Security offload for SFTP

Stefan_Klotz
Cumulonimbus

What's the latest status about offloading SFTP/SSH? Is this still not possible? I'm looking for an alternative solution to offload some security features for SFTP, because due to SNAT the server only sees the LB's IP address and therefore can't use this for the blacklist. Disabling SNAT and having the LB as DFGW for the server is not an option. And as SFTP doesn't support any kind of XFF, I was wondering if I can use any nice iRule to check for not allowed usernames or the number of failed login attempts. We also have only the LTM module available.

Thanks for any ideas or further information!

Regards Stefan 🙂

2 REPLIES

Paulius
MVP

@Stefan_Klotz I don't believe you can with just LTM. I have been poking around in the various options for TCP connections but I can't seem to find any values pertaining to SSH sessions before they form. You can log the client IP for every SSH session but I don't see a way currently to match that to the SSH session on the server side to have that correlation.
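
An added example, not part of the original replies: one way to tie sshd failures back to real client addresses offline, by joining load balancer connection logs to the server's auth log on the SNAT source address and port. It assumes the LB can log the SNAT address and port it used toward the server for each connection; the LB line format, the 60-second window and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. The LB line format is hypothetical: it assumes the
# load balancer logs, per connection, the real client and the SNAT source
# address and port it used toward the SFTP server.
LB_LOG = """\
2024-03-03T10:15:01 client=203.0.113.7:51522 snat=10.0.0.5:40112
2024-03-03T10:15:04 client=203.0.113.7:51530 snat=10.0.0.5:40113
2024-03-03T10:15:09 client=198.51.100.20:60001 snat=10.0.0.5:40114
2024-03-03T10:15:12 client=203.0.113.7:51544 snat=10.0.0.5:40115
2024-03-03T11:40:00 client=192.0.2.44:43210 snat=10.0.0.5:40112
"""
SSHD_LOG = """\
2024-03-03T10:15:02 sftp01 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 40112 ssh2
2024-03-03T10:15:05 sftp01 sshd[2214]: Failed password for root from 10.0.0.5 port 40113 ssh2
2024-03-03T10:15:10 sftp01 sshd[2217]: Accepted password for alice from 10.0.0.5 port 40114 ssh2
2024-03-03T10:15:13 sftp01 sshd[2220]: Failed password for invalid user test from 10.0.0.5 port 40115 ssh2
2024-03-03T11:40:03 sftp01 sshd[2290]: Failed password for bob from 10.0.0.5 port 40112 ssh2
"""
LB_RE = re.compile(r"^(\S+) client=([\d.]+):\d+ snat=([\d.]+):(\d+)$")
SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from ([\d.]+) port (\d+)")

def correlate(lb_log, sshd_log, window=timedelta(seconds=60)):
    """Return (client_ip, username) for each failed login, joined on SNAT ip:port."""
    conns = {}  # (snat_ip, snat_port) -> [(connection_time, client_ip), ...]
    for line in lb_log.splitlines():
        if m := LB_RE.match(line):
            ts, client, snat_ip, snat_port = m.groups()
            conns.setdefault((snat_ip, snat_port), []).append((datetime.fromisoformat(ts), client))
    hits = []
    for line in sshd_log.splitlines():
        if m := SSHD_RE.match(line):
            ts, user, src_ip, src_port = m.groups()
            when = datetime.fromisoformat(ts)
            # SNAT ports are reused, so take the newest LB connection that
            # started before the failure and within the (assumed) window.
            prior = [(t, c) for t, c in conns.get((src_ip, src_port), []) if t <= when <= t + window]
            hits.append((max(prior)[1] if prior else "unknown", user))
    return hits

def offenders(hits, threshold=3):
    """Client IPs with at least `threshold` failed logins."""
    counts = Counter(ip for ip, _ in hits if ip != "unknown")
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Both devices need synchronized clocks for the time window to hold, and the result is only as current as the log shipping, so this supports blacklist decisions after the fact rather than inline blocking.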

Daniel_Wolf
Nacreous

Hi @Stefan_Klotz,

Did you consider using AFM and SSH Proxy?
AskF5 >> Secure SSH traffic with the SSH Proxy 

KR
Daniel