Forum Discussion

8 Replies

  • It might be simpler/better to fix this at the ssh server/OS level: maybe: https://www.google.com/search?q=ssh+dictionary+attack+prevention
  • Thanks Mohammed, But the F5 configuration we have is one arm configuration and F5 doesn't pass the client IP onto the server and only passes the F5 self-IP.
  • If you want to block certain countries, China for example, you can do something like this:

    when CLIENT_ACCEPTED {
        # Look up the country of the client IP and reject listed countries
        switch [whereis [IP::client_addr] country] {
            "CN" {
                reject
            }
        }
    }


    And you can add more countries to the switch as needed.

  • I agree with Mohammad fully, and think that Cory's rule is a better choice if you want to block the Chinese users.

    But if you still want to throttle users you can try this one (against my recommendation :).

    when CLIENT_ACCEPTED {

        # How long the limit window should be, in seconds
        set lifetime 60
        # The maximum number of connections allowed per client IP within that window
        set connectionlimit 3

        # Add a table entry for the client IP with a lifetime in seconds of $lifetime.
        # table add only creates the entry if it does not exist yet, so the window is
        # fixed from the first connection. Start at 0 so the first incr below counts as 1.
        table add [IP::client_addr] 0 indefinite $lifetime

        if { [table incr [IP::client_addr]] > $connectionlimit } {

            # If the client has surpassed the connection limit we drop the connection.
            # You can change this to reject if you want.
            drop
        }
    }


    It would not distinguish between failed attempts and successful ones, which means that with the example iRule above you would be able to open 3 successful connections in 60 minutes; anything above that would be dropped until the table timeout has been reached. You can exempt e.g. office IPs, but if it's supposed to be accessible by anyone it's hard to keep track of it if the list is big.

    The rule would still allow a number of guesses at passwords per connection, depending on your OS.

    /Patrik
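    To make the fixed-window behaviour of the table-based throttle above concrete, here is an added model (not F5 code, and not from the thread) of `table add` with an `indefinite` idle timeout plus a fixed lifetime, replayed over constructed connection events; the office-IP exemption set is an assumption added to illustrate Patrik's remark about exempting known addresses.

```python
"""Fixed-window connection counter modelled on the `table add`/`table incr` iRule above.
Added example, not F5 code: it mimics a table entry with an `indefinite` idle timeout and
a fixed lifetime, so the window opens at an IP's first connection and does not slide."""

LIFETIME = 60                    # seconds, as `set lifetime 60`
CONNECTION_LIMIT = 3             # as `set connectionlimit 3`
EXEMPT_IPS = {"198.51.100.10"}   # constructed office address; the exemption is an assumption

class SessionTable:
    """Minimal stand-in for the BIG-IP session table: key -> [count, expires_at]."""
    def __init__(self, lifetime):
        self.lifetime, self.entries = lifetime, {}

    def _live(self, key, now):
        entry = self.entries.get(key)
        return entry if entry is not None and entry[1] > now else None

    def add(self, key, value, now):
        # `table add` creates the entry only if the key is absent or expired; an
        # existing entry keeps its original expiry, which is why the window is fixed.
        if self._live(key, now) is None:
            self.entries[key] = [value, now + self.lifetime]

    def incr(self, key, now):
        # `table incr` returns the new value; an expired key starts over at 1.
        if self._live(key, now) is None:
            self.entries[key] = [0, now + self.lifetime]
        self.entries[key][0] += 1
        return self.entries[key][0]

def client_accepted(table, client_ip, now):
    """Decision the iRule makes for one new TCP connection: 'accept' or 'drop'."""
    if client_ip in EXEMPT_IPS:          # exemption for known office IPs (assumed)
        return "accept"
    table.add(client_ip, 0, now)         # start at 0 so the first incr yields 1
    return "drop" if table.incr(client_ip, now) > CONNECTION_LIMIT else "accept"

def replay(events):
    """Run (seconds, ip) connection events through one shared table; return verdicts."""
    table = SessionTable(LIFETIME)
    return [(t, ip, client_accepted(table, ip, t)) for t, ip in events]

# Constructed sample: one source hammering SSH, plus one office connection.
SAMPLE_EVENTS = [(0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
                 (3, "203.0.113.5"),      # 4th in the 60 s window -> drop
                 (59, "203.0.113.5"),     # same window, still counted -> drop
                 (61, "203.0.113.5"),     # window expired at t=60 -> accepted again
                 (62, "198.51.100.10")]   # exempt office IP, never counted
```

    Note that dropped connections are counted too, and that successful logins count the same as failed ones, which is the limitation the post above describes.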

  • While a sliding window would be preferred you can't use CMP with subtables.

    why not?

  • https://devcentral.f5.com/wiki/irules.table.ashx

    Check out the section "To use a subtable or not to use a subtable".

    All of the entries in a given subtable are on the same processor. So if you put all of your entries (or the vast majority of them) into the same subtable, then one CPU will take a disproportionate amount of memory and load. Which you probably don't want.

    Maybe I misunderstood it though?

    /Patrik