Get a simple list of all active users connected to Nextcloud

anyone got a tip to get
a list (sorted by username) and the count of the current connections per user

the next step is how to kill a connection as admin for a specific user

inspired by the LTT YouTube incident this might be handy to know.

br NP


As far as I know, this hack was done by stealing cookies. So you will best improve your security with the adjustment of these configuration parameters to stricter values (values here are defaults from config.sample.php):

/**
 * Lifetime of the remember login cookie. This should be larger than the
 * session_lifetime. If it is set to 0 remember me is disabled.
 *
 * Defaults to ``60*60*24*15`` seconds (15 days)
 */
'remember_login_cookie_lifetime' => 60*60*24*15,

/**
 * The lifetime of a session after inactivity.
 *
 * The maximum possible time is limited by the session.gc_maxlifetime php.ini setting
 * which would overwrite this option if it is less than the value in the config.php
 *
 * Defaults to ``60*60*24`` seconds (24 hours)
 */
'session_lifetime' => 60 * 60 * 24,

/**
 * `true` enables a relaxed session timeout, where the session timeout would no longer be
 * handled by Nextcloud but by either the PHP garbage collection or the expiration of
 * potential other session backends like redis.
 *
 * This may lead to sessions being available for longer than what session_lifetime uses but
 * comes with performance benefits as sessions are no longer a locking operation for concurrent
 * requests.
 */
'session_relaxed_expiry' => false,

/**
 * Enable or disable session keep-alive when a user is logged in to the Web UI.
 * Enabling this sends a "heartbeat" to the server to keep it from timing out.
 *
 * Defaults to ``true``
 */
'session_keepalive' => true,

/**
 * Enable or disable the automatic logout after session_lifetime, even if session
 * keepalive is enabled. This will make sure that an inactive browser will be logged out
 * even if requests to the server might extend the session lifetime.
 *
 * Defaults to ``false``
 */
'auto_logout' => false,

/**
 * Enforce token authentication for clients, which blocks requests using the user
 * password for enhanced security. Users need to generate tokens in personal settings
 * which can be used as passwords on their clients.
 *
 * Defaults to ``false``
 */
'token_auth_enforced' => false,

/**
 * The interval at which token activity should be updated.
 * Increasing this value means that the last activity on the security page gets
 * more outdated.
 *
 * Tokens are still checked every 5 minutes for validity
 * max value: 300
 *
 * Defaults to ``300``
 */
'token_auth_activity_update' => 60,

But you and your users will have to log in more often (with password and second factor) when cookie and session lifetime are shortened, auto_logout is set to true, etc.
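As an added example (not code from this thread, and not part of Nextcloud): a small Python check that applies the rules the config comments above state to a set of these values, so an admin can confirm that a config.php edit actually tightens things before users are forced through extra logins. It assumes the numbers are copied out of config.php by hand into a dict keyed by the PHP option names; DEFAULTS holds exactly the values quoted above, and TIGHTENED is a constructed illustration, not a recommendation of particular numbers for any deployment.

```python
# Added example, not code from the thread or from Nextcloud. It checks the
# session options quoted above against the relationships their own
# config.sample.php comments state: remember-me cookie lifetime larger than
# session_lifetime (or 0), keepalive without auto_logout, relaxed expiry,
# clients still allowed to use the account password, and the documented
# maximum of 300 for token_auth_activity_update.

DEFAULTS = {
    "remember_login_cookie_lifetime": 60 * 60 * 24 * 15,
    "session_lifetime": 60 * 60 * 24,
    "session_relaxed_expiry": False,
    "session_keepalive": True,
    "auto_logout": False,
    "token_auth_enforced": False,
    "token_auth_activity_update": 60,
}

# Constructed stricter variant (illustration only): 8h idle sessions,
# "remember me" disabled, forced logout even with keepalive, app tokens
# required for clients.
TIGHTENED = {
    **DEFAULTS,
    "remember_login_cookie_lifetime": 0,
    "session_lifetime": 60 * 60 * 8,
    "auto_logout": True,
    "token_auth_enforced": True,
}


def audit_session_config(cfg):
    """Return a list of findings for the session options; [] means nothing flagged.

    Keys missing from cfg fall back to the config.sample.php defaults, which
    is what Nextcloud itself does for an option absent from config.php.
    """
    def get(key):
        return cfg.get(key, DEFAULTS[key])

    findings = []
    cookie, session = get("remember_login_cookie_lifetime"), get("session_lifetime")
    if cookie != 0 and cookie <= session:
        findings.append("remember_login_cookie_lifetime should be larger than "
                        "session_lifetime, or 0 to disable remember-me")
    if get("session_keepalive") and not get("auto_logout"):
        findings.append("session_keepalive on and auto_logout off: an open tab keeps "
                        "an idle session alive past session_lifetime")
    if get("session_relaxed_expiry"):
        findings.append("session_relaxed_expiry on: expiry is left to PHP GC or the "
                        "session backend, so sessions can outlive session_lifetime")
    if not get("token_auth_enforced"):
        findings.append("token_auth_enforced off: clients can still authenticate with "
                        "the account password instead of an app token")
    if get("token_auth_activity_update") > 300:
        findings.append("token_auth_activity_update exceeds the documented maximum of 300")
    return findings


if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS), ("tightened", TIGHTENED)):
        found = audit_session_config(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run it as-is to see the defaults flagged twice (keepalive without auto_logout, clients allowed to use the account password) and the constructed variant come back clean; feed it your own values to check an edit before rolling it out.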

yeah, already in use,

but still no clue how to kick all users off the cloud / kill their sessions and force them to re-auth again

therefore the list (a fun addition to the list would be the geo IP location of the user session … big smile)

Do you know Geo Blocker?

yes, it is in use!

but what is needed is

a list (sorted by username) and the count of the current connections per user and the geo location (via IP)

br

GoAccess

What is your goal? Performance, security, compliance?

A)
A list of all users with active connections and the origin of their connection based on geoIP (as bonus info)

B)
Then a button to kill all sessions to force the user to re-auth with his credentials (2FA)
Might be handy to choose which session (web UI, session on mobile devices via token, and )

NOT talking about auto logout

As admin
To force em all with one click to re-auth
Not caring whether an active call in Talk or active work in Office gets lost

This question pops up as a follow-up
Talking about the Linus Media Group YouTube incident and how to prevent it, but most importantly, if it happens (stolen session token, as far as we know today), to kick em out and not let em in (without credentials and the 2nd-factor auth; if that got compromised we are in a whole other ball game)

BrNP

Are there too many connections? 2FA is fine and OK for 99.99% of users for security reasons. What is your goal? Not the mechanism to reach it. Or do you have tech problems? Explain.

Goal

As admin not as user

A)
See all users and how many connections per user are active, differentiated by connection with credentials and 2FA and connection via token, and for each connection the origin of the connection according to geoIP

B)
Get the possibility to kill all connections (from a single user or all) and force them to re-auth with their credentials including their 2FA

That’s it.
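One way to produce the list from A) and the kill switch from B) today, as an added example that is not from this thread and not Nextcloud's own code: a Python script working on a copy of the table in which Nextcloud keeps browser sessions and app passwords (oc_authtoken). The column names uid, name, type and last_activity and the type codes 0 = browser session, 1 = app/device token, 2 = wipe pending are assumptions taken from Nextcloud's token model; the rows are constructed sample data loaded into an in-memory SQLite database so the script runs offline. On a real instance the table prefix may differ from "oc_", and where your release already ships `occ user:auth-tokens:list` and `occ user:auth-tokens:delete` those should be preferred to touching the database directly. A geoIP column is not part of this, because the token table does not carry the client address.

```python
# Added example, not code from the thread or from Nextcloud itself. Answers
# request A (per-user count of live connections, split by login type, sorted
# by username) and request B (revoke tokens for one user or everyone so they
# must log in again with password + 2FA) against an oc_authtoken-shaped table.
# Assumptions: column names and type codes below follow Nextcloud's token
# model; all rows are constructed sample data.
import sqlite3

BROWSER_SESSION, APP_TOKEN, WIPE_PENDING = 0, 1, 2
TYPE_LABEL = {
    BROWSER_SESSION: "browser (password+2FA)",
    APP_TOKEN: "app token",
    WIPE_PENDING: "wipe pending",
}
SESSION_LIFETIME = 60 * 60 * 24  # config.php default quoted earlier in the thread
NOW = 1_700_000_000              # fixed "current time" so the sample is reproducible

# Constructed sample rows: (uid, token name, type, last_activity)
SAMPLE_TOKENS = [
    ("alice", "Firefox on Linux", BROWSER_SESSION, NOW - 60),
    ("alice", "Nextcloud desktop client", APP_TOKEN, NOW - 300),
    ("bob", "Chrome on Windows", BROWSER_SESSION, NOW - 2 * SESSION_LIFETIME),  # stale
    ("bob", "Nextcloud Android", APP_TOKEN, NOW - 30),
    ("carol", "Safari on macOS", BROWSER_SESSION, NOW - 10),
]


def build_sample_db(rows=SAMPLE_TOKENS):
    """Create an in-memory table shaped like oc_authtoken and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE oc_authtoken ("
        " id INTEGER PRIMARY KEY, uid TEXT NOT NULL, login_name TEXT NOT NULL,"
        " name TEXT NOT NULL, type INTEGER NOT NULL, last_activity INTEGER NOT NULL)"
    )
    con.executemany(
        "INSERT INTO oc_authtoken (uid, login_name, name, type, last_activity)"
        " VALUES (?, ?, ?, ?, ?)",
        [(uid, uid, name, ttype, seen) for uid, name, ttype, seen in rows],
    )
    con.commit()
    return con


def active_connections(con, now=NOW, lifetime=SESSION_LIFETIME):
    """Request A: {uid: {type: count}} for tokens seen within `lifetime`, sorted by uid.

    A browser session idle for longer than session_lifetime is already expired
    by Nextcloud, so it is left out instead of being reported as a live login.
    """
    cur = con.execute(
        "SELECT uid, type, COUNT(*) FROM oc_authtoken"
        " WHERE last_activity >= ? GROUP BY uid, type ORDER BY uid, type",
        (now - lifetime,),
    )
    report = {}
    for uid, ttype, count in cur:
        report.setdefault(uid, {})[ttype] = count
    return report


def format_report(report):
    """Render the per-user counts as one line per user."""
    lines = []
    for uid, by_type in report.items():
        parts = [f"{TYPE_LABEL[t]}: {n}" for t, n in sorted(by_type.items())]
        lines.append(f"{uid:10s} " + ", ".join(parts))
    return lines


def revoke_tokens(con, uid=None, types=None):
    """Request B: delete tokens so their owners must log in again (password + 2FA).

    uid=None targets every user; types=None targets every token type, while e.g.
    (BROWSER_SESSION,) kills only web sessions and keeps app passwords. Per the
    config comment quoted in the thread, tokens are re-checked every 5 minutes,
    so a deleted browser session stops working within at most that interval.
    Returns the number of tokens removed.
    """
    sql, params = "DELETE FROM oc_authtoken WHERE 1=1", []
    if uid is not None:
        sql += " AND uid = ?"
        params.append(uid)
    if types:
        sql += " AND type IN (%s)" % ",".join("?" * len(types))
        params.extend(types)
    cur = con.execute(sql, params)
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("\n".join(format_report(active_connections(db))))
    print("revoked for bob:", revoke_tokens(db, "bob"))
    print("revoked browser sessions for everyone:", revoke_tokens(db, types=(BROWSER_SESSION,)))
```

Against the sample data the report lists alice (one browser session, one app token), bob (only the app token; the day-old browser session is expired) and carol; revoking bob then all browser sessions leaves only alice's desktop-client token. To point this at a real database, replace build_sample_db with a connection to the Nextcloud DB and mind the table prefix.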

sorry missed that part:

Not the mechanism to reach it.

prevent the scenario LTT (Linus Tech Tips YouTube channel) got into
(stolen session token)

and give admin a simple way to kick all users out of the system and to force em to log in with their credentials

and not via auto logout, see the posts above.

improve the response time and minimize damage

br np

Maybe you can use time-based logoff; read this

@ChristophWurst
Is it possible for an admin to log off all sessions of one user? Command line, not a wipe of one device.

log off / not disable