For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fmartos_30060's avatar
fmartos_30060
Icon for Nimbostratus rankNimbostratus
Mar 09, 2010

Adming login page customization

Hi,

 

 

Anyone knows how to delete Firepass information:

 

 

Consola de administración de FirePass 4300

 

Versión - FirePass 6.1.0

 

Fri, 9 Oct 2009 20:22 PST

 

URM-6.10-20091009

 

 

from admin login page?
BIG-IP Access Policy Manager (APM)
remote access
security

5 Replies

  • fmartos_30060's avatar
    fmartos_30060
    Icon for Nimbostratus rankNimbostratus
    Mar 09, 2010
    No... not at all, of course.

     

     

    What I'm trying to do is not showing information about Firepass version in the admin login page... I think it's easy to understand, but is not documented anywhere... so, I'm just asking if anyone knows how to "delete" that information from the login page...

     

     

    In the included image is the red marked area
  • Don_Ryles_52501's avatar
    Don_Ryles_52501
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2010
    I can't see any way to remove that information from the standard admin access. I guess that you don't want a person who is not authenticated to see what the device is and the version of code being run.

     

     

    What you could perhaps do is to setup another IP address and define an new web service in Device Management | Configuration | Network Configuration | Web Services and tick "SSL only" and "admin logon" to that web service. Doing that would present the standard logon screen or you could define your own logon screen as a "Virtual host based customisation" used when connecting to that new IP address. Then configure the real management interface on a private management network where that access is more tightly controlled. Could that work?

     

     

    Regards,

     

    Kevin
  • fmartos_30060's avatar
    fmartos_30060
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2010
    Thanks for you answer. You're correct... I don't want any internet user to get that information about the controller.

     

     

    I've being playing with your method, but I found a "problem". I added the second IP, with Admin, and SSL options. I just uploaded a test index.htm using Webdav to the controller, and if I try https://thenewip then the new index.htm is showed, but if I try https://thenewip/admin then, again, full admin login page is showed...

     

     

    If I disable admin access and enable user access, https://thenewip automatically redirects to https://thenewip/admin ... :?

     

     

    Any new idea?
  • Don_Ryles_52501's avatar
    Don_Ryles_52501
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2010
    Yes, you're right if I use http://myurl/admin then it does go to the standard admin login screen. Hmm...!

     

     

    The URL that I use here is enabled for both user and admin access and so if I want to login for user functions then when I use my standard user credentials. If I use the inbuilt adminsitrator credentials at that same login screen then it takes me to the admin console view.

     

     

    As you say it does still expose the FirePass infrmation if somebody is creative enough to put the /admin on the end of the URL.

     

     

    How about not allowing any admin access from an externally accessible IP address and rely on having a separate IPSec VPN access to get to the management screen through the private management IP address?

     

     

    Regards,

     

    Kevin