cancel
Showing results for 
Search instead for 
Did you mean: 

LDAPS account interception through Virtual Server - Is it possible

Xterminator89
Altocumulus
Altocumulus

Dear devcentral,

 

I'm currently faced with an issue where an administrative user is being locked out because multiple attempts are failing.

These attempts and connections, are routed through an F5 virtual server, which has Automap enabled, so the requests appear to be coming from the F5 itself.

 

Is it possible, somehow, to intercept the username of this request and the client IP, in order to ascertain where the lockout attempts are coming from?

 

Thanks a lot in advance

1 ACCEPTED SOLUTION

Ok, I got it.

I was thinking your users where consuming a website via a virtual server and they get prompted to logon by the website then the website use the creds provided by user to Authent through LDAPS.

 

If your VS is your LDAPS servers then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with :

when SERVER_CONNECTED { log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]" }

Then retrieve from your LDAPS logs the IP AND Port used for login attempts and lookup this IP/Port in the ltm logs which will reveal the origin source IP

Regards,

View solution in original post

8 REPLIES 8

Hi!

What kind of virtual serveur is it ? Just tcp/udp or full HTTP proxy?

I think you can try to drop sume irule in your VS to log stuff :

To log your SNAT session (so you can lookup by IP:Port and datetime from your ldaps to get the mapping to original IP :

when SERVER_CONNECTED { log clientside connection details to /var/log/ltm log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]" log serverside connection details to /var/log/ltm log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]" }

If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.

 

Regards,

 

Bonjour Nicolas, thanks a lot for your reply and details.

The VS in question has a full "Standard" setup.

What I'm trying to achieve is, based on the provided username (e.g. "admin"), log via iRule the authentication attempts for this user along with the Client IP where these attempts are coming from. This, in order to act on the workstations which are causing the account lockout.

Thanks a lot

Hi!

How is the login/password passed to the backend server ? Is it POST request ? If yes what is the name of the usernae field ?

Edit : could you also provide the form URL (replace sensitive data with dummy value if needed. It is just to get a template for the irule

 

Hello Nicolas, I am quite sure that the info is passed through the payload. Since this is LDAPS, I fear that such traffic is encrypted.

The LDAPS is connection is made by the backend server to you directory right ?

The connection should be as follows:

Client <---> VS <---> Backend

I need to intercept the attempt before it gets to the backend (AD Server) in order to catch it

Ok, I got it.

I was thinking your users where consuming a website via a virtual server and they get prompted to logon by the website then the website use the creds provided by user to Authent through LDAPS.

 

If your VS is your LDAPS servers then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with :

when SERVER_CONNECTED { log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]" }

Then retrieve from your LDAPS logs the IP AND Port used for login attempts and lookup this IP/Port in the ltm logs which will reveal the origin source IP

Regards,

If you only need to know when user X tries to login and get client IP :

when HTTP_REQUEST { if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } { HTTP::collect [HTTP::header Content-Length] } } when HTTP_REQUEST_DATA { set username "unknown" foreach x [split [string tolower [HTTP::payload]] "&"] { if { $x starts_with "username=" } { set username [lindex [split $x "="] 1] } } log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]" }