aplovich_252762
Aug 19, 2016 (Nimbostratus)
Question on using STREAM to detect login failures
We use our F5 to load-balance Exchange (IMAP, POP3, SMTP, ActiveSync); however, since we're using SNAT, our Exchange servers report login failures that associate the F5's SNAT IPs with the failing user (not helpful). We'd like to know which user is failing logins, and from what IP.
The easiest solution seems to be switching to a 2-armed network, with the F5s as the gateway. However the current design is entrenched, so we can't make this change.
After some searching I found out about the STREAM:: iRule expression, and figured I could use this to log when an email client fails authentication.
Thinking the workflow would work like so:
- CLIENT_CONNECTED, start STREAM and search for a specific login string (i.e. IMAP "a1 LOGIN USERNAME").
- once found, stash the USERNAME in a variable.
- SERVER_CONNECTED, stream is already enabled? so search for a specific deny message from the server.
- if the deny message is found, log the client::IP, USERNAME, and protocol (smtp, imap, etc.) to syslog.
- disable the stream to ensure it stops using resources.
Questions:
- Once enabled, does STREAM search both sides (client/server) of the TCP connection?
- Do I need to make two STREAM::expression statements, one in CLIENT_CONNECTED and another in SERVER_CONNECTED, or should I just specify one statement with both the LOGIN and auth failure strings?
- Does anybody have any thoughts on doing it this way?
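The workflow described in the post, written out as an IMAP-only iRule; this is an added example, not code from the original post or from F5. It assumes a stream profile is attached to the virtual server, that the IMAP traffic is cleartext at the BIG-IP (SSL terminated there; the stream filter cannot see inside TLS), and that Exchange answers a failed LOGIN with a tagged "NO" reply; event names follow the iRule API (CLIENT_ACCEPTED rather than CLIENT_CONNECTED), and the log line format is my own.

```tcl
# Added example, not from the original post. Assumptions: a stream profile on
# the virtual server; IMAP visible in cleartext to the BIG-IP; the server
# rejects a bad LOGIN with a tagged "NO" reply ("a1 NO ..."). Event names
# follow the iRule API (CLIENT_ACCEPTED, not CLIENT_CONNECTED).
when CLIENT_ACCEPTED {
    # Per-connection state: the tag and username of the last LOGIN seen.
    set login_tag ""
    set login_user ""
    # One expression, two patterns. The stream filter inspects both directions
    # of the TCP connection, so the client's LOGIN and the server's tagged NO
    # reply both arrive through STREAM_MATCHED. A trailing "@@" is an empty
    # default replacement; the match is passed through unchanged below.
    # "NO " (with the trailing space) avoids matching the client's NOOP command.
    STREAM::expression {@[A-Za-z0-9]+ LOGIN [^ ]+@@ @[A-Za-z0-9]+ NO @@}
    STREAM::enable
}

when STREAM_MATCHED {
    set m [STREAM::match]
    # Inspect only: put the matched bytes back so nothing is rewritten.
    STREAM::replace $m

    if { [regexp -nocase {^([A-Za-z0-9]+) LOGIN (\S+)} $m -> login_tag login_user] } {
        # Client side: remember which tag this LOGIN attempt used. The
        # username may be an IMAP quoted string, so drop surrounding quotes.
        set login_user [string trim $login_user "\""]
        return
    }
    if { [regexp -nocase {^([A-Za-z0-9]+) NO } $m -> reply_tag] } {
        # Server side: only a NO whose tag matches the LOGIN we saw counts, so
        # an unrelated NO (e.g. to a later SELECT) is not logged as an auth
        # failure. Tags are compared case-insensitively.
        if { $login_user ne "" && [string equal -nocase $reply_tag $login_tag] } {
            log local0. "imap auth failure client=[IP::client_addr]:[TCP::client_port] vs=[IP::local_addr]:[TCP::local_port] user=$login_user"
            # Step 5 of the workflow: stop inspecting this connection once the
            # failure is recorded. Remove this line (and clear login_user /
            # login_tag instead) to also log retries on the same connection.
            STREAM::disable
        }
    }
}
```

Clients that authenticate with AUTHENTICATE PLAIN or NTLM instead of LOGIN send the username base64-encoded, so they need their own pattern and decoding step; the tag-matching idea above still applies to their tagged NO reply.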