Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

BIG IP 13.X How to prevent an answer on port scanning

Egrebeld
Nimbostratus
Nimbostratus

‎20-Apr-2021 00:21

Hi,

 

Actually, I have one 2 VS. One listening on port 80 with an LTM policy to redirect the traffic on the second VS listening on port 443. I'm looking for a solution to prevent the F5 to answer on port 80 to tcp connexion coming from a scan tool.

 

Thanks

Labels:
0 Kudos
6 REPLIES 6

SanjayP
MVP
MVP

‎20-Apr-2021 01:36 - last edited on ‎04-Jun-2023 20:57 by Fog

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool.

Using data-group

when CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals scanner_ip] } {
     reject
       } else {
	 return  
	   }
    }

Using IP-address within the iRule

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals <scannerip> ] } {
     reject
       } else {
	 return  
	   }
    }
0 Kudos

Egrebeld
Nimbostratus
Nimbostratus
In response to SanjayP

‎22-Apr-2021 00:13

In this case, how the F5 knows that this a legitimate request and not a port scan ?

0 Kudos

SanjayP
MVP
MVP
In response to Egrebeld

‎22-Apr-2021 00:38

well, you need to explicitly add IP addresses of scanning tool in the data group "scannerip" or define in the iRule itself.

0 Kudos

joyride_us
Altostratus
Altostratus

‎20-Apr-2021 06:04

You can redirect the request from port 80 to port 443.

( HTTP::redirect ...)

0 Kudos

Egrebeld
Nimbostratus
Nimbostratus
In response to joyride_us

‎22-Apr-2021 00:12

This way do not prevent the F5 to answer on port scanning

 

0 Kudos

joyride_us
Altostratus
Altostratus

‎22-Apr-2021 00:56

Sorry. Wrong question.

0 Kudos
Copyright © 2023 Khoros, LLC