Xterminator89
May 28, 2021

LDAPS account interception through Virtual Server - Is it possible?

Dear devcentral,

 

I'm currently faced with an issue where an administrative user is being locked out because multiple attempts are failing.

These attempts and connections are routed through an F5 virtual server, which has Automap enabled, so the requests appear to be coming from the F5 itself.

 

Is it possible, somehow, to intercept the username of this request and the client IP, in order to ascertain where the lockout attempts are coming from?

 

Thanks a lot in advance


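  • If you only need to know when user X tries to log in and get the client IP:

    when HTTP_REQUEST {
        # Collect the request body only for POSTs to the login form
        if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } {
            # Content-Length can be absent (e.g. chunked requests); collect only when it is a positive number
            if { [HTTP::header exists Content-Length] and [HTTP::header Content-Length] > 0 } {
                HTTP::collect [HTTP::header Content-Length]
            }
        }
    }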
    when HTTP_REQUEST_DATA {
        set username "unknown"
        foreach x [split [string tolower [HTTP::payload]] "&"] {
            if { $x starts_with "username=" } {
                set username [lindex [split $x "="] 1]
            }
        }
        log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]"
    }
  • Hi!

    What kind of virtual server is it? Just TCP/UDP or full HTTP proxy?

    I think you can try to drop some iRule in your VS to log stuff:

    To log your SNAT session (so you can look up by IP:Port and datetime from your LDAPS to get the mapping to the original IP):

    when SERVER_CONNECTED {
        # log clientside connection details to /var/log/ltm
        log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        # log serverside connection details to /var/log/ltm
        log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
    }

    If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.

    Regards,

    • Xterminator89

      Bonjour Nicolas, thanks a lot for your reply and details.

      The VS in question has a full "Standard" setup.

      What I'm trying to achieve is, based on the provided username (e.g. "admin"), log via iRule the authentication attempts for this user along with the Client IP where these attempts are coming from. This, in order to act on the workstations which are causing the account lockout.

      Thanks a lot

  • Hi!

    How is the login/password passed to the backend server? Is it a POST request? If yes, what is the name of the username field?

    Edit: could you also provide the form URL (replace sensitive data with dummy values if needed)? It is just to get a template for the iRule.

     

    • Xterminator89

      Hello Nicolas, I am quite sure that the info is passed through the payload. Since this is LDAPS, I fear that such traffic is encrypted.

      • Nicolas_Martin-

        Ok, I got it.

        I was thinking your users were consuming a website via a virtual server, and they get prompted to log on by the website, then the website uses the creds provided by the user to authenticate through LDAPS.

        If your VS is your LDAPS servers, then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with:

        when SERVER_CONNECTED {
            log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]"
        }

        Then retrieve from your LDAPS logs the IP AND port used for the login attempts and look up this IP/port in the ltm logs, which will reveal the original source IP.

        Regards,
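
The lookup step described in the last reply, as an added example that is not part of the original thread: it indexes the SNAT mappings written by the combined `SERVER_CONNECTED` iRule and resolves each failed bind seen by the LDAPS server back to the real client. The syslog prefix, the rule name `log_snat`, all addresses and the failed-bind tuples are constructed sample data, and the function names are hypothetical.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Message written by the combined SERVER_CONNECTED iRule in this thread.
# Assumptions: syslog timestamp (no year) at line start, IPv4, no route domains.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Clientside connection: "
    r"(?P<cip>[\d.]+):(?P<cport>\d+) to [\d.]+:\d+ "
    r"is SNAT to : (?P<sip>[\d.]+):(?P<sport>\d+) to ")

# Constructed sample data: /var/log/ltm lines (SNAT port 40211 is reused) and
# failed binds as (time, source IP, source port) taken from the LDAPS server.
RULE = " bigip1 info tmm[11203]: Rule /Common/log_snat <SERVER_CONNECTED>: "
SAMPLE_LTM = [
    "May 28 10:15:02" + RULE + "Clientside connection: 10.20.30.41:51514 to "
    "192.0.2.10:636 is SNAT to : 10.0.0.5:40211 to 10.0.0.20",
    "May 28 10:15:40" + RULE + "Clientside connection: 10.20.30.77:49822 to "
    "192.0.2.10:636 is SNAT to : 10.0.0.5:40212 to 10.0.0.20",
    "May 28 11:02:17" + RULE + "Clientside connection: 10.20.30.99:50001 to "
    "192.0.2.10:636 is SNAT to : 10.0.0.5:40211 to 10.0.0.20",
]
FAILED_BINDS = [("May 28 10:15:03", "10.0.0.5", 40211),
                ("May 28 11:02:18", "10.0.0.5", 40211)]

def parse_ts(text, year):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def build_index(ltm_lines, year):
    """Map (snat_ip, snat_port) to time-sorted (time, client_ip, client_port)."""
    index = defaultdict(list)
    for line in ltm_lines:
        m = LINE_RE.match(line)
        if m:
            index[(m["sip"], int(m["sport"]))].append(
                (parse_ts(m["ts"], year), m["cip"], int(m["cport"])))
    return {key: sorted(rows) for key, rows in index.items()}

def find_client(index, snat_ip, snat_port, when):
    """Newest mapping at or before `when`; ephemeral SNAT ports are reused."""
    rows = index.get((snat_ip, snat_port), [])
    i = bisect_right([r[0] for r in rows], when) - 1
    return rows[i][1:] if i >= 0 else None

def correlate(ltm_lines, binds, year=2021):
    idx = build_index(ltm_lines, year)
    return [find_client(idx, ip, p, parse_ts(t, year)) for t, ip, p in binds]

if __name__ == "__main__":
    print(correlate(SAMPLE_LTM, FAILED_BINDS))
```

The match is only as good as the clocks: it assumes the BIG-IP and the LDAPS server are time-synchronized, since a reused SNAT port is told apart by timestamp alone.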