SFTP file existence monitor
Problem this snippet solves: SFTP file existence monitor How to use this snippet: This monitor definition allows for a monitor to connect to a SFTP server and check for the existence of a file using username/password. Written for a specific implementation where they wouldn't use key pairs, plus it turns out that curl on F5's was compiled with sftp support disabled, so I had to use expect instead. It's based off of the default sample_monitor. Create a monitor definition with 3 variables: $monitor_sftp_USER = Username of SFTP server $monitor_sftp_PASS = Password for $monitor_sftp_USER $monitor_sftp_STRING` = String/Filename to search for I have also written a modified version whereby you can encrypt the password manually using the unit master-key and add that as the password variable, which I can post if wanted. Code : #!/bin/sh # # (c) Copyright 1996-2006, 2010-2013 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc. No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software. No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc. Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: //depot/maint/bigip12.1.1/tm_daemon/monitors/sample_monitor#1 $ # # # these arguments supplied automatically for all external pingers: # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # # The following must all be set as variables in the monitor definition # $monitor_sftp_USER = Username of SFTP server # $monitor_sftp_PASS = Password for $monitor_sftp_USER # $monitor_sftp_STRING` = String/Filename to search for # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # # Name of the pidfile pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" # Send signal to the process group to kill our former self and any children # as external monitors are run with SIGHUP blocked if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile # Remove the IPv6/IPv4 compatibility prefix node_ip=`echo $1 | sed 's/::ffff://'` # Using expect and sftp to get directory listing from the server. # Search the data received for the expected string. expect -c " spawn sftp -oStrictHostKeyChecking=no -oPort=$2 $monitor_sftp_USER@$node_ip; expect \"password:\"; send $monitor_sftp_PASS\r; expect \"sftp>\"; send \"ls -l\r\"; expect \"sftp>\"; send \"exit\r\" " | grep $monitor_sftp_STRING > /dev/null status=$? if [ $status -eq 0 ] then # Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" fi # Remove the pidfile before the script ends rm -f $pidfile Tested this on version: 12.1
SFTP External Monitor fails but manual script execution succeeds
Hi, I've been working on setting up an SFTP monitor for some time now. I'm getting really close but there's one thing left that I'm having a hard time understanding and is just not working as expected. Here is the base script: !/bin/bash IP=`echo ${1} | sed 's/::ffff://'` PORT=${2} sftp -o Port=${PORT} -b /home/ext_monitor/cyclone/sftpmonitor.input sftpMonitor@${IP} | grep 'IB' 2>$1 > /dev/null mark node UP if expected response was received if [ $? -eq 0 ] then echo "UP" fi When I upload this script to the F5 and execute it manually (using IP and Port arguments in-line) it works just fine. What I'm trying to do is attach this to the pool level; there are 4 pool members and my understanding is the first two variables ($1 (ipv6 address) and $2 (port)) are auto-populated by the F5 when it tries connecting in the external monitor, but the monitor was failing. Next, I modified the script a bit so that instead of using IP and PORT variables, I just hard-coded one of the pool member information and attached the monitor at the pool member level, but that also failed. Any assistance I could get would be very appreciated... I feel like I'm very close and just missing a couple key things here. Here's the current monitor configuration: ltm monitor external external-sftp-cyclone { defaults-from external destination *:* interval 5 run /Common/external-cyclone-sftp-2022 time-until-up 0 timeout 16 } Also, in case it is relevant: I do also have a tcp monitor attached alongside it as I cannot risk the pool member going down at this time while I test this.
Issue with SFTP Connection - Forward Proxy
Hi All, I am facing issue with SFTP forward proxy virtual server. I have this VS with below details: Source: 10.244.0.0/16 Destination: 0.0.0.0/0 Dst Port: 8822 irule --> which redirects the connection to port 22 there are many other SFTP applications running smoothely except one on which Vendor 3Econ.com applied security patch named Serv-U post that our application team is facing issue. I had taken packet captures however there is nothing suspicious about F5. Is any anyone faced such issue after update of Serv-U patch on SSH servers. Below is the links shared by vendor regarding the patch. Below is a link to the “Release Notes” for ServU 15.3.1 and 15.3.2 Please review https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3-2_release_notes.htm https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3-1_release_notes.htm Supported Key Exchange, SSH Ciphers and SSH MACs for ServU Key Exchange (KEX), SSH ciphers and SSH MACs supported in Serv-U (solarwinds.com) If anyone can help me what I can check, will be really helpful also if needed I can share wireshark captures. TIA, Ashish SolankiSecurity offload for SFTP
What's the latest status about offloading SFTP/SSH? Is this still not possible? I'm looking for an alternative solution to offload some security features for SFTP, because due to SNAT the server only sees the LBs IP-address and therefor can't use this for the blacklist. Disabling SNAT and having the LB as DFGW for the server is not an option. And as SFTP doesn't support and kind of XFF, I was wondering if I can use any nice iRule to check for not allowed usernames or the number of failed login attempts. We also have only LTM module available. Thanks for any ideas or further information! Regards Stefan 🙂
iRule to restrict SFTP by name
I'm needing a treatment by iRule so I accept SFTP connections just by name. For example, a request for "sftp.domain.com" should refer to the pool named pool_sftp_port22. I have seen that more people with special needs have not yet been found in a solution. The version of my BigIP LTM is 11.6.0.
SFTP decryption?
I've seen old answers about SFTP decryption not being possible, but I want to check if that is still the case. I'm on 11.5.3, but would also like to know if something newer would make it possible. I would re-encrypt it to the pool member, but want to log some text from the session via an iRule.SFTP decryption?
I've seen old answers about SFTP decryption not being possible, but I want to check if that is still the case. I'm on 11.5.3, but would also like to know if something newer would make it possible. I would re-encrypt it to the pool member, but want to log some text from the session via an iRule.Log source IP address
Hi We have a FTP and SFTP Server farm load-balanced by GTM and LTM appliances. since it is FTP (port 21) and SFTP (port 22), the clients/source that tries to connect to the Wide IP (gslb site) pass through the GTM and LTM (based on the load-balancing methods) ends up in any of the server nodes as designed. However, since the LTM VIP is the one that connects to the Server nodes (within the pool), these End Server Nodes see the LTM VIP IP as the source IP and has no trace of the actual connecting source IP Addresses. we did some research and it looks like the source IP can be traced/logged through the http headers for http traffic and not possible for FTP or SFTP Traffic. Can someone please suggest any option where, 1. Either the Destination Servers can retrieve and log the Source IP Addresses 2. Or atleast if the LTM can log the Source IP address with Time stamps. thank you in advance! -- NirmalSFTP Scripting
Using the BIG-IP client I'd like to script a batch file to copy several files to an SFTP server. I have seen some posts in the forum but none of them mention on where to supply a password in the statement. I have seen the below but I don't see how I can supply a password. scp /path/to/localfile user@host:/path/to/dest Any help is greatly appreciated.
