Forum Discussion
OhioBuckeye_687
Nimbostratus
Apr 25, 2008
SFTP Monitoring
Can an SFTP port be monitored with the full handshake? Right now it looks like our F5 is just completing a port check (similar to a telnet to the port) that is causing an error within the SFTP server logs. Can I configure the F5 load balancer to actually accept the SFTP host server key and complete a login and then disconnect?
Thanks
OB
7 Replies
- hoolio
Cirrostratus
Hi,
If a TCP port check is causing an error, you could create a script which calls sftp on the BIG-IP to connect to the pool members and verify they answer correctly. Once you have a script which can run on the BIG-IP, you can reference that in an external monitor. You can check the Monitoring codeshare section for examples of external monitors.
Aaron
- TMcGov_92811
Nimbostratus
Hi - Did you ever find an external monitor in the codeshare section to perform an actual SFTP login?
- hoolio
Cirrostratus
If you don't get an answer on this, you could use the Net::sftp perl library (assuming it's available on LTM) to do this via a script:
http://search.cpan.org/~drolsky/Net-SFTP-0.08/lib/Net/SFTP.pm
The DHCP monitor in the Codeshare from Kirk Bauer is Perl based, so it should be fairly simple to adapt for SFTP.
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/DHCPMonitor.html
Aaron
- hwidjaja_37598
Altostratus
You can also consider using public/private key authentication and run sftp command in a monitor.
As Aaron has mentioned, you would need an additional module (e.g. Net::SFTP for Perl, etc.) to pass the password to sftp. I personally wouldn't recommend this one because when you upgrade the box you'll need to remember to install the module as well.
- Hamish
Cirrocumulus
Use an external monitor and perform a
CHECKDATE=`ssh -n @ date`
with a public/private keypair... The -n parameter is in there in case something happens to the public key the server gives back... You need to do this by hand BTW before the automated check will work.
Then just check that the $CHECKDATE environment variable is sane... If it is, then sshd is up & running on the target server...
Changing the command to use NODE_IP and NODE_PORT (And any logging etc you'd like on it) is left as an exercise for the reader. You don't have to do this as a shell script BTW... It could be perl or whatever.
H
- simon_103767
Nimbostratus
Hello,
could you please post your entire script ?
many Thanks
David
- hoolio
Cirrostratus
Hi David,
You could use Hamish's suggestion for the SCP command and put it in this monitor template:
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/TemplateForExternalLtmMonitors.html
Aaron
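Putting Hamish's key-based ssh check and the external-monitor template Aaron links to together, here is what a complete SFTP external monitor could look like. This is an added example for this thread, not code from any of the posters or from F5. It assumes a login account "monitor" with key-only authentication on every pool member, the matching private key at /root/.ssh/id_sftp_monitor on the BIG-IP, and each server's host key already accepted into /root/.ssh/known_hosts by hand (the manual first step Hamish describes). The LTM external-monitor conventions it relies on are that the script is invoked as "script <node ip> <node port>", that any text on stdout marks the member UP and silence marks it DOWN, and that older versions pass the IP in IPv6-mapped form (::ffff:10.1.1.1).

```shell
#!/bin/sh
# sftp_monitor.sh - hypothetical BIG-IP LTM external (EAV) monitor for SFTP.
# Added example for this thread, not code from any poster or from F5.
# Conventions assumed from the DevCentral external-monitor template:
#   - LTM runs the script as "script <ip> <port>"
#   - any stdout output marks the member UP, no output marks it DOWN
#   - a pidfile is used to kill a previous instance that is still hanging
# Assumed environment: account "monitor" with key-only login on every pool
# member, private key in /root/.ssh/id_sftp_monitor, and every server's host
# key already present in /root/.ssh/known_hosts.

MON_USER="${MON_USER:-monitor}"                    # assumed account name
MON_KEY="${MON_KEY:-/root/.ssh/id_sftp_monitor}"  # assumed key path
MON_TIMEOUT="${MON_TIMEOUT:-10}"                   # seconds for TCP connect

# Decide from sftp's combined stdout/stderr whether a real SFTP login and a
# "pwd" round trip succeeded. Any auth or host-key failure text means DOWN;
# otherwise we require the "Remote working directory: /..." line that sftp
# prints in reply to pwd. Returns 0 for a healthy member, 1 otherwise.
sftp_login_ok() {
    out="$1"
    case "$out" in
        *"Permission denied"*|*"Host key verification failed"*|*"REMOTE HOST IDENTIFICATION HAS CHANGED"*)
            return 1 ;;
    esac
    printf '%s\n' "$out" | grep -Eq '^Remote working directory: /'
}

# Open a genuine SFTP session to one node: key auth only (BatchMode), strict
# host-key checking so a swapped key fails the check instead of being trusted,
# one "pwd" command fed through "-b -", then disconnect.
sftp_probe() {
    ip="$1"; port="$2"
    out=$(printf 'pwd\n' | sftp -b - \
            -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o ConnectTimeout="$MON_TIMEOUT" -o Port="$port" \
            -i "$MON_KEY" "$MON_USER@$ip" 2>&1)
    sftp_login_ok "$out"
}

main() {
    # Older LTM versions pass the node IP as an IPv6-mapped address
    # (::ffff:10.1.1.1); strip the prefix so ssh sees a plain IPv4 address.
    node_ip=$(printf '%s' "$1" | sed 's/^::ffff://')
    node_port="$2"
    pidfile="/var/run/$(basename "$0").$node_ip.$node_port.pid"

    # Kill the previous instance for this member if it is still running
    # (for example stuck in a half-open SSH session), then record our PID.
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" 2>/dev/null
    fi
    echo $$ > "$pidfile"

    if sftp_probe "$node_ip" "$node_port"; then
        echo "UP"      # any stdout output marks the member up
    fi                 # silence marks it down
    rm -f "$pidfile"
}

# Only run the probe when LTM (or a tester) invokes us with <ip> <port>.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it by hand from the BIG-IP shell first (for example `./sftp_monitor.sh 10.1.1.1 22`, with the IP and port of a real member) and confirm it prints UP before pointing an External monitor at it. Because the probe completes a real login and a pwd round trip, the sshd log on the member records a normal session rather than the "connection closed" noise a bare TCP port check produces. The StrictHostKeyChecking=yes setting is deliberate: it stops the monitor from authenticating to a host that presents an unexpected key, which also means a member whose host key has been regenerated will show as down until known_hosts on the BIG-IP is updated.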