Forum Discussion
LDAPS account interception through Virtual Server - Is it possible
- May 28, 2021
Ok, I got it.
I was thinking your users were consuming a website via a virtual server, got prompted to log on by the website, and the website then used the creds provided by the user to authenticate through LDAPS.
If your VS is your LDAPS server then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with:
when SERVER_CONNECTED {
    # Fires once the server-side (SNATed) connection is up; the clientside
    # wrapper reads the original client tuple, the bare commands read the
    # server-side tuple: local = SNAT address/port, remote = pool member.
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
}
Then retrieve from your LDAPS logs the IP AND port used for the login attempts and look up that IP/port in the ltm logs, which will reveal the originating source IP.
Regards,
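The lookup step described above, worked through as an added example (this is not code from the thread, from F5 or from the LDAP server vendor): it parses constructed /var/log/ltm lines in the shape the iRule emits and constructed LDAP server lines in OpenLDAP's syslog style (conn=... ACCEPT / BIND / RESULT), then joins the two on the SNAT IP:port to name the real client behind every bind. The join is bounded in time rather than keyed on IP:port alone, because the BIG-IP recycles SNAT source ports, so the same 10.0.0.5:40123 can belong to different clients an hour apart. All hostnames, addresses, ports, DNs and timestamps are made up; the code assumes IPv4, a single log year, and syslog clocks within a couple of seconds of each other.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/ltm lines in the format the SERVER_CONNECTED iRule above logs.
# Note the third line reuses SNAT port 40123 for a different client later in the day.
LTM_LOG = """\
May 28 10:15:02 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 203.0.113.45:51234 to 198.51.100.10:636 is SNAT to : 10.0.0.5:40123 to 10.0.0.20:636
May 28 10:15:09 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 192.0.2.77:60001 to 198.51.100.10:636 is SNAT to : 10.0.0.5:40124 to 10.0.0.20:636
May 28 11:40:00 bigip1 info tmm[1234]: Rule /Common/snat_log <SERVER_CONNECTED>: Clientside connection: 203.0.113.9:44321 to 198.51.100.10:636 is SNAT to : 10.0.0.5:40123 to 10.0.0.20:636
"""

# Constructed LDAP server lines in OpenLDAP (slapd) syslog style. err=49 is invalidCredentials.
LDAP_LOG = """\
May 28 10:15:02 ldap1 slapd[999]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:40123 (IP=0.0.0.0:636)
May 28 10:15:03 ldap1 slapd[999]: conn=1001 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
May 28 10:15:03 ldap1 slapd[999]: conn=1001 op=0 RESULT tag=97 err=49 text=
May 28 10:15:09 ldap1 slapd[999]: conn=1002 fd=13 ACCEPT from IP=10.0.0.5:40124 (IP=0.0.0.0:636)
May 28 10:15:10 ldap1 slapd[999]: conn=1002 op=0 BIND dn="uid=bob,dc=example,dc=com" method=128
May 28 10:15:10 ldap1 slapd[999]: conn=1002 op=0 RESULT tag=97 err=0 text=
May 28 11:40:01 ldap1 slapd[999]: conn=1003 fd=14 ACCEPT from IP=10.0.0.5:40123 (IP=0.0.0.0:636)
May 28 11:40:01 ldap1 slapd[999]: conn=1003 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
May 28 11:40:01 ldap1 slapd[999]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

TS = r"(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d)"
LTM_RE = re.compile(TS + r" .*Clientside connection: (?P<cip>[\d.]+):(?P<cport>\d+) to "
                    r"(?P<vip>[\d.]+):(?P<vport>\d+) is SNAT to : (?P<sip>[\d.]+):(?P<sport>\d+)")
ACCEPT_RE = re.compile(TS + r" .*conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<sip>[\d.]+):(?P<sport>\d+)")
BIND_RE = re.compile(r"conn=(?P<conn>\d+) op=\d+ BIND dn=\"(?P<dn>[^\"]*)\"")
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=\d+ RESULT tag=97 err=(?P<err>\d+)")  # tag=97 = BindResponse


def parse_ts(text, year=2021):
    # Syslog timestamps carry no year; 2021 is assumed for this example.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def build_snat_table(ltm_log):
    """Map (snat_ip, snat_port) -> time-ordered list of (when, client_ip, client_port)."""
    table = defaultdict(list)
    for line in ltm_log.splitlines():
        m = LTM_RE.search(line)
        if m:
            table[(m["sip"], int(m["sport"]))].append((parse_ts(m["ts"]), m["cip"], int(m["cport"])))
    for entries in table.values():
        entries.sort()
    return table


def lookup_client(table, snat_ip, snat_port, when, skew_seconds=2):
    """Most recent client mapped to this SNAT endpoint at (or just after, within skew) `when`.
    Keying on IP:port alone would be wrong: SNAT ports get reused by later connections."""
    latest = when + timedelta(seconds=skew_seconds)
    best = None
    for ts, cip, cport in table.get((snat_ip, snat_port), []):
        if ts > latest:
            break
        best = (cip, cport)
    return best


def correlate(ltm_log, ldap_log, skew_seconds=2):
    """Return one record per bind result, with the SNAT endpoint and the original client."""
    table = build_snat_table(ltm_log)
    conns, records = {}, []
    for line in ldap_log.splitlines():
        if (m := ACCEPT_RE.search(line)):
            conns[m["conn"]] = {"ts": parse_ts(m["ts"]), "snat": (m["sip"], int(m["sport"]))}
        elif (m := BIND_RE.search(line)) and m["conn"] in conns:
            conns[m["conn"]]["dn"] = m["dn"]
        elif (m := RESULT_RE.search(line)) and m["conn"] in conns:
            c = conns[m["conn"]]
            client = lookup_client(table, *c["snat"], c["ts"], skew_seconds)
            records.append({
                "conn": m["conn"],
                "dn": c.get("dn"),
                "bind_ok": m["err"] == "0",
                "snat": "%s:%d" % c["snat"],
                "client": "%s:%d" % client if client else None,
            })
    return records


def failed_binds_by_client(records):
    """Count failed binds per originating client IP (the number an investigator wants)."""
    counts = defaultdict(int)
    for r in records:
        if not r["bind_ok"] and r["client"]:
            counts[r["client"].rsplit(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = correlate(LTM_LOG, LDAP_LOG)
    for r in recs:
        print(f"conn={r['conn']} dn={r['dn']} ok={r['bind_ok']} snat={r['snat']} client={r['client']}")
    print("failed binds per client:", failed_binds_by_client(recs))
```

On a real system the two logs come from different boxes, so check clock sync before trusting the join; the `skew_seconds` window covers ordinary drift but not an unsynchronised clock. If the server log is Windows AD rather than OpenLDAP, the ACCEPT/BIND/RESULT regexes are what you swap out; the SNAT table and the time-bounded lookup stay the same.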
Hello Nicolas, I am quite sure that the info is passed through the payload. Since this is LDAPS, I fear that such traffic is encrypted.