LDAPS account interception through Virtual Server - Is it possible
- May 28, 2021
Ok, I got it.
I was thinking your users were consuming a website via a virtual server, where they get prompted to log on by the website, and then the website uses the creds provided by the user to authenticate through LDAPS.
If your VS is your LDAPS servers, then you cannot read the payload, as it is encrypted. What you need to do is log every SNAT with:
when SERVER_CONNECTED {
    # Log the client-side 4-tuple together with the server-side (SNAT) source IP:port,
    # so the IP:port seen in the LDAPS server logs can be mapped back to the real client.
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]"
}
Then retrieve from your LDAPS logs the IP and port used for login attempts and look up this IP/port in the LTM logs, which will reveal the origin source IP.
Regards,
If you only need to know when user X tries to log in and get the client IP:
when HTTP_REQUEST {
    # Only collect the body of POSTs to the login form.
    if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } {
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_REQUEST_DATA {
    # Extract the username field from the form-encoded body and log it with the client IP:port.
    set username "unknown"
    foreach x [split [string tolower [HTTP::payload]] "&"] {
        if { $x starts_with "username=" } {
            set username [lindex [split $x "="] 1]
        }
    }
    log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]"
}
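As an added example (not part of the original post), the correlation step described above done in Python: the SNAT lines emitted by the SERVER_CONNECTED iRule are joined with the LDAPS server's connection log on SNAT IP:port, picking the most recent SNAT record at or before the LDAP accept time because SNAT ports get reused. All log lines are constructed; the OpenLDAP-style ACCEPT format and the year added to syslog timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed LTM log lines in the format the SERVER_CONNECTED iRule emits.
LTM_LOG = """\
May 28 10:00:01 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 10.1.1.5:51234 to 192.168.1.100:636 is SNAT to : 10.2.2.10:40001 to 10.3.3.50
May 28 10:00:05 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 10.1.1.9:60123 to 192.168.1.100:636 is SNAT to : 10.2.2.10:40002 to 10.3.3.50
May 28 10:05:30 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 10.1.1.7:49870 to 192.168.1.100:636 is SNAT to : 10.2.2.10:40001 to 10.3.3.50
"""

# Constructed LDAPS server log (OpenLDAP-style ACCEPT lines; format is an assumption).
LDAP_LOG = """\
May 28 10:00:02 ldap1 slapd[777]: conn=1001 fd=12 ACCEPT from IP=10.2.2.10:40001 (IP=0.0.0.0:636)
May 28 10:05:31 ldap1 slapd[777]: conn=1002 fd=13 ACCEPT from IP=10.2.2.10:40001 (IP=0.0.0.0:636)
May 28 10:06:00 ldap1 slapd[777]: conn=1003 fd=14 ACCEPT from IP=10.2.2.10:40009 (IP=0.0.0.0:636)
"""

LTM_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*Clientside connection: (\S+):(\d+) to "
                    r"\S+:\d+ is SNAT to : (\S+):(\d+) to (\S+)")
LDAP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*conn=(\d+) .*ACCEPT from IP=(\S+):(\d+)")

def _ts(syslog_time, year=2021):
    # Syslog timestamps carry no year; 2021 is assumed from the post date.
    return datetime.strptime(f"{year} {syslog_time}", "%Y %b %d %H:%M:%S")

def parse_snat_log(text):
    """Return (time, snat_ip, snat_port, client_ip) tuples from LTM log lines."""
    records = []
    for line in text.splitlines():
        m = LTM_RE.search(line)
        if m:
            ts, client_ip, _cport, snat_ip, snat_port, _server = m.groups()
            records.append((_ts(ts), snat_ip, int(snat_port), client_ip))
    return records

def resolve_origins(ldap_text, snat_records):
    """Map each LDAP conn id to the client IP behind its SNAT ip:port.
    SNAT ports are reused, so take the latest SNAT record at or before the
    ACCEPT time with the same ip:port; None when no record matches."""
    result = {}
    for line in ldap_text.splitlines():
        m = LDAP_RE.search(line)
        if not m:
            continue
        ts, conn, ip, port = m.groups()
        t = _ts(ts)
        hits = [r for r in snat_records if r[1] == ip and r[2] == int(port) and r[0] <= t]
        result[conn] = max(hits)[3] if hits else None
    return result
```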