ssh (25 topics)

Using the WAF instead of a jump server for ssh-tunneling?
Hello everyone,

This is how it works at the moment: We go from server A, in the internal network, with a public IP via ssh to a jump server in the DMZ. From the jump server we then go on to server B in the secure zone. I am relatively new to this and have been given the task of seeing if the WAF can replace the jump server. We use Advanced Web Application Firewall, r2600 with BIG-IP 17.1.1.3. Is this possible and what do we need for it?

Thank you in advance for your help!

Best regards.

Connecting to F5 using SSH via Ansible
I am in the process of writing a playbook which uses SSH to connect to F5 and run a bash command (ntpdate -d time_server) to confirm NTP connectivity across the environment. For SSH I am using root. Here is the task that I have in the playbook:

    - name: "Check NTP on {{override_host}}"
      vars:
        ansible_connection: ssh
        ansible_user: "root"
        ansible_password: "{{root_pwd}}"
        ansible_ssh_private_key_file: "~/.ssh/f5-ansible-ssh"
        # ansible_python_interpreter is not set here, so Ansible uses the
        # interpreter path it discovers (or its default) on the target
      command:
        cmd: ntpdate -d {{item}}
      loop: "{{new_ntp_servers}}"
      register: ntp_status

The error message that I get is as follows:

    MSG: The module failed to execute correctly, you probably need to set the interpreter.
    See stdout/stderr for the exact error
    MODULE_STDOUT:
    /bin/sh: /usr/local/bin/python3.9: No such file or directory
    MODULE_STDERR:
    ******************************* IMPORTANT NOTE ******************************
    Banner
    *****************************************************************************
    Shared connection to ltm closed.

Any help would be greatly appreciated...

Setting up Forwarding IP VS on LTM to route SSH traffic
I am trying to route SSH traffic through a LTM onto a subnet. This is a prototype setup and so is slightly restrictive in that I have only one public IP address for external traffic to come into the LTM (which is a LAB license setup); behind this I have an "outer" n/w where I have a jump server and a web server and an "inner" n/w where I have app servers. I have set up HTTP virtual servers and have an iRule to route HTTP traffic to the appropriate web server virtual IP address and on to an app server if needed. So in this setup I am attempting to route SSH requests via the single external IP address into the outer n/w layer. I have tried a network-based forwarding IP VS, to no avail. Example VS definition:

    ltm virtual SSH-Forwarding-VS {
        description "Virtual Server for routing SSH traffic"
        destination 0.0.0.0:ssh
        ip-forward
        ip-protocol tcp
        mask any
        profiles {
            lab-forwarding-fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vs-index 11
    }

Yet all that I succeed in achieving is opening a SSH session with the actual LTM itself :-(

I used this as a reference: http://packetpushers.net/stateless-routing-f5-ltm/

This prototype environment has been created in the AWS cloud, so the VPC, subnets and security groups have been set up to allow the traffic through. Any suggestions appreciated, thanks!

gtm_add fails on SSH connection
BIG-IP running 11.5.1 HF8.

When creating a GTM failover pair the process falls down when I run the gtm_add on the secondary unit:

    ssh: connect to host 10.10.22.2 port 22: Connection refused
    ERROR: Can't read remote cert via /usr/bin/ssh.

The Big-IPs have three interfaces: Management, HA and External. I want to set up the GTM pairing between the External interfaces as this is also the interface that will be used for the connection between the datacentres. I can ping the IP address. I can SSH to the other two interfaces. SSH is allowed and all IP addressing is allowed. But when I try to SSH from one to the other on the External interface the connection is refused.

    sys sshd {
        allow { ALL }
        banner disabled
        banner-text none
        description none
        inactivity-timeout 0
        include none
        log-level info
        login enabled
    }

The only hardware between the two devices is a switch stack.

How to pass client IP onto access logs for TCP (port:22) connections?
We have Bitbucket installed and we would want to capture the client IP address for every SSH git operation. We were able to capture the client IP for HTTP git operations. We have Apache httpd configured and we added the following configuration to make it work (under the "IfModule log_config_module" section):

    RemoteIPHeader x-client-ip
    RemoteIPInternalProxy
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %% %T %D" combined
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %% %T %D SSL: %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined-ssl

By this, we're able to capture the client IP for all HTTP git operations. But we're not able to get the client IP for SSH git operations. Currently, it is capturing the LTM IP in the access logs.

