Forum Discussion

craddockchris's avatar
craddockchris
Icon for Altocumulus rankAltocumulus
Nov 05, 2024

Scrubbing F5 config for username configuration

Dear Community,

 

I have gotten a few requests recently to investigate the use of usernames "by the F5". One such request was for the repeated failed login attempts "by the F5" using a certain username "SYSTEM". The logs were showing the attempts coming from the F5 Self IP. However, when I scrubbed the F5 config for any configuration that uses the username "SYSTEM", it came up empty. 

I had another request for us to investigate the F5's use of a certain service account user, we will call it "svc_storage". They wanted to change the password of this service account and reached out to me because "they saw the F5 was using this account". However, when I scrubbed the entire running config for the use of "svc_storage" again, it turned up nothing.

 

I have been using the TMSH: "show running-config | grep" command to search for any configuration of these users. Is there a better way to do it?

I am also noticing that this command doesnt seem to return any iApp configurations either. Does this require a separate CLI command?

 

I hope my questions make sense. Thank you. 

  • Can you provide more information - is this a backend server and a monitor has a username/password, or an authentication server, or what?

     

    Regarding iApps, these are created in a separate folder, so you should use the recursive command eg `tmsh list ltm virtual recursive`. You can see other configuration in the /config/partitions directory and you can check the various /config/bigip* files