Forum Discussion
Security issue - Oracle Identity System Administration login screen is exposed to public
Hi to all,
I have a cluster with 2 BIG-IP VMs, ver 13.1. A VS has the role to load balance OAM. I discovered that the Oracle Identity System Administration login screen is exposed to the public. I found the solution with the below iRule. I want to allow only two networks (internal and VPN).
My question is if I must create two iRules for that.
when CLIENT_ACCEPTED {
    # Per-connection flag; a static:: variable would be shared by every connection,
    # so one external client would cause all clients to be dropped
    set drop_notallowed 0
    if {not [IP::addr [IP::client_addr] equals 10.0.0.0/8]} {
        log local0. "[IP::client_addr] does not match 10.0.0.0/8 AND access URI = /restricted-URI/"
        set drop_notallowed 1
    }
}
when HTTP_REQUEST {
    # The URI is lowercased first, so the compared prefix must be lowercase too
    if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
        if { $drop_notallowed == 1 } {
            drop
        }
    }
}
- iaine
Nacreous
Hi
You should be able to put all of the logic into the HTTP_REQUEST event, something like...
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
        if {not [IP::addr [IP::client_addr] equals 10.0.0.0/8]} {
            drop
        }
    }
}
- Cpet
Altocumulus
Hi iaine,
Thanks for your prompt reply.
So you suggest using an HTTP_REQUEST iRule, and I agree.
Must I create 2 iRules to allow 2 networks?
- iaine
Nacreous
Hi
No, just combine the networks with a logical OR.
If the number of networks starts to get too unwieldy or you want to edit the networks regularly, then you could use a Data Group to do a lookup.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
        # Drop only when the client is in neither allowed network
        # (the "not" must cover the whole OR, not just the first test)
        if { not ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] || [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) } {
            drop
        }
    }
}
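An added example of the Data Group variant mentioned above; this is not iaine's or F5's code. It assumes an address-type Data Group named allowed_admin_nets (a hypothetical name) that holds the internal and VPN prefixes, created under Local Traffic > iRules > Data Group List.

```tcl
# Added example: same restriction as above, but the allowed networks live in
# an address-type Data Group so they can be edited without touching the iRule.
# Assumes a Data Group "allowed_admin_nets" (hypothetical name) of type address
# containing the internal and VPN prefixes, e.g. 10.0.40.0/24 and 192.168.0.0/16.
when HTTP_REQUEST {
    # Lowercase once so the path comparison is case-insensitive
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/sysadmin/faces/signin" } {
        # class match does a prefix lookup of the client IP against the address Data Group
        if { ![class match [IP::client_addr] equals allowed_admin_nets] } {
            # Log before dropping so /var/log/ltm shows who was blocked and why
            log local0. "Blocked admin console request for $uri from [IP::client_addr]"
            drop
        }
    }
}
```

Note that IP::client_addr is the address seen by the virtual server, so if an upstream device NATs external clients to an internal address, as iaine asks, the lookup will see the NAT address rather than the real client.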
- Cpet
Altocumulus
Thank you VM.
- Cpet
Altocumulus
Hi ,
Unfortunately it does not work. I still have access from external networks.
Any ideas???
- iaine
Nacreous
What IP address have the external clients got when they hit the VIP - are you natting them to an internal IP...?
- Cpet
Altocumulus
Hi iaine,
I think the iRule does not work due to a syntax error.
My portal (URL) is https://blabla.com//sysadmin/faces/signin
So I wrote the following. Please advise if the bold type (URI) fields are correct.
when CLIENT_ACCEPTED {
    # Per-connection flag; a static:: variable would be shared by every connection
    set drop_notallowed 0
    if {not [IP::addr [IP::client_addr] equals 10.0.40.0/24]} {
        log local0. "[IP::client_addr] does not match 10.0.40.0/24 AND access URI = /sysadmin/faces/signin"
        set drop_notallowed 1
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "https://blabla.com/sysadmin/faces/signin" } {
        if { $drop_notallowed == 1 } {
            drop
        }
    }
}
- iaine
Nacreous
Hi
You don't need the CLIENT_ACCEPTED event to look for the IP and the HTTP::URI command in the HTTP_REQUEST should start from / rather than include http:// etc.
So your code would look something like
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/sysadmin/faces/signin" } {
        if {not [IP::addr [IP::client_addr] equals 10.0.40.0/24]} {
            drop
        }
    }
}
- Cpet
Altocumulus
Still not working.
Where/how can I see the logs regarding this rule???
I need to find out why.
- JG
Cumulonimbus
/var/log/ltm .
- iaine
Nacreous
Here's a couple of log lines to hopefully help. Logs will go to /var/log/ltm or the Local Traffic tab in the Logs section of the GUI.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/sysadmin/faces/signin" } {
        log local0. "URI is [HTTP::uri] - IP Address is [IP::client_addr]"
        if {not [IP::addr [IP::client_addr] equals 10.0.40.0/24]} {
            log local0. "Dropping the connection from [IP::client_addr]"
            drop
        }
    }
}
- Cpet
Altocumulus
Thanks VM
I will try it ASAP
Reverting ...