For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Amit585731's avatar
Amit585731
Icon for Nimbostratus rankNimbostratus
May 13, 2015

Vulnerability scanner not able to scan F5 LTM

Hi All,   We are trying to run vulnerability scan on F5 LTM using McAfee vulnerability scanner on port 22 of LTM management IP. But the team is saying there scanner is not able to login to LTM alt...
application delivery
deployment
LTM
security
Max_Q_factor's avatar
Max_Q_factor
Icon for Cirrocumulus rankCirrocumulus
May 13, 2015

Based on this McAfee KB Minimum permissions required to run Shell Module vulnerability checks in Vulnerability Manager I beleive you need to ensure that the account used by TACACS is not set to use the tmsh shell, but is set to use "advanced shell" or "bash".

 

SOL12029: Accessing the Traffic Management Shell

 

This may be difficult inc certain versions of F5 with a TACACS group user, distributed auth group users are not allowed to have "advanced shell". I would ensure that the TACACS user is a named account, with administrative rights and verify you can change the terminal access to "advanced shell" or "bash"

 

Amit585731's avatar
Amit585731
Icon for Nimbostratus rankNimbostratus
May 14, 2015
Hi AWS, Thanks for response. I am able to login to LTM shell using mvm scanner id but while running scan it is showing not able to login to device. below is the log I am seeing on log and secure file: ltm file log May 13 16:44:03 Internal info sshd[31179]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN May 13 16:44:03 Internal info sshd[31182]: Did not receive identification string from <> May 13 16:44:03 Internal info sshd[31183]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN May 13 16:44:03 Internal info sshd[31188]: Did not receive identification string from <> May 13 16:44:11 Internal info sshd[31197]: Did not receive identification string from <> May 13 16:44:20 Internal info sshd[31207]: Accepted keyboard-interactive/pam for from <> port 12033 ssh2 May 13 16:44:38 Internal info sshd[31231]: Accepted keyboard-interactive/pam for from <> port 12058 ssh2 May 13 16:47:55 Internal err sshd[31390]: error: PAM: Authentication failure for root from May 13 16:48:00 Internal info sshd[31437]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN May 13 16:48:00 Internal info sshd[31440]: Did not receive identification string from <> May 13 16:48:00 Internal info sshd[31441]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN May 13 16:48:00 Internal info sshd[31446]: Did not receive identification string from <> May 13 16:48:08 Internal info sshd[31393]: Connection closed by May 13 16:48:08 Internal info sshd[31474]: Did not receive identification string from <> May 13 16:48:17 Internal info sshd[31483]: Accepted keyboard-interactive/pam for from <> port 12114 ssh2 secure file log May 13 16:48:28 Internal info sshd(pam_audit)[31483]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:17 2015" end="Wed May 13 16:48:28 2015". May 13 16:48:36 Internal alert sshd[31538]: pam_unix(sshd:account): could not identify user (from getpwnam()) May 13 16:48:36 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015". May 13 16:48:36 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015". May 13 16:48:47 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015". May 13 16:48:47 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015". May 13 16:51:14 Internal alert sshd[31756]: pam_unix(sshd:account): could not identify user (from getpwnam()) May 13 16:51:15 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015". May 13 16:51:15 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015". May 13 16:51:26 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015". May 13 16:51:26 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015". May 13 16:51:33 Internal alert sshd[31779]: pam_unix(sshd:account): could not identify user (from getpwnam()) May 13 16:51:33 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015". May 13 16:51:33 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015". May 13 16:51:44 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015". May 13 16:51:44 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015".