Category: Firewall

Disconnect SSH session on a Cisco ASA


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton
3   204.16.58.6     2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin


Notice the SID 2 and 3. Session ID 3 belongs to the one logged in as admin. Let’s drop the hammer.


asa# ssh disconnect 3

Verify.


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton

asa# show logging
Oct 03 2014 11:22:00: %ASA-5-111008: User 'enable_15' executed the 'ssh disconnect 3' command.
Oct 03 2014 11:22:00: %ASA-5-111010: User 'enable_15',running 'CLI' from IP 199.48.158.6, executed 'ssh disconnect 3'
Oct 03 2014 11:22:00: %ASA-5-611103: User logged out: Uname: admin

Yeah, fuck that guy. If that wasn’t anyone you know, time to change your passwords.