The Proplem
I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tryied to SSH into the system with the credentals, it would just hang. The system logs showed "login successful". When I rebooted the system was able to login normally again, but the problem would come back eventually.
The Cause
When the Nessus scanner connects to a system, it's scanning, it makes several connections to the host. Each connection starts a TMUX session. The problem is the TMUX sessions where not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 TMUX sessions running.
The Fix
Add "set -g destroy-unattached on" to the /etc/tmux.conf file.
This will append this line "set -g destroy-unattached on" into the /etc/tmux.conf configuration file. This will auto close sessions not being actively used.
Anther Fix
Set system wide rules for TMUX on the effected systems so only the account used by the Nessus scanner will have use of the TMUX terminal multiplexer. /etc/profile.d/custom.sh[ "$USER" != "scanuser" ] then if [ "$PS1" ] then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) exec tmux esac fi fi
Defs
TMUX is an open-source terminal multiplexer for Unix type systems. Multiple terminal sessions can be accessed simultaneously by splitting the terminal into different screens. Can also detach remote sessions and reattach later, simular to what the screen application can do.Tenable Plugin a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an info plugin, it displays info from other plugins. This plugin is triggered (displayed) whenever a login failure occurs.
Other useful links
Tmux Cheat Sheet & Quick Referencehttps://tmuxcheatsheet.com/
A beginner's guide to tmux
https://www.redhat.com/sysadmin/introduction-tmux-linux
No comments:
Post a Comment