iRulesLX
Block Log4j with use of IOCs

Problem this snippet solves:
iRule that helps to mitigate the Log4j vulnerability with the use of publicly available IOCs. Currently the following IOCs can be used:

- cert-agid.gov.it (contains scan IPs): https://cert-agid.gov.it/download/log4shell-iocs.txt
- NLD Police: https://thanksforallthefish.nl/log4j_blocklist.txt

These IOCs combined will result in about 25191 IP addresses being blocked. The plan is to add some more IOCs soon.

Last update: 27 December 2021

How to use this snippet:
This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension.

- Create LX Workspace: log4j_ioc
- Add iRule: log4j_ioc_irule
- Add Extension: log4j_ioc_extension (index.js)
- Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc)

Install the required NodeJS modules. Use SSH to log in to your BIG-IP and install the https and lokijs modules:

    # cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension
    # npm install https lokijs --save

Tested this on version: 15.1

Use iRules LX to write to the file system
Problem this snippet solves:
Whilst you can log to /var/log/ltm from an iRule, the TCL implementation on TMOS has its file reading and writing capabilities disabled. However, it is still possible to write a non-logging file to the file system using iRules LX, albeit to the iRules LX workspace. A second script would be required to move the file to where you require it. This demo writes a file test.txt containing a client IP address to the iRules LX workspace.

How to use this snippet:
First you need an iRule that passes the client IP address into iRules LX (you'll want to put the LX call in a catch for a prod environment):

    when CLIENT_ACCEPTED {
        # Get an RPC handle to the "fs-ex" extension of the "fs-pl" plugin
        set rpcHandle [ILX::init "fs-pl" "fs-ex"]
        # Call the writeFile method with the client IP as its only argument
        set result [ILX::call $rpcHandle "writeFile" "[IP::client_addr]"]
        log local0. "$result"
    }

Then a simple iRules LX script that will write out a test file with the value of the IP you passed in. It will write out the file to the extension folder, which will vary; it will also change slightly each time it executes. For example, my file was located here:

    /var/sdm/plugin_store/plugins/:Common:fs-pl_83750_4/extensions/fs-ex/test.txt

The next time, it was located here:

    /var/sdm/plugin_store/plugins/:Common:fs-pl_83750_5/extensions/fs-ex/test.txt

Code :

    var f5 = require('f5-nodejs');
    var ilx = new f5.ILXServer();
    var fs = require('fs');

    // RPC method invoked from the iRule via ILX::call; req.params() holds the arguments
    function writeFile(req, res) {
        var ip = req.params()[0];
        // Relative path: the file lands in the extension's working directory
        fs.writeFile('test.txt', ip, function(err) {
            if (err) {
                res.reply(err);
            } else {
                res.reply('file written successfully');
            }
        });
    }

    ilx.addMethod('writeFile', writeFile);
    ilx.listen();

Tested this on version: No Version Found

iRule LX (Node.js) development environment
Problem this snippet solves:
Write iRulesLX (Node.js) on your own system and save them into some source control repo (git).

How to use this snippet:
- Download VSCode (Visual Studio Code) and install
- Download Node.js v6.9.1 (used by TMOS 13.1.0 and above)
- Create a new folder for your project and run the following npm commands to set up the environment

You will get a file named package.json with all your project details in it.

Code :

    npm init
    npm install --save-dev typescript
    npm install --save-dev jest
    npm install --save-dev ts-jest
    npm install --save-dev nock
    npm install --save-dev debug
    npm install --save-dev @types/jest
    npm install --save-dev @types/node

Tested this on version: 13.0

Complete MFA solution with GA stored in Active Directory
Problem this snippet solves:
All modern business applications require Multi-Factor Authentication (MFA) to be used for remote access by employees. There are many vendors on the market selling enterprise MFA solutions that may be utilised with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and allow customers to create flexible policies which let them decide when and who will be authorised to access protected applications. But what about those customers who have no need for complex enterprise solutions or do not have an adequate budget for such spending?

How to use this snippet:
For those customers I would like to present my One-Time Password (OTP) application, which requires BIG-IP LTM/APM/iRulesLX. The shared secret value is stored in Active Directory and the QR code is generated in the user's browser. All you need after implementing this application on your BIG-IP is to ask your users to get any OTP-compatible mobile application, like Google Authenticator or Microsoft Authenticator.

Please see https://github.com/akhmarov/f5_otp/ for instructions.

UPDATE 1: New version now supports APM 15.1+ Modern Customization
UPDATE 2: Added trusted device support
UPDATE 3: Added multi-tenancy support

Tested this on version: 15.1