Forum Discussion

Xterminator89's avatar
Xterminator89
Icon for Altocumulus rankAltocumulus
May 28, 2021
Solved

LDAPS account interception through Virtual Server - Is it possible

Dear devcentral,   I'm currently faced with an issue where an administrative user is being locked out because multiple attempts are failing. These attempts and connections, are routed through an...
BIG-IP
LTM
security
  • Nicolas_Martin-'s avatar
    Nicolas_Martin-
    May 28, 2021

    Ok, I got it.

    I was thinking your users where consuming a website via a virtual server and they get prompted to logon by the website then the website use the creds provided by user to Authent through LDAPS.

    If your VS is your LDAPS servers then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with : 

    when SERVER_CONNECTED {
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]"
}

    Then retrieve from your LDAPS logs the IP AND Port used for login attempts and lookup this IP/Port in the ltm logs which will reveal the origin source IP

    Regards,

Nicolas_Martin-'s avatar
Nicolas_Martin-
Icon for Cirrus rankCirrus

Hi!

What kind of virtual serveur is it ? Just tcp/udp or full HTTP proxy?

I think you can try to drop sume irule in your VS to log stuff :

To log your SNAT session (so you can lookup by IP:Port and datetime from your ldaps to get the mapping to original IP : 

when SERVER_CONNECTED {
     log clientside connection details to /var/log/ltm
    log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
     log serverside connection details to /var/log/ltm
    log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
}

If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.

Regards,

Xterminator89's avatar
Xterminator89
Icon for Altocumulus rankAltocumulus
May 28, 2021

Bonjour Nicolas, thanks a lot for your reply and details.

The VS in question has a full "Standard" setup.

What I'm trying to achieve is, based on the provided username (e.g. "admin"), log via iRule the authentication attempts for this user along with the Client IP where these attempts are coming from. This, in order to act on the workstations which are causing the account lockout.

Thanks a lot