Forum Discussion

kevin_flynn_180
Aug 10, 2016

securing ssh with apm

Hey guys, Interesting idea I was presented with the other day. As an organization, we have pushed hard for MFA. We try to use it for new external apps, sites, etc.

 

However, I just came up against a new one. A customer has a requirement to SSH to a server from the Internet; no problem, I can proxy that. But how can we MFA that? Yes, DUO has a plugin that can handle it, BUT someone will have access to that server directly.

 

I want to try and control access with APM and my initial thought was some type of network access webtop. Only 'issue' is, you guessed it, port 22. Can I / is it possible, that if someone tries to SSH in on 22, a 'popup' or dialog is created via APM prompting them for credentials and their DUO token?

 

15 Replies

  • No, I don't believe you can just put something in the middle of an SSH session. You could put up a webtop that sets up an application tunnel for 22, but that requires a different workflow.

     

    AFM does provide an SSH proxy now, but that remains limited and doesn't add authentication methods as far as I can see.

     

    http://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/13.html

     

  • Bill_Church_988
    Historic F5 Account

    I have a solution around this but it's not quite public yet. Send me a PM and I can email you off forum if you're interested.

     

    • SanjayP

      Dear Bill,

       

      I'm having a similar requirement of securing SSH access of a back-end Linux server using APM. Please let me know the email ID where I can contact you.

       

    • Stan_Ward

      Bill, I have the same requirement. Has anything been published, or can you tell me how to contact you?

       

      Thanks,

       

      Stan

       

  • There is an SSH profile to control SSH sessions; it is new in 12.1. It belongs to the AFM.

     

  • Is this item already public? I need to deploy exactly this, but I have no info to PM Bill.

     
