Forum Discussion

Altocumulus

May 28, 2021

LDAPS account interception through Virtual Server - Is it possible

Dear devcentral, I'm currently faced with an issue where an administrative user is being locked out because multiple attempts are failing. These attempts and connections, are routed through an...

BIG-IP

LTM

Security

Nicolas_Martin-
May 28, 2021
Ok, I got it.
I was thinking your users where consuming a website via a virtual server and they get prompted to logon by the website then the website use the creds provided by user to Authent through LDAPS.
If your VS is your LDAPS servers then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with :
when SERVER_CONNECTED { log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]" }
Then retrieve from your LDAPS logs the IP AND Port used for login attempts and lookup this IP/Port in the ltm logs which will reveal the origin source IP
Regards,

Nicolas_Martin-

Cirrus

Hi!

What kind of virtual serveur is it ? Just tcp/udp or full HTTP proxy?

I think you can try to drop sume irule in your VS to log stuff :

To log your SNAT session (so you can lookup by IP:Port and datetime from your ldaps to get the mapping to original IP :

when SERVER_CONNECTED {
     log clientside connection details to /var/log/ltm
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
     log serverside connection details to /var/log/ltm
    log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
}

If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.

Regards,

Xterminator89

Altocumulus

May 28, 2021

Bonjour Nicolas, thanks a lot for your reply and details.

The VS in question has a full "Standard" setup.

What I'm trying to achieve is, based on the provided username (e.g. "admin"), log via iRule the authentication attempts for this user along with the Client IP where these attempts are coming from. This, in order to act on the workstations which are causing the account lockout.

Thanks a lot

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

LDAPS account interception through Virtual Server - Is it possible

Recent Discussions

Gy the ft hi go to ki CE ki CE ki hi if co ltd Tel no hi hi co

SF GS see the attached document for your email and

De do please let me know when the ft ye so I

Spiritual Salt Review - Does it Work or a Scam?

Tupi Tea Reviews 2024: Real or Scam? Must Read

Related Content

Create a DevCentral account

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

Change admin account

DNS Interception: Protecting the Client

ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS