Disconnecting logged in users and hackers

paulboy

Chief Evangelist
I'm a Unix newbie. What commands can I issue to disconnect users who are logged on my computer?

Thanks!
 
Hi,

First try the command "who".
Output should display all logged in users in this way:

[localhost:~] straylight% who
straylight console Jul 11 08:22
foo ttyp4 Jul 11 08:34 (localhost)

etc...

Then get the process IDs of the user to be disconnected:

ps auxw |grep foo

Look for his/her shell process and kill it ;-)

That should do the trick.

cu:Stray
 
A simple way to find users running a shell (simple in that it's just one command) is to type
Code:
ps -aux | awk '/tcsh && ! awk/ { print $1, $2 }'
It will display a small table showing user names followed by the process IDs of the copies of tcsh they're running. Just type 'kill pid', where pid is the listed process number, and it should dump them.

If they keep reconnecting, and you don't want them to, type
Code:
sudo chpass -s /dev/null username
as root, which will change their shell to /dev/null. They will still be able to log in, but they won't be able to do a darned thing.
 
I tried the ps -aux | awk '/tcsh && ! awk/ { print $1, $2 }' command and the PID comes up. But when I type kill 365 it says no such process. This PID always changes too. Any easy ways?

 
Oops; that command should look like this:
Code:
ps -aux | awk '/tcsh/ && ! /awk/ { print $1, $2 }'
The bugged version was just printing the process id of the awk command itself, which isn't terribly useful. Awk is cool, but sometimes those little unexplainable problems make me want to pull my hair out (and that would take quite a while with me :D ).
 
Doesn't seem to work. I did, however, get the PID using the top command to get the ssh PID and typed kill PID. It killed the terminal on my Win2000 machine I was using to log onto my Mac. I typed who on my Mac but it said it was still logged in. Any ideas? I just want to boot him off. I wish I could type in disconnect user or something.
 
Originally posted by paulboy
Doesn't seem to work. I did, however, get the PID using the top command to get the ssh PID and typed kill PID. It killed the terminal on my Win2000 machine I was using to log onto my Mac. I typed who on my Mac but it said it was still logged in. Any ideas? I just want to boot him off. I wish I could type in disconnect user or something.

Heh, disconnect which instance of the user? Please, remember that every session attached to a controlling terminal is an instance of a user (e.g. if I have three terminals open, I am logged in three times). So, which one of me do you want to disconnect? All of me?

It is doable, by killing the process group, or revoking the controlling terminal; both approaches require knowledge of the pty.

BTW, who entries are not real-time; they depend on login or the terminal to update the entries. Therefore, killing the terminal will result in the utmp (i.e. who) entry not being updated, with the user apparently still logged in.
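
Added example (not part of any post in this thread): a dry-run sketch of the per-session approach described in the last reply, mapping each of a user's `who` entries to its terminal and then to the processes attached to that terminal. The function names and sample data are constructed for illustration, and the `ps` column layout assumes the BSD form `ps -ax -o pid,tty,user,command`.

```shell
#!/bin/sh
# Constructed sample data (not real output): `who`, and
# `ps -ax -o pid,tty,user,command` in BSD column layout.
SAMPLE_WHO='straylight console  Jul 11 08:22
foo        ttyp4    Jul 11 08:34 (localhost)
foo        ttyp6    Jul 11 09:02 (192.0.2.10)'
SAMPLE_PS='  PID TTY      USER       COMMAND
  301 console  straylight -tcsh
  365 ttyp4    foo        -tcsh
  412 ttyp4    foo        vi notes.txt
  498 ttyp6    foo        -tcsh
  377 ??       root       sshd: foo@ttyp6'

# Print the terminal of every login session belonging to user $1.
# $2 is who-style text; when empty, the live `who` output is used.
ttys_for_user() {
    printf '%s\n' "${2:-$(who)}" | awk -v u="$1" '$1 == u { print $2 }'
}

# Print the PIDs of every process whose controlling terminal is $1.
# Matching on the TTY field (not the whole line) keeps the sshd row,
# whose command text merely mentions ttyp6, out of the result.
pids_on_tty() {
    printf '%s\n' "${2:-$(ps -ax -o pid,tty,user,command)}" |
        awk -v t="$1" 'NR > 1 && $2 == t { print $1 }'
}

# Dry run: print one "kill -HUP" line per session instead of running it,
# so the administrator can pick which instance of the user to drop.
hangup_plan() {
    user=$1 who_txt=$2 ps_txt=$3
    for tty in $(ttys_for_user "$user" "$who_txt"); do
        pids=$(pids_on_tty "$tty" "$ps_txt" | tr '\n' ' ')
        if [ -n "$pids" ]; then
            echo "kill -HUP ${pids% }  # $tty"
        fi
    done
}

hangup_plan foo "$SAMPLE_WHO" "$SAMPLE_PS"
```

Calling `hangup_plan username` with no sample text reads the live `who` and `ps` output instead; the printed lines are only suggestions until they are run as root.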
 