Forum Discussion
NimbostratusBigIP F5 ( LC , LTM) WAS CRASH
Hi all
I'm new F5 , at the moment, my F5 was crash after running 2 days . I can not access the F5 via interface management and led status is yellow flicker
I didn't know why .
Pls help me , find reason and how find it ?
thanks all
- nitass
Employee
i think you had better open a support case and submit qkview. 
hung_105573Hi all
after my F5 crashed , i saw log and saw there are alot of user try ssh access my F5 , and i saw user root access in my F5 and after F5 shutting down half on behalf of root at time 3.50 (you would like see attached file picture)
pls help me , who is attacking to My F5 ?
thanks all
- What_Lies_Bene1
Cirrostratus
If you think you are under attack via SSH you could a) Restrict SSH access to specific IP addresses, b) change the external Self-IP(s) Port Lockdown setting to Allow None, c) change the root user password and d) disable SSH access for the root user 
hoolioHi Hung,
If you suspect that your BIG-IP was compromised, I would do as WLB suggested and prevent any access to HTTPS and SSH from untrusted networks. It's then critical to reinstall the OS on all partitions to ensure the units are no longer suspect. If you have a known good UCS backup from before the attack, you can restore the configuration from there. Else, you could save the current config and load select portions (bigip.conf/bigip_base.conf) after reinstalling the OS and hand checking the config is still valid.
Make sure that after you reinstall, you either upgrade to a current version or manually protect the units per:
SOL13600 - SSH vulnerability CVE-2012-1493
https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html
Aaron- hung_105573
Hi all
As the information i had post ( you would like to see these are file attached) , you would like to tell me , does the my F5 have attack ? and who has login to my F5 by root account and it do exec command HALT to make my F5 hang .
pls help me
thanks all !
- hoolioHi Hung,
Please open a support case on this issue. I expect you'll want to follow the steps I outlined above, but F5 Support can confirm based on your specific logs.
Aaron - hung_105573Posted By hoolio on 10/06/2012 09:00 AM
Hi Hung,
Please open a support case on this issue. I expect you'll want to follow the steps I outlined above, but F5 Support can confirm based on your specific logs.
Aaron
Hi AaronI have irule for traffic outbound go to internet of users:
when LB_SELECTED {
switch [LB::server addr] {
"118.69.221.x" { snat 118.69.222.x }
"118.69.221.y" { snat 118.69.223.y }
"222.255.64.z" { snat 222.255.77.z }
default {
do something
}
}
}the 118.69.221.x , 118.69.221.y , 222.255.64.z are member of defaul gateway pool.
the 118.69.222.x ,118.69.223.y,222.255.77.z are ip public avaible
this is irule apply under virtual server outbound 0.0.0.0/0.0.0.0
would you like to tell me with this irule then work fine ?
pls help me
thanks all