SSH-proxy and keyboard interactive authentication not working
I am trying to test the SSH proxy functionality of AFM, but I am not succeeding at all. I am aiming for keyboard interactive authentication (username/password), but all I get is "Authentication failed."

For my test setup I have followed this to the letter: https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.print.html (Section: Defining SSH proxy password or keyboard interactive authentication)

My setup goes: 10.128.1.1 --> 10.128.10.100 (VS with SSH-proxy profile) --> 10.128.10.128 (backend server)

Direct SSH 10.128.1.1 ---> 10.128.10.128 works just fine.

If I go through the virtual BIG-IP on 10.128.10.100 I get:

    debug1: Host '10.128.10.100' is known and matches the RSA host key.
    debug1: Found key in /Users/testuser/.ssh/known_hosts:4
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /Users/testuser/.ssh/id_rsa
    debug1: Trying private key: /Users/testuser/.ssh/id_dsa
    debug1: Trying private key: /Users/testuser/.ssh/id_ecdsa
    debug1: Trying private key: /Users/testuser/.ssh/id_ed25519
    debug1: Next authentication method: keyboard-interactive
    Authentication failed.

I have taken the public key from the backend server /etc/ssh/ssh_host_rsa_key.pub and placed a copy in the "Real Server Auth Public Key" field. I have taken a private key generated on the virtual BIG-IP, using ssh-keygen, and placed a copy in the "Proxy Server Auth Private key" field. I made sure that HostKey /etc/ssh/ssh_host_rsa_key is not commented out on the backend server.

According to the article linked to above, it should now work, but it does not. Can anyone help me?

Golang SSH script for F5?
I am testing a small program written in Go to SSH into an F5 and do some work, but I am still getting a failure to connect. Has anyone else run into a similar issue? Code is below:

    package main

    import (
        "bytes"
        "fmt"
        "log"

        "golang.org/x/crypto/ssh"
    )

    func main() {
        devices := make([]string, 0)
        devices = append(devices, "xxxxxx:22")

        // An SSH client is represented with a ClientConn.
        //
        // To authenticate with the remote server you must pass at least one
        // implementation of AuthMethod via the Auth field in ClientConfig.
        config := &ssh.ClientConfig{
            User: "xxxxxxx",
            Auth: []ssh.AuthMethod{
                ssh.Password("xxxxxxxx"),
            },
            // InsecureIgnoreHostKey accepts any host key, so the connection is
            // not protected against a spoofed server; use ssh.FixedHostKey or a
            // known_hosts-based callback outside of testing.
            HostKeyCallback: ssh.InsecureIgnoreHostKey(),
        }

        for _, d := range devices {
            client, err := ssh.Dial("tcp", d, config)
            if err != nil {
                log.Fatal("Failed to dial: ", err)
            }

            // Each ClientConn can support multiple interactive sessions,
            // represented by a Session.
            session, err := client.NewSession()
            if err != nil {
                log.Fatal("Failed to create session: ", err)
            }

            // Once a Session is created, you can execute a single command on
            // the remote side using the Run method.
            var b bytes.Buffer
            session.Stdout = &b
            if err := session.Run("ls -l"); err != nil {
                log.Fatal("Failed to run: " + err.Error())
            }
            fmt.Println(b.String())

            err = session.Close()
            if err != nil {
                fmt.Printf("Failed to close session for %v\n", d)
            }
            // Release the underlying connection before moving to the next device.
            client.Close()
        }
    }

APM App Tunnel solution for SSH access by multiple users
Hi,

We're trying to find a way to set up an APM App Tunnel for SSH access by multiple users (Windows or Linux) using authentication keys. We've already checked that it works with a single user (Windows user) and authentication key. As the plan for the production setup, we need to set up the same APM App Tunnel for SSH access, but the SSH will be accessed by multiple users using their login IDs and authentication keys. I guess the Parameters on the App Tunnel setup would be the part where this could be made to work, but I am not sure. Does anyone have any idea how to make this work?

SSH access through App Tunnel
Hi,

I am trying to access SSH to a target server using App Tunnel. The SSH server authenticates using an authentication public key, not normal password-based authentication. I already generated authentication keys, registered them on the SSH server and imported the key in PuTTY. The PuTTY error shown in the snapshot below appeared when tested, which I guess is regarding an authentication key issue. In this environment, how can I set up App Tunnel, especially the Launch Application section?