28-May-2021 01:37
Dear devcentral,
I'm currently faced with an issue where an administrative user is being locked out because multiple attempts are failing.
These attempts and connections are routed through an F5 virtual server, which has Automap enabled, so the requests appear to be coming from the F5 itself.
Is it possible, somehow, to intercept the username of this request and the client IP, in order to ascertain where the lockout attempts are coming from?
Thanks a lot in advance
28-May-2021 03:08
Hi!
What kind of virtual server is it? Just TCP/UDP or full HTTP proxy?
I think you can try to drop some iRule in your VS to log stuff:
To log your SNAT session (so you can look up by IP:Port and datetime from your LDAPS to get the mapping to the original IP):
    when SERVER_CONNECTED {
        # log clientside connection details to /var/log/ltm
        log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        # log serverside connection details to /var/log/ltm
        log local0. "Serverside connection: [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]:[TCP::remote_port]"
    }
If your VS is full HTTP you could add other rules to log this only when your username is detected in the payload.
Regards,
28-May-2021 04:16
Bonjour Nicolas, thanks a lot for your reply and details.
The VS in question has a full "Standard" setup.
What I'm trying to achieve is, based on the provided username (e.g. "admin"), log via iRule the authentication attempts for this user along with the Client IP where these attempts are coming from. This, in order to act on the workstations which are causing the account lockout.
Thanks a lot
28-May-2021 04:19
Hi!
How is the login/password passed to the backend server? Is it a POST request? If yes, what is the name of the username field?
Edit: could you also provide the form URL (replace sensitive data with dummy values if needed)? It is just to get a template for the iRule.
28-May-2021 04:24
Hello Nicolas, I am quite sure that the info is passed through the payload. Since this is LDAPS, I fear that such traffic is encrypted.
28-May-2021 04:26
The LDAPS connection is made by the backend server to your directory, right?
28-May-2021 04:28
The connection should be as follows:
Client <---> VS <---> Backend
I need to intercept the attempt before it gets to the backend (AD Server) in order to catch it
28-May-2021 04:36
Ok, I got it.
I was thinking your users were consuming a website via a virtual server and they get prompted to log on by the website, then the website uses the creds provided by the user to authenticate through LDAPS.
If your VS is your LDAPS servers, then you cannot read the payload as it is encrypted. What you need to do is to log every SNAT with:
    when SERVER_CONNECTED {
        # One line per connection: original client endpoint and the SNAT endpoint the backend sees
        log local0. "Clientside connection: [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}] is SNAT to : [IP::local_addr]:[TCP::local_port] to [IP::remote_addr]"
    }
Then retrieve from your LDAPS logs the IP AND port used for login attempts and look up this IP/port in the ltm logs, which will reveal the original source IP.
Regards,
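Added example (not part of the original posts and not F5 code): a small Python script for the lookup step described above, matching the SNAT IP/port seen by the directory server against the lines written by the SERVER_CONNECTED iRule. The syslog prefix layout, the rule name `log_snat`, the sample addresses and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Message format written by the SERVER_CONNECTED iRule above; the syslog
# prefix (timestamp, host, tmm tag) is an assumed layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"Clientside connection: (?P<client>\S+):(?P<cport>\d+) to \S+ "
    r"is SNAT to : (?P<snat>\S+):(?P<sport>\d+) to \S+"
)

# Constructed sample lines (not from the thread). SNAT port 40001 is reused.
PREFIX = "bigip1 info tmm[11234]: Rule /Common/log_snat <SERVER_CONNECTED>: "
SAMPLE_LTM = [
    "May 28 04:40:01 " + PREFIX + "Clientside connection: 192.0.2.15:51544 "
    "to 198.51.100.10:636 is SNAT to : 198.51.100.2:40001 to 203.0.113.20",
    "May 28 04:40:03 " + PREFIX + "Clientside connection: 192.0.2.33:49810 "
    "to 198.51.100.10:636 is SNAT to : 198.51.100.2:40002 to 203.0.113.20",
    "May 28 04:41:00 bigip1 notice mcpd[5555]: unrelated message",
    "May 28 04:52:10 " + PREFIX + "Clientside connection: 192.0.2.77:60222 "
    "to 198.51.100.10:636 is SNAT to : 198.51.100.2:40001 to 203.0.113.20",
]

def parse_ltm(lines, year):
    """Return (time, snat_ip, snat_port, client_ip, client_port) tuples."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines from other sources are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["snat"], int(m["sport"]), m["client"], int(m["cport"])))
    return out

def find_client(mappings, snat_ip, snat_port, seen_at):
    """Original client for a SNAT ip:port that the backend logged at seen_at.

    SNAT source ports are reused, so take the latest mapping logged at or
    before the backend's timestamp rather than the first textual match.
    """
    hits = [m for m in mappings
            if m[1] == snat_ip and m[2] == snat_port and m[0] <= seen_at]
    if not hits:
        return None
    best = max(hits, key=lambda m: m[0])
    return best[3], best[4]

if __name__ == "__main__":
    maps = parse_ltm(SAMPLE_LTM, 2021)
    print(find_client(maps, "198.51.100.2", 40001, datetime(2021, 5, 28, 4, 55, 0)))
```

The timestamp comparison only works if the BIG-IP and the directory server clocks are synchronised and compared in the same time zone.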
28-May-2021 04:24
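If you only need to know when user X tries to log in and get the client IP:
    when HTTP_REQUEST {
        # Buffer the request body only for POSTs to the login form
        if { ( [string tolower [HTTP::uri]] equals "/loginform.html" ) and ( [HTTP::method] equals "POST" ) } {
            # Skip collection when no Content-Length is sent (e.g. a chunked body)
            if { [HTTP::header exists "Content-Length"] } {
                HTTP::collect [HTTP::header Content-Length]
            }
        }
    }
    when HTTP_REQUEST_DATA {
        set username "unknown"
        # Walk the form fields and pick out username=...
        foreach x [split [string tolower [HTTP::payload]] "&"] {
            if { $x starts_with "username=" } {
                set username [lindex [split $x "="] 1]
            }
        }
        # Log only the username and client endpoint, not the payload
        log local0. "User $username attempted login from [IP::client_addr]:[TCP::client_port]"
    }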