echo $pid;;        # He's the leader, stone him!
                 esac
             done
         fi
     done
 }

 while true
 do
     PIDS=`getidle ${IDLETIME}`
     # PIDS may span several lines, so keep the test quoted
     if [ "X${PIDS}" != X ]
     then
         kill -HUP ${PIDS}
     fi

     sleep 60
 done
 8<8<8<8<8< (cut)



As already said in this thread, there is no way to handle everything.
For example, this script does not work when a user connects with ssh
without allocating a pseudo-tty.
Still, it does not seem to be a problem for the PCI DSS ...

--
Stephane Sezer
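The parsing at the heart of Benny's script, the `who -u` idle column, is what decides who gets hung up, and the three field shapes ("." / "old" / "HH:MM") are where it can go wrong. The following is an added illustration written for this page, not code from the thread: it converts the idle field to minutes and reports over-limit sessions from a constructed `who -u` sample. It shares the script's blind spot that Stephane points out: a session with no tty never appears in `who -u`.

```shell
#!/bin/sh
# Constructed sample of OpenBSD `who -u` output (user tty mon day time idle pid [host]).
SAMPLE='alice ttyp0 Oct 15 09:12 . 4711 (10.0.0.5)
bob ttyp1 Oct 15 08:03 00:47 4812 (10.0.0.6)
carol ttyp2 Oct 14 22:30 old 3990 (10.0.0.7)
dave ttyp3 Oct 15 09:40 01:05 5120 (10.0.0.8)'

# idle_minutes FIELD: convert the idle column of who -u to whole minutes.
#   "."     -> 0     activity within the last minute
#   "old"   -> 1440  idle for more than a day; who(1) stops counting, so
#                    1440 is a floor chosen here, not the true value
#   "HH:MM" -> H*60+M
# Anything else is rejected with status 1 so a caller can skip the line.
idle_minutes() {
  case $1 in
    .)   echo 0 ;;
    old) echo 1440 ;;
    [0-9][0-9]:[0-9][0-9])
      h=${1%%:*}; m=${1##*:}
      # drop a leading zero so "08" is not parsed as octal by $(( ))
      echo $(( ${h#0} * 60 + ${m#0} )) ;;
    *)   echo "idle_minutes: unrecognised field '$1'" >&2; return 1 ;;
  esac
}

# idle_sessions LIMIT: read who -u lines on stdin and print
# "user tty minutes" for each session idle longer than LIMIT minutes.
# Sessions without a tty (ssh with no pty allocated) never show up in
# who -u, so, like the script above, this cannot see them.
idle_sessions() {
  limit=$1
  while read -r user tty mon day time idle rest; do
    mins=$(idle_minutes "$idle") || continue
    if [ "$mins" -gt "$limit" ]; then
      echo "$user $tty $mins"
    fi
  done
}

# Demo on the constructed sample: sessions idle for more than 30 minutes.
printf '%s\n' "$SAMPLE" | idle_sessions 30
```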



Re: Multiple VLANs in the same subnet on different Routing Domains

2010-07-22 Thread Stephane Sezer
On Thu, 22 Jul 2010 17:15:00 +0100
<sslay...@iom.com> wrote:

 I've had no luck Googling this issue so thought I'd ask the experts.
 
 Ok we have 4 firewalls providing internet connectivity whose internal
 interfaces are on a single shared subnet, although the IPs are
 different. Outbound traffic from the various hosts on this subnet is
 distributed across the firewalls by setting the firewall internal
 IPs as the various different GW addresses. i.e. Hosts A/B/C/D use
 FW1 as their GW, hosts E/F/G/H use FW2 as their gateway etc.
 
 Ok so my problem is this. We have a single monitoring host that needs
 to send outbound traffic (ICMP) via the 4 different Firewalls to the
 _SAME_ remote address. e.g. Send ICMP to www.apple.com via FW1 then
 send ICMP via FW2 to www.apple.com, FW3 etc.
 
 The idea is to check the Firewalls and their upstream connectivity
 not the end host per se.
 
 To achieve this I've tried the following:
 
 Create 4 VLAN interfaces all on the same VLAN as the shared subnet
 using alternate IPs but on different routing domains.
 
 i.e. Vlan no. 10 :
 
 hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 1
 hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 2
 hostname.vlan103 - inet 10.11.12.3 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 3
 hostname.vlan104 - inet 10.11.12.4 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 4
 
 I then add default gateways to each routing domain i.e.
 
 route -T 1 default 10.11.12.50
 route -T 2 default 10.11.12.51
 route -T 3 default 10.11.12.52
 route -T 4 default 10.11.12.53
 
 To achieve the monitor we then do the following and capture the
 output:
 
 ping -V 1 www.apple.com
 ping -V 2 www.apple.com
 ping -V 3 www.apple.com
 ping -V 4 www.apple.com
 
 If I create the 1st VLAN/rdomain everything works perfectly however
 as soon as I add the 2nd vlan interface traffic on both vlans stops.
 Destroying the 2nd vlan instance restores traffic.
 
 The host is running OpenBSD i386 Generic 4.7 (release). Sorry no
 DMESG as yet but I can get this and anything else if need be tomorrow.
 
 Is what I'm trying to do possible? Any help is much appreciated.

Why not just get rid of all this VLAN system and just manually set the
default route of the testing host to GW[1234] alternately during
testing?
It looks like a much simpler way of doing things.

Regards,

-- 
Stephane Sezer
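One way to script the approach Stephane suggests, as an added example that is not from the thread: make each firewall the default route in turn, ping the target, and put the original default back. Assumed: OpenBSD route(8) and ping(8) semantics, that a default route already exists (otherwise use `route add` first), and that the host is a dedicated monitor, since every other flow from it follows the swapped-in gateway while a probe runs. The gateway and target names are placeholders.

```shell
#!/bin/sh
# Gateway address of the current default route, empty if there is none.
current_default() {
  route -n get default 2>/dev/null | awk '/gateway:/ { print $2 }'
}

# probe_gateways TARGET GW...: print "GW up|down|route-failed" per gateway.
# Each gateway becomes the default route only for the duration of its probe.
probe_gateways() {
  target=$1; shift
  orig=$(current_default)
  for gw in "$@"; do
    if ! route -n change default "$gw" >/dev/null 2>&1; then
      echo "$gw route-failed"
      continue
    fi
    # Three echo requests; any reply counts as "up" (ping exits 0).
    if ping -c 3 -q "$target" >/dev/null 2>&1; then
      echo "$gw up"
    else
      echo "$gw down"
    fi
  done
  # Restore the original default route so normal traffic resumes.
  if [ -n "$orig" ]; then
    route -n change default "$orig" >/dev/null 2>&1
  fi
}

# Usage: probe.sh www.apple.com 10.11.12.50 10.11.12.51 10.11.12.52 10.11.12.53
if [ $# -ge 2 ]; then
  probe_gateways "$@"
elif [ $# -eq 1 ]; then
  echo "usage: $0 target gateway..." >&2
  exit 1
fi
```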



Re: pf and !

2010-06-10 Thread Stephane Sezer
On Thu, 10 Jun 2010 14:08:04 -0400
Peter Fraser <p...@thinkage.ca> wrote:

Hi,

 I (and I realize I was wrong) always considered that
 
 pass quick from { addr1, addr2 }
 
 Could be written as
 
 pass quick from addr1
 pass quick from addr2

This is true.

 but if ! is used this obviously should not be true
 
 pass quick from { !addr1,  !addr2 }
 
 cannot be the same as (at least I hope so, since I haven't built the
 system to test it)
 
 pass quick from !addr1
 pass quick from !addr2

pass quick from { !addr1, !addr2 }

is the same as

pass quick from !addr1
pass quick from !addr2

but it is probably not what you are looking for.

When a packet comes from addr1, the first rule will not match and the
second rule will let the packet pass.
And when a packet comes from addr2, the first rule will match and will
also let the packet in without looking at the second rule.
So any packet, whether coming from addr1, addr2, or anything else, will
pass.

So,
pass quick from { !addr1, !addr2 }
is more or less equivalent to
pass quick

This behavior is not true when using tables, because braces are
expanded when the ruleset is parsed and tables are checked during
execution (I don't know if I'm clear here :D).

-- 
Stephane Sezer
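To make the two evaluation orders concrete, here is an added walk-through written for this page (not from the thread, and not pf itself): it replays first-match "quick" evaluation over the two rules that the braces expand to, and over a single table rule, for sources addr1, addr2 and an unrelated address. The addresses are constructed placeholders and a preceding `block all` policy is assumed.

```shell
#!/bin/sh
# Constructed addresses standing in for addr1 and addr2.
ADDR1=192.0.2.10
ADDR2=192.0.2.20
TABLE="$ADDR1 $ADDR2"          # contents of a pf table <bad>

# Rulesets, one rule per line: ACTION NEGATED(0/1) ADDRESS.
# pf expands the braces when the file is loaded, so
#   pass quick from { !addr1, !addr2 }   becomes the two rules below.
LIST_FORM="pass 1 $ADDR1
pass 1 $ADDR2"
# pass quick from !<bad>  stays one rule; the table is consulted per packet.
TABLE_FORM="pass 1 <bad>"

in_table() { for a in $TABLE; do [ "$a" = "$1" ] && return 0; done; return 1; }

# rule_matches NEGATED ADDRESS SRC: does "from [!]ADDRESS" match source SRC?
rule_matches() {
  case $2 in
    '<'*'>') in_table "$3" ;;     # table lookup at evaluation time
    *)       [ "$2" = "$3" ] ;;
  esac
  m=$?
  [ "$1" = 1 ] && m=$((1 - m))   # "!" inverts the result of one rule only
  return $m
}

# first_match RULESET SRC: all rules are "quick", so the first hit decides;
# with no hit the assumed "block all" policy applies.
first_match() {
  hit=$(printf '%s\n' "$1" | while read -r action neg addr; do
    if rule_matches "$neg" "$addr" "$2"; then echo "$action"; break; fi
  done)
  echo "${hit:-block}"
}

for src in $ADDR1 $ADDR2 203.0.113.9; do
  printf '%-12s list form: %-5s  table form: %s\n' "$src" \
    "$(first_match "$LIST_FORM" "$src")" "$(first_match "$TABLE_FORM" "$src")"
done
# On a real system, `pfctl -nvf /etc/pf.conf` parses the file without loading
# it and prints the ruleset after brace expansion, which shows the two rules.
```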