Forum Discussion

hung_105573
Oct 02, 2012

BigIP F5 (LC, LTM) crashed

Hi all

I'm new to F5. At the moment, my F5 crashed after running for 2 days. I cannot access the F5 via the management interface, and the status LED is flickering yellow.

I don't know why.

Please help me find the reason, and how can I find it?

Thanks all

7 Replies

  • I think you had better open a support case and submit a qkview.
  • Hi all

    After my F5 crashed, I looked at the log and saw that a lot of users tried SSH access to my F5, and I saw user root access my F5, and after that the F5 shut down (halt) on behalf of root at time 3.50 (please see the attached picture).

    Please help me: who is attacking my F5?

    Thanks all
  • If you think you are under attack via SSH you could a) Restrict SSH access to specific IP addresses, b) change the external Self-IP(s) Port Lockdown setting to Allow None, c) change the root user password and d) disable SSH access for the root user
  • Hi Hung,

    If you suspect that your BIG-IP was compromised, I would do as WLB suggested and prevent any access to HTTPS and SSH from untrusted networks. It's then critical to reinstall the OS on all partitions to ensure the units are no longer suspect. If you have a known good UCS backup from before the attack, you can restore the configuration from there. Else, you could save the current config and load select portions (bigip.conf/bigip_base.conf) after reinstalling the OS and hand checking the config is still valid.

    Make sure that after you reinstall, you either upgrade to a current version or manually protect the units per:

    SOL13600 - SSH vulnerability CVE-2012-1493

    https://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html

    Aaron
  • Hi all

    Given the information I posted (please see the attached files), could you tell me: has my F5 been attacked? And who logged in to my F5 with the root account and executed the HALT command to make my F5 hang?

    Please help me

    Thanks all!
  • Hi Hung,

    Please open a support case on this issue. I expect you'll want to follow the steps I outlined above, but F5 Support can confirm based on your specific logs.

    Aaron
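
An added example, not part of any post in this thread and not F5 code: a short Python triage of SSH authentication log lines of the kind discussed above. It counts failed attempts per source address, lists accepted root logins with their authentication method, and pairs each shutdown with the root login that preceded it. The log lines are constructed in standard OpenSSH syslog format; the hostname `bigip1`, the addresses and the function name `triage` are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in standard OpenSSH/syslog format; hostname and
# addresses (documentation ranges) are made up, not taken from the thread.
SAMPLE_LOG = """\
Oct  2 03:41:10 bigip1 sshd[4101]: Failed password for invalid user admin1 from 203.0.113.7 port 40112 ssh2
Oct  2 03:41:14 bigip1 sshd[4103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct  2 03:42:02 bigip1 sshd[4110]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Oct  2 03:47:31 bigip1 sshd[4150]: Accepted publickey for root from 203.0.113.7 port 40188 ssh2
Oct  2 03:50:05 bigip1 shutdown[4203]: shutting down for system halt
"""

TS = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ "
SSHD = re.compile(TS + r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
                  r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
HALT = re.compile(TS + r"shutdown\[\d+\]: shutting down")


def triage(log_text):
    """Return (failed attempts per source IP, accepted root logins, shutdowns)."""
    failed, root_logins, shutdowns = Counter(), [], []
    for line in log_text.splitlines():
        m = SSHD.match(line)
        if m and m["result"] == "Failed":
            failed[m["ip"]] += 1
        elif m and m["user"] == "root":
            # Record how many failures this source produced before it got in.
            root_logins.append({"time": m["ts"], "ip": m["ip"],
                                "method": m["method"],
                                "prior_failures": failed[m["ip"]]})
        elif HALT.match(line):
            # Pair the shutdown with the most recent root login before it.
            shutdowns.append({"time": HALT.match(line)["ts"],
                              "last_root_login": root_logins[-1] if root_logins else None})
    return failed, root_logins, shutdowns


if __name__ == "__main__":
    failed, root_logins, shutdowns = triage(SAMPLE_LOG)
    for ip, count in failed.most_common():
        print(f"{count:3d} failed attempts from {ip}")
    for login in root_logins:
        print("root login:", login)
    for event in shutdowns:
        print("shutdown:", event)
```
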
  • Posted By hoolio on 10/06/2012 09:00 AM

    Hi Hung,

    Please open a support case on this issue. I expect you'll want to follow the steps I outlined above, but F5 Support can confirm based on your specific logs.

    Aaron

    Hi Aaron

    I have an iRule for users' outbound traffic going to the internet:

    when LB_SELECTED {
        # SNAT to the public address that matches the selected gateway pool member
        switch [LB::server addr] {
            "118.69.221.x" { snat 118.69.222.x }
            "118.69.221.y" { snat 118.69.223.y }
            "222.255.64.z" { snat 222.255.77.z }
            default {
                # do something
            }
        }
    }

    118.69.221.x, 118.69.221.y and 222.255.64.z are members of the default gateway pool.

    118.69.222.x, 118.69.223.y and 222.255.77.z are the available public IPs.

    This iRule is applied under the outbound virtual server 0.0.0.0/0.0.0.0.

    Could you tell me whether this iRule will work fine?

    Please help me

    Thanks all