Tuesday, April 8, 2014

Event script - auto log off on-hold telnet sessions

My customer sees that when a user opens a telnet session to a Juniper router but doesn't type a username or password, the open telnet session stays on hold for hours.

When the telnet connection-limit is reached (my customer sets the connection-limit to 10), a new telnet session can't be opened and the login prompt doesn't appear.

Look at the following:

Attempt 1:

user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
router-RE0 (ttyp0)
login:
login:
telnet> z
Suspended



Attempt 10:
user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
router-RE0 (ttyp1)
login:
login:
telnet> z
Suspended



Attempt 11:

user@linux:/export/home/admin> telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.



Is there a way to reduce the time for these on-hold sessions so my customer can authenticate? Under the login class we have an idle-timeout, but this timeout only applies to authenticated sessions.
--

I believe you could use an event script that cleans up the ttys by looking first at the system processes:

[edit]
user@router# run show system processes | match login
 5461  p0  Is+    0:00.00 login [pam] (login)
 7614  p1  Ss+    0:00.00 login               <<<<<<<<<<<< HERE
 7299  p2  Is     0:00.01 login [pam] (login)

Compare that with the system users:


user@router# run show system users  
 3:36PM  up 23:04, 2 users, load averages: 0.01, 0.04, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
user     p0       172.24.67.238                    10:22AM     - -cli (cli)  
user     p2       172.24.67.238                    3:17PM      3 vi logout.slax


then log out the tty (p1) that doesn't have a user:

[edit]
user@router# run request system logout terminal p1


user@router# run show system processes | match login  
 5461  p0  Is+    0:00.00 login [pam] (login)
 7299  p2  Is     0:00.01 login [pam] (login)

--------------------
Here's a working script that will boot off only those logins with no matching user.

user@router# run show system processes | match login
 9256  p0  Is     0:00.01 login [pam] (login)
 9201  p1  Is+    0:00.01 login [pam] (login)
12474  p2  Is+    0:00.00 login               <<<<<< here
12689  p4  Ss+    0:00.00 login               <<<<<< here

[edit]
user@router# run show system users
 3:27PM  up 1 day, 22:55, 2 users, load averages: 0.02, 0.10, 0.07
USER     TTY      FROM                              LOGIN@  IDLE WHAT
user     p0       172.24.67.238                    10:30AM     4 vi logout.slax
user     p1       172.24.67.238                    10:30AM     - -cli (cli)  

[edit]
user@router# run op logout
tty p2 no matching user logging them off
tty p4 no matching user logging them off

[edit]
user@router# run show system users  
 3:28PM  up 1 day, 22:55, 2 users, load averages: 0.26, 0.15, 0.09
USER     TTY      FROM                              LOGIN@  IDLE WHAT
user     p0       172.24.67.238                    10:30AM     4 vi logout.slax
user     p1       172.24.67.238                    10:30AM     - -cli (cli)  

[edit]
user@router# run show system processes | match login  
 9256  p0  Is     0:00.01 login [pam] (login)
 9201  p1  Is+    0:00.01 login [pam] (login)


I ran this as an op script. You can test this as well. Put the file in the /var/db/scripts/op directory.

Then configure the router to point to it.

user@router# show system
scripts {
    op {
        file logout.slax;
    }
}

If this works out, then you can put this in the event-options configuration.


Save the below script as logout.slax
-----------------------------------------------------

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match / {
    <op-script-results> {
        <output method = "text"> {
            /* snapshot of the process table and of the authenticated users */
            var $showpid = <command> "show system processes";
            var $result = jcs:invoke($showpid);
            var $users = <command> "show system users";
            var $user = jcs:invoke($users);

            /* break the process listing into lines */
            var $line = jcs:break-lines($result);
            for-each ($line) {
                var $test = current();
                /* only the login processes are of interest */
                if (contains($test, "login")) {
                    /* tty name of this process, e.g. p0 (allow more than one digit) */
                    var $tty = jcs:regex("p[0-9]+", $test);
                    /* a tty absent from "show system users" has no authenticated session;
                       note this is a substring test against the whole users output */
                    if (not(contains($user, $tty))) {
                        expr "tty " _ $tty _ " no matching user logging them off\n";
                        var $rpc = <command> "request system logout terminal " _ $tty;
                        var $response = jcs:invoke($rpc);
                    }
                }
            }
        }
    }
}


-------------------------------------
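The same decision the script above makes (log off every login process whose tty has no entry in "show system users"), as an added Python example that is not part of the original post or of the SLAX script. It parses constructed sample output modelled on the transcripts in this post, compares the TTY columns of the two listings exactly, and contrasts that with the plain substring test the script uses. The tty p10, the hostname jump-p10.example.net and the inetd row are made up to show where the substring test goes wrong; the function names are this example's own.

```python
import re
from typing import List, Set

# Constructed sample output, modelled on "show system processes | match login"
# and "show system users" in the post. The p10 row, the inetd row and the
# hostname containing "p10" are invented to exercise the edge cases.
PROCESSES_SAMPLE = """\
  PID  TT  STAT      TIME COMMAND
 9256  p0  Is     0:00.01 login [pam] (login)
 9201  p1  Is+    0:00.01 login [pam] (login)
12474  p2  Is+    0:00.00 login
12689  p4  Ss+    0:00.00 login
12700  p10 Ss+    0:00.00 login
 1053  -   Ss     0:00.00 /usr/sbin/inetd
"""

USERS_SAMPLE = """\
 3:27PM  up 1 day, 22:55, 2 users, load averages: 0.02, 0.10, 0.07
USER     TTY      FROM                              LOGIN@  IDLE WHAT
user     p0       172.24.67.238                    10:30AM     4 vi logout.slax
user     p1       jump-p10.example.net             10:30AM     - -cli (cli)
"""

TTY_RE = re.compile(r"^p\d+$")


def login_ttys(processes_output: str) -> List[str]:
    """TTY (column 2) of every row whose command (column 5) is 'login'."""
    ttys = []
    for line in processes_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "login" and TTY_RE.match(fields[1]):
            ttys.append(fields[1])
    return ttys


def authenticated_ttys(users_output: str) -> Set[str]:
    """TTY column of every row below the USER/TTY header of 'show system users'."""
    ttys: Set[str] = set()
    in_table = False
    for line in users_output.splitlines():
        fields = line.split()
        if not in_table:
            in_table = fields[:2] == ["USER", "TTY"]
            continue
        if len(fields) >= 2:
            ttys.add(fields[1])
    return ttys


def orphaned_ttys(processes_output: str, users_output: str) -> List[str]:
    """Login processes whose tty has no authenticated user (exact column match)."""
    users = authenticated_ttys(users_output)
    return [tty for tty in login_ttys(processes_output) if tty not in users]


def orphaned_ttys_substring(processes_output: str, users_output: str,
                            tty_pattern: str = r"p[0-9]") -> List[str]:
    """The same decision made the way the SLAX script makes it: first regex hit
    on the process line, then a substring test against the whole users output."""
    orphans = []
    for line in processes_output.splitlines():
        if "login" not in line:
            continue
        m = re.search(tty_pattern, line)
        if m and m.group(0) not in users_output:
            orphans.append(m.group(0))
    return orphans


def logout_commands(ttys: List[str]) -> List[str]:
    """CLI commands the script would invoke for the orphaned ttys."""
    return [f"request system logout terminal {tty}" for tty in ttys]


if __name__ == "__main__":
    exact = orphaned_ttys(PROCESSES_SAMPLE, USERS_SAMPLE)
    naive = orphaned_ttys_substring(PROCESSES_SAMPLE, USERS_SAMPLE)
    print("exact column match :", exact)
    print("substring match    :", naive)
    for cmd in logout_commands(exact):
        print(cmd)
```

On this input the column comparison reports p2, p4 and p10, while the substring approach reports only p2 and p4: with "p[0-9]" the p10 row is read as p1, and even with "p[0-9]+" the string "p10" is found inside the hostname in the FROM column, so the idle session on p10 is never logged off. Comparing the TTY column of both listings, rather than searching the whole users output, avoids both misses.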



user@router# show event-options
policy TIME-OUT {
    events SYSTEM;
    attributes-match {
        SYSTEM.message matches ".*Number of telnet connections at max limit.*";
    }
    then {
        event-script logout.slax;
    }
}

[edit]
user@router# show system
services {
    telnet {
        connection-limit 10;
    }
}


Jul 22 17:20:39  router inetd[1053]: Number of telnet connections at max limit (10)
Jul 22 17:20:39  router login: LOGIN_INFORMATION: User user logged in from host 172.24.67.238 on device ttyp0
Jul 22 17:20:39  router root: invoke-commands: Executed /tmp/evt_cmd_kQxqou, output to /tmp/evt_op_WP7zmx in text format
Jul 22 17:20:39  router root: transfer-file: Transferred /tmp/evt_op_WP7zmx
Jul 22 17:20:42  router xntpd[1079]: bind() fd 9, family 2, port 123, addr 128.0.0.1, in_classd=0 flags=0 fails: Can't assign requested address
