Forum Discussion

Amit585731
May 13, 2015

Vulnerability scanner not able to scan F5 LTM

Hi All,

 

We are trying to run a vulnerability scan on the F5 LTM using the McAfee vulnerability scanner on port 22 of the LTM management IP. But the team is saying their scanner is not able to log in to the LTM, although they are able to log in using the same account when they SSH. TACACS is already configured. Any suggestions? To do a vulnerability scan, do we need to scan another port, or how are you guys doing it in your environment?

 

3 Replies

  • Based on this McAfee KB, "Minimum permissions required to run Shell Module vulnerability checks in Vulnerability Manager", I believe you need to ensure that the account used by TACACS is not set to use the tmsh shell, but is set to use "advanced shell" or "bash".

     

    SOL12029: Accessing the Traffic Management Shell

     

    This may be difficult in certain versions of F5 with a TACACS group user; distributed auth group users are not allowed to have "advanced shell". I would ensure that the TACACS user is a named account with administrative rights, and verify you can change the terminal access to "advanced shell" or "bash".

     

    • Amit585731
      Hi AWS, thanks for the response. I am able to log in to the LTM shell using the MVM scanner ID, but while running the scan it shows that it is not able to log in to the device. Below is the log I am seeing in the log and secure files:

      ltm file log

      May 13 16:44:03 Internal info sshd[31179]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
      May 13 16:44:03 Internal info sshd[31182]: Did not receive identification string from <>
      May 13 16:44:03 Internal info sshd[31183]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
      May 13 16:44:03 Internal info sshd[31188]: Did not receive identification string from <>
      May 13 16:44:11 Internal info sshd[31197]: Did not receive identification string from <>
      May 13 16:44:20 Internal info sshd[31207]: Accepted keyboard-interactive/pam for from <> port 12033 ssh2
      May 13 16:44:38 Internal info sshd[31231]: Accepted keyboard-interactive/pam for from <> port 12058 ssh2
      May 13 16:47:55 Internal err sshd[31390]: error: PAM: Authentication failure for root from
      May 13 16:48:00 Internal info sshd[31437]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
      May 13 16:48:00 Internal info sshd[31440]: Did not receive identification string from <>
      May 13 16:48:00 Internal info sshd[31441]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
      May 13 16:48:00 Internal info sshd[31446]: Did not receive identification string from <>
      May 13 16:48:08 Internal info sshd[31393]: Connection closed by
      May 13 16:48:08 Internal info sshd[31474]: Did not receive identification string from <>
      May 13 16:48:17 Internal info sshd[31483]: Accepted keyboard-interactive/pam for from <> port 12114 ssh2

      secure file log

      May 13 16:48:28 Internal info sshd(pam_audit)[31483]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:17 2015" end="Wed May 13 16:48:28 2015".
      May 13 16:48:36 Internal alert sshd[31538]: pam_unix(sshd:account): could not identify user (from getpwnam())
      May 13 16:48:36 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015".
      May 13 16:48:36 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015".
      May 13 16:48:47 Internal info sshd(pam_audit)[31533]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015".
      May 13 16:48:47 Internal info sshd(pam_audit)[31533]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:48:36 2015" end="Wed May 13 16:48:47 2015".
      May 13 16:51:14 Internal alert sshd[31756]: pam_unix(sshd:account): could not identify user (from getpwnam())
      May 13 16:51:15 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015".
      May 13 16:51:15 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015".
      May 13 16:51:26 Internal info sshd(pam_audit)[31752]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015".
      May 13 16:51:26 Internal info sshd(pam_audit)[31752]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:15 2015" end="Wed May 13 16:51:26 2015".
      May 13 16:51:33 Internal alert sshd[31779]: pam_unix(sshd:account): could not identify user (from getpwnam())
      May 13 16:51:33 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015".
      May 13 16:51:33 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015".
      May 13 16:51:44 Internal info sshd(pam_audit)[31775]: user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015".
      May 13 16:51:44 Internal info sshd(pam_audit)[31775]: 01070417:6: AUDIT - user - RAW: sshd(pam_audit): user=() partition=[All] level=Administrator tty=ssh host=<> attempts=1 start="Wed May 13 16:51:33 2015" end="Wed May 13 16:51:44 2015".
    • Max_Q_factor
      I can't tell from that log file what shell the AUDIT user is assigned to. Can you verify what version of BIG-IP TMOS you are running as well as the shell assigned to the AUDIT user?
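
Added example (not part of the original thread, and not F5 or McAfee code): a small Python triage of sshd lines in the format posted in the thread, separating connections that never completed the SSH version exchange from the actual authentication and account-lookup results. The sample lines are copied from the posted excerpt; the category names and function names are this example's own.

```python
import re
from collections import Counter

# Sample input: six lines copied from the log excerpt posted in the thread.
SAMPLE = r"""May 13 16:44:03 Internal info sshd[31179]: Bad protocol version identification '\200\200\001\003\001' from UNKNOWN
May 13 16:44:03 Internal info sshd[31182]: Did not receive identification string from <>
May 13 16:44:03 Internal info sshd[31183]: Bad protocol version identification 'GET / HTTP/1.0' from UNKNOWN
May 13 16:44:20 Internal info sshd[31207]: Accepted keyboard-interactive/pam for from <> port 12033 ssh2
May 13 16:47:55 Internal err sshd[31390]: error: PAM: Authentication failure for root from
May 13 16:48:36 Internal alert sshd[31538]: pam_unix(sshd:account): could not identify user (from getpwnam())
"""

# timestamp, host label, severity, sshd[pid] or sshd(pam_audit)[pid], message
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<sev>\w+) "
    r"sshd(?:\(pam_audit\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# First matching rule wins; category names are hypothetical labels.
RULES = [
    ("pre_auth_noise", re.compile(r"Bad protocol version identification|Did not receive identification string")),
    ("login_accepted", re.compile(r"^Accepted \S+ for")),
    ("auth_failure", re.compile(r"PAM: Authentication failure")),
    ("account_lookup_failed", re.compile(r"could not identify user \(from getpwnam\(\)\)")),
]

def classify(msg):
    """Return the category of one sshd message."""
    for name, rx in RULES:
        if rx.search(msg):
            return name
    return "other"

def triage(text):
    """Parse log text into (timestamp, pid, category) tuples, skipping non-sshd lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((m["ts"], m["pid"], classify(m["msg"])))
    return events

def summary(text):
    """Count events per category."""
    return Counter(kind for _, _, kind in triage(text))

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(*event)
    print(dict(summary(SAMPLE)))
```

Filtering out the pre-auth lines leaves only the entries that bear on the login problem: the accepted sessions, the PAM authentication failure, and the getpwnam() account lookups that failed.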