Forum Discussion
Vulnerability scanner not able to scan F5 LTM
Hi All,
We are trying to run a vulnerability scan on an F5 LTM using the McAfee vulnerability scanner on port 22 of the LTM management IP. But the team is saying their scanner is not able to log in to the LTM, although they are able to log in using the same account when they SSH. TACACS is already configured. Any suggestions? To do a vulnerability scan, do we need to scan another port, or how are you doing this in your environment?
3 Replies
- Max_Q_factor
Cirrocumulus
Based on this McAfee KB, "Minimum permissions required to run Shell Module vulnerability checks in Vulnerability Manager", I believe you need to ensure that the account used by TACACS is not set to use the tmsh shell, but is set to use "advanced shell" or "bash".
SOL12029: Accessing the Traffic Management Shell
This may be difficult in certain versions of F5 with a TACACS group user; distributed auth group users are not allowed to have "advanced shell". I would ensure that the TACACS user is a named account with administrative rights, and verify you can change the terminal access to "advanced shell" or "bash".
- Amit585731
Nimbostratus
Hi AWS, thanks for the response. I am able to log in to the LTM shell using the mvm scanner id, but while running the scan it shows that it is not able to log in to the device. Below is the log I am seeing in the ltm log and secure files:

ltm file log
May 13 16:44:03 Internal info sshd[31179]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
May 13 16:44:03 Internal info sshd[31182]: Did not receive identification string from <>
May 13 16:44:03 Internal info sshd[31183]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
May 13 16:44:03 Internal info sshd[31188]: Did not receive identification string from <>
May 13 16:44:11 Internal info sshd[31197]: Did not receive identification string from <>
May 13 16:44:20 Internal info sshd[31207]: Accepted keyboard-interactive/pam for from <> port 12033 ssh2
May 13 16:44:38 Internal info sshd[31231]: Accepted keyboard-interactive/pam for from <> port 12058 ssh2
May 13 16:47:55 Internal err sshd[31390]: error: PAM: Authentication failure for root from
May 13 16:48:00 Internal info sshd[31437]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
May 13 16:48:00 Internal info sshd[31440]: Did not receive identification string from <>
May 13 16:48:00 Internal info sshd[31441]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
May 13 16:48:00 Internal info sshd[31446]: Did not receive identification string from <>
May 13 16:48:08 Internal info sshd[31393]: Connection closed by
May 13 16:48:08 Internal info sshd[31474]: Did not receive identification string from <>
May 13 16:48:17 Internal info sshd[31483]: Accepted keyboard-interactive/pam for from <> port 12114 ssh2

secure file log
May 13 16:48:28 Internal info sshd(pam_audit)[31483]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:17 2015" end="Wed May 13 16:48:28 2015".
May 13 16:48:36 Internal alert sshd[31538]: pam_unix(sshd:account): could not identify user (from getpwnam())
May 13 16:48:36 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015".
May 13 16:48:36 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015".
May 13 16:48:47 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015".
May 13 16:48:47 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015".
May 13 16:51:14 Internal alert sshd[31756]: pam_unix(sshd:account): could not identify user (from getpwnam())
May 13 16:51:15 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015".
May 13 16:51:15 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015".
May 13 16:51:26 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015".
May 13 16:51:26 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015".
May 13 16:51:33 Internal alert sshd[31779]: pam_unix(sshd:account): could not identify user (from getpwnam())
May 13 16:51:33 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015".
May 13 16:51:33 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015".
May 13 16:51:44 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015".
May 13 16:51:44 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015".
- Max_Q_factor
Cirrocumulus
I can't tell from that log file what shell the AUDIT user is assigned to. Can you verify what version of BIG-IP TMOS you are running as well as the shell assigned to the AUDIT user?
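An added example, not part of the thread: a small triage script for sshd lines in the format posted above, separating connections that never spoke SSH (an HTTP request or binary hello sent to port 22) from accepted logins, PAM failures and audit sessions, and reporting how long each audited session lasted. The sample lines are constructed; the user `scanuser`, the address `192.0.2.10` and the rule labels are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the thread's log format; user and host are placeholders.
SAMPLE = r"""May 13 16:48:00 Internal info sshd[31437]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
May 13 16:48:00 Internal info sshd[31440]: Did not receive identification string from 192.0.2.10
May 13 16:48:00 Internal info sshd[31441]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
May 13 16:47:55 Internal err sshd[31390]: error: PAM: Authentication failure for root from 192.0.2.10
May 13 16:48:17 Internal info sshd[31483]: Accepted keyboard-interactive/pam for scanuser from 192.0.2.10 port 12114 ssh2
May 13 16:48:36 Internal alert sshd[31538]: pam_unix(sshd:account): could not identify user (from getpwnam())
May 13 16:48:47 Internal info sshd(pam_audit)[31533]: user=scanuser(scanuser) partition=[All] level=Administrator tty=ssh host=192.0.2.10 attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015".
"""

# Ordered rules: the first pattern that matches labels the line.
RULES = [
    ("non_ssh_probe", re.compile(r"Bad protocol version identification")),
    ("no_client_banner", re.compile(r"Did not receive identification string")),
    ("auth_failure", re.compile(r"PAM: Authentication failure for (?P<user>\S+)")),
    ("login_accepted", re.compile(r"Accepted \S+ for (?P<user>\S+) from")),
    ("no_local_passwd_entry", re.compile(r"could not identify user \(from getpwnam\(\)\)")),
    ("audit_session_end", re.compile(r'level=(?P<level>\S+) .*start="(?P<start>[^"]+)" end="(?P<end>[^"]+)"')),
]
TS = "%a %b %d %H:%M:%S %Y"  # timestamp format used inside pam_audit records

def classify(line):
    """Return (label, captured fields) for one sshd log line, or ("other", {})."""
    for label, rx in RULES:
        m = rx.search(line)
        if m:
            return label, m.groupdict()
    return "other", {}

def triage(text):
    """Count event types and collect (role level, session seconds) from audit records."""
    counts, sessions = Counter(), []
    for line in filter(None, map(str.strip, text.splitlines())):
        label, f = classify(line)
        counts[label] += 1
        if label == "audit_session_end":
            secs = (datetime.strptime(f["end"], TS) - datetime.strptime(f["start"], TS)).total_seconds()
            sessions.append((f["level"], int(secs)))
    return counts, sessions

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

As the last reply notes, these records carry the role level but not the assigned shell, so the shell still has to be checked on the device itself.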
