Security offload for SFTP

Question

What's the latest status about offloading SFTP/SSH? Is this still not possible? I'm looking for an alternative solution to offload some security features for SFTP, because due to SNAT the server only sees the LBs IP-address and therefor can't use this for the blacklist. Disabling SNAT and having the LB as DFGW for the server is not an option. And as SFTP doesn't support and kind of XFF, I was wondering if I can use any nice iRule to check for not allowed usernames or the number of failed login attempts. We also have only LTM module available.
Thanks for any ideas or further information!
Regards Stefan 🙂

paulius · Answer

Stefan_KlotzI don't believe you can with just LTM. I have been poking around in the various option for TCP connections but I can't seem to find any values pertaining to SSH sessions before they form. You can log client IP for every SSH sessions but I don't see a way currently to match that to SSH session on the server side to have that correlation.

daniel_wolf · Answer

Hi Stefan_Klotz,
did you consider using AFM and SSH Proxy?AskF5 &gt;&gt; Secure SSH traffic with the SSH Proxy&nbsp;
KRDaniel

Forum Discussion

Security offload for SFTP

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

F5 Security Podcasts

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

Auditing Security Policy Updates

Minimizing Security Complexity: Managing Distributed WAF Policies

Get Started with WAAP Security Incidents

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS