iapp template
Tourniquet iRule to detect, BLOCK, log, and count CVE-2016-9244 "Ticketbleed" attacks

Problem this snippet solves:

This iApp installs the Tourniquet iRule ir-tourniquet which will detect, block, log, and count attempts to exploit CVE-2016-9244 "Ticketbleed". Attach the Tourniquet iRule to any TCP+TLS or UDP+DTLS virtual server with a Client SSL Profile. (The iRule works on BIG-IP TMOS v11.0 and above.)

The Tourniquet iRule logs the source IP address and geolocation of each possible attack and counts attacks (per-virtual-server) using iStats.

The Tourniquet iRule is for anyone (such as a honeypot operator) who wants to log the sources of Ticketbleed attacks and for BIG-IP users who want to utilize RFC-5077 TLS Session Tickets while still running vulnerable (older) versions of BIG-IP TMOS (by blocking Ticketbleed attacks, the Tourniquet iRule makes it safe to enable Session Tickets).

NOTE: The best way to avoid the CVE-2016-9244 Ticketbleed vulnerability is to upgrade BIG-IP TMOS to a non-vulnerable version. See F5 Solution Note K05121675. The second-best way (imposing a modest performance cost) is to disable Session Tickets in your Client SSL Profile(s).

The performance cost of the Tourniquet iRule is very small unless an attacker tries to flood your BIG-IP with Ticketbleed attacks. In that case, the Tourniquet iRule will at least help you track the attacker down.

The Tourniquet iRule blocks Ticketbleed attacks on vulnerable versions of BIG-IP TMOS. It also has an option to log Ticketbleed attacks then allow them to proceed, if you really want to do that.

How to use this snippet:

1. Download the Tourniquet-iRule-v1.zip file (below).
2. Extract (unzip) the Tourniquet-iRule-v1.tmpl file.
3. In the BIG-IP Management GUI, navigate to iApps / Templates.
4. Click Import, browse to select the template file, then click Upload.
5. Navigate to iApps / Application Services.
6. Click Create, then enter a unique name (for example, t) and select the template Tourniquet_iRule.
7. Click Finished.

The Tourniquet iRule ir-tourniquet will be created (in an Application folder, for example as /Common/t.app/ir-tourniquet). You may then navigate to Local Traffic / Virtual Servers, edit your virtual servers that have Client SSL Profiles, and add the Tourniquet iRule to each virtual server in the iRules section of the Resources tab.

(If you really want to allow Ticketbleed attacks for some reason (making your BIG-IP insecure!), you can change the relevant setting in the iApp then click Finished to update the iRule.)

Code : 73863276Views0likes0Comments

11.4 iapp namespace
Hi,

I'm developing some iApp templates based on the f5.http. I need to be able to let the user decide if a specific pool member is enabled or disabled when the iApp is deployed. I already added in the presentation section a choice field to enable or disable the member:

    table members {
        editchoice addr display "large" tcl {
            package require iapp 1.0.0
            return [iapp::get_items ltm node]
        }
        string port display "small" required default "80" validator "PortNumber"
        string connection_limit display "small" required default "0" validator "NonNegativeNumber"
        optional ( lb_method == "ratio-member" ||
                   lb_method == "ratio-node" ||
                   lb_method == "ratio-session" ||
                   lb_method == "ratio-least-connections-member" ||
                   lb_method == "ratio-least-connections-node" ||
                   lb_method == "dynamic-ratio-member" ||
                   lb_method == "dynamic-ratio-node" ) {
            string ratio default "1" validator "NonNegativeNumber" display "small"
        }
        optional ( options.advanced == "yes" && use_pga == "yes" ) {
            string priority default "0" required validator "NonNegativeNumber" display "small"
        }
        optional ( options.advanced == "yes" ) {
            choice state display "xlarge" default "enabled"
        }
    }

The pool is configured with this statement in the template:

    array set pool_arr {
        1,0 { [iapp::conf create ltm pool ${app}_pool \
                [iapp::substa pool_ramp_pga_arr($advanced,$do_slow_ramp,$do_pga)] \
                [iapp::substa pool_lb_queue_arr($advanced)] \
                [iapp::substa monitor_arr($new_pool,$new_monitor,$advanced)] \
                [iapp::pool_members $::pool__members]] \
              [iapp::conf modify ltm pool ${app}_pool \
              ]
        }
        0,0 { [expr { $::net__server_mode ne "tunnel" ? \
                $::pool__pool_to_use : $::pool__pool_to_use_wom }]
        }
        * { none translate-address disabled }
    }

As the pool members are configured with the "iapp::pool_members" routine, it would be best if this configures the state of the member too. I haven't found the source of this routine so I don't know if it is capable of doing this. Is there any documentation on the iapp:: namespace and its source code?

If the routine is not capable of setting the state - any ideas on how to configure the member state besides iterating over the $::pool__members variable?

Greetings, Eric

280 Views, 0 likes, 2 Comments

F5 automated backup script not removing ucs archives/executing post copy clean up commands.
I've installed the https://devcentral.f5.com/codeshare/complete-f5-automated-backup-solution components and when utilizing the scp option have noticed that, although the archives do get copied to remote storage, the /var/local/ucs archives are not being cleaned up. I've seen posts which recommend changing from

    exec rm -f BACKUPDIRECTORY/$fnameBACKUPFILESCRIPTEXTENSION

to

    exec rm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION

which did not help.

To me it appears that once the call to execute the bash script, which handles the scp, is performed it never properly returns back to the calling script. I'm basing this on the fact that neither the /var/local/ucs archives nor the /var bash script are ever cleaned up. The commands to remove them immediately follow the call to the bash script.

I've modified the command that builds the scp.sh bash, appending the clean up commands to the end of it, so that the clean up happens w/in the bash script before it returns back to the calling script.

Before:

    exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\trm -f /var/tmp/scp.key\n\treturn \$?\n}\n\nput" > $scriptfile

After:

    exec echo -e "put()\n{\n\tfields=\"username server directory\"\n\ti=1\n\tf5masterkey=\$(f5mku -K)\n\tfor current_field in \$fields ; do\n\t\tsedcommand=\"\${i}p\"\n\t\tcurrent_encrypted_value=\$(sed -n \"\$sedcommand\" $configfile)\n\t\tcurrent_decrypted_value=\$(echo \"\$current_encrypted_value\" | openssl aes-256-ecb -salt -a -d -k \$f5masterkey)\n\t\teval \"\$current_field=\$current_decrypted_value\"\n\t\tlet i=\$i+1\n\t\tunset current_encrypted_value current_decrypted_value sedcommand\n\tdone\n\tsed -n '4,\$p' $configfile | openssl aes-256-ecb -salt -a -d -k \$f5masterkey > /var/tmp/scp.key\n\tchmod 600 /var/tmp/scp.key\n\tscp -i /var/tmp/scp.key BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION \${username}@\${server}:\${directory}\n\tcp /var/tmp/scp.key /var/tmp/scp.key.bak\n\trm -f /var/tmp/scp.key\n\trm -f BACKUPDIRECTORY/${fname}BACKUPFILESCRIPTEXTENSION\n\trm -f $scriptfile\n\treturn \$?\n}\n\nput" > $scriptfile

This seems to work but I was wondering if anyone else has encountered this issue and has a better solution?

690 Views, 0 likes, 1 Comment

Exchange 2016 iApp Template v1.0.2 and the current RC
I'm trying to use the Exchange 2016 iApp. When I try to create the Application Service, it throws the following error:

    Error parsing template:can't eval proc: "script::run" script does not exist while executing "tmsh::run_proc avr" (procedure "script::run" line 1) invoked from within "script::run" line:1 !

I'm a newb with BIG-IP, but all the other templates in the iapps 1.0.0.492.0 download work fine.

457 Views, 0 likes, 6 Comments

F5 iApp Exchange 2016 AD - Authentication Fail - UPN suffix mismatch
Hi Everybody

We are in the process of deploying Exchange 2016 / Outlook 2016 with F5 v11.6.0 (build 4.0.420) and APM. Our reference is the Exchange 2016 deployment guide (https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2016-dg.pdf). We are using the latest iApp. Without APM it seems to be working fine, but as soon as we enable APM we are having authentication problems with Outlook Anywhere.

When we start Outlook 2016, it tries to authenticate using UPN firstname.lastname@company.com. The internal domain used however is company.local instead of company.com. So we are running into the problem described here (https://support.f5.com/csp/article/K12252), where UPN suffix does not equal domain suffix. I get the same error "... Please verify Active Directory and DNS configuration...." when doing a manual adauth test via CLI.

We cannot seem to get the workaround described to work (replace APM AD Auth with LDAP). Does anybody have a reference or can tell me if it is even possible to configure the APM (i.e. modify the iApp) to use LDAP instead of AD Auth with SSO in this scenario?

Any advice would be greatly appreciated. Thanks in advance.

Ingo

376 Views, 0 likes, 1 Comment

iApp missing smartcard authentication section in the deployment guide for Horizon View
We have a pair of 6900s in an HA configuration with fully licensed APM and LTM. I want to use the f5.vmware_view.v1.5.0rc1 iApp for Horizon view. It loads fine but omits the whole section on smartcard authentication in the APM section of the accompanying deployment guide. This is a critical feature that we need for this implementation. The rest of the APM questions appear as they do in the guide. How can I get the iApp to show this section?

286 Views, 0 likes, 3 Comments