Technical Tip: How to prevent brute force attempts to a FortiGate administrator account login
Description
A brute force attempt (or attack) against the administrator account login can be recognized by the following log events, seen repeatedly and/or in quantity (assuming Event logging and Admin events are enabled):
Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name.
After a few failed log messages, the following message will be seen:
Login disabled from IP xxxx for 60 seconds because of too many bad attempts.
In most cases, these logon attempts are generated by automated attack tools running on many compromised computers, scanning for live SSH targets to exploit known vulnerabilities and/or perform password brute force.
This article describes how to prevent this.
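As an added example (not part of the Fortinet article), the following Python script scans the two event-log messages quoted above, counts failed administrator logins per source IP, notes which sources were already locked out, and flags anything outside an assumed trusted LAN prefix; the log lines are constructed samples with documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of FortiGate event-log messages (msg field only); not real logs.
SAMPLE_LOG = """\
msg="Administrator root login failed from ssh(192.0.2.10) because of invalid user name"
msg="Administrator root login failed from ssh(192.0.2.10) because of invalid user name"
msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"
msg="Login disabled from IP 192.0.2.10 for 60 seconds because of too many bad attempts"
msg="Administrator admin login failed from ssh(198.51.100.7) because of invalid user name"
msg="Administrator netops login failed from https(10.0.0.5) because of invalid password"
"""

# Patterns follow the message wording shown in the article.
FAILED_RE = re.compile(
    r'Administrator (?P<user>\S+) login failed from (?P<method>\w+)\((?P<ip>[\d.]+)\)'
)
LOCKOUT_RE = re.compile(r'Login disabled from IP (?P<ip>[\d.]+) for (?P<secs>\d+) seconds')


def summarize(log_text, threshold=3, trusted_prefixes=("10.",)):
    """Return {ip: {...}} for sources with >= threshold failures or an existing lockout.
    trusted_prefixes is an assumed LAN range, mirroring the trusted-hosts advice."""
    failures = Counter()
    users = defaultdict(set)
    lockouts = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = LOCKOUT_RE.search(line)
        if m:
            lockouts.add(m["ip"])
    suspicious = {}
    for ip, n in failures.items():
        if ip.startswith(trusted_prefixes):
            continue  # skip assumed trusted/LAN sources
        if n >= threshold or ip in lockouts:
            suspicious[ip] = {"failures": n, "users": sorted(users[ip]),
                              "locked_out": ip in lockouts}
    return suspicious


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Sources that reach the threshold or were locked out are candidates for a trusted-host restriction or a local-in deny policy as described in the Solution section.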
Scope
FortiGate.
Solution
- Set Trusted hosts to allow connection only from known and trusted IP addresses.
From the GUI, go to System -> Administrators, edit the required account, and set the trusted hosts (a single host or a whole subnet) that are allowed to connect to the FortiGate.
- Change the SSH and HTTPS ports from the defaults (22 and 443) to non-default higher ports.
From the GUI, go to System -> Settings, and edit the SSH port (set for example to 2202) and HTTPS port (set for example to 10500).
- Increase the lockout duration to deter less patient attackers.
config system global
    set admin-lockout-duration 600 <----- Default value is 60 seconds.
end
- Use long and complex passwords.
Do not use dictionary words and trivial key combinations such as 'qwerty'.
Force strong admin passwords by setting the password policy from System -> Settings -> Password Policy.
- Remove the account named 'admin' after having created other account(s) with a super_admin profile.
- Configure a local-in policy to block administrative access from attackers or malicious IPs trying to get into the FortiGate. To configure the local-in policy, follow the steps in this article: Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access of FortiGate.
Even if admin access is limited strictly to the LAN interface, admin logins will still appear in the Security Event logs.
The local-in policy for the external interface is defined as follows:
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr all
set dstaddr all
set action deny
set service HTTPS HTTP SSH
next
end
This will allow access only from within the network.

Note: Starting with FortiOS v7.6.0, the local-in policy can also be configured in the GUI. Refer to this KB article: Technical Tip: Creating a Local-In policy (IPv4 and IPv6).
Starting with FortiOS v7.4.4, local-in policies can also use the Internet Service Database (ISDB) to block traffic from known malicious sources, including botnet infrastructure, phishing hosts, anonymous VPN providers, proxy services, Tor nodes, and bulletproof hosting providers. See Technical Tip: Local-in policy using ISDB as a source address.
- Implement two-factor authentication to add an extra layer of security by requiring a second form of authentication. Follow the steps outlined in Technical Tip: How to activate FortiToken manually for admin account.
- Enable administrative access only on the interface(s) that a legitimate administrator will use, and disable administrative access on all others. Refer to Technical Tip: How to configure administrative access on a FortiGate interface.
Note: If possible, it is highly recommended to disable any access from the public-facing interface, as this is where most brute-force attempts are executed.
Related articles:
- Technical Tip: How to delete or rename the default 'admin' user
- Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access of FortiGate
- Technical Tip: System administrator best practices
- Technical Tip: Recommendations and common scenarios for Administrator access on FortiGate
- Technical Tip: Block FortiGate Administrator Login with an automation stitch in the event of 3 consecutive failed login attempts (logid 32021)