moreira00
New Member
July 14, 2021
Question

Block IP to Black List after SSH Failed Login Attempts

  • July 14, 2021
  • 2 replies
  • 11878 views

Good afternoon,


I'm receiving several attempts to attack my SSH service. I would like to know how I can block an IP (add it to a blacklist) after 3 wrong attempts.


Message meets Alert condition

The following critical firewall event was detected: Admin login failed.

date=2021-07-12 time=22:58:34 devname=XXXXXXXXXXXX devid=XXXXXXXXXXX logid="XXXXXX" type="event" subtype="system" level="alert" vd="root" eventtime=XXXXXXXtz="+0100" logdesc="Admin login failed" sn="0" user="XXXXXXXXXXXX" ui="ssh(XXXXXXX)" method="ssh" action="login" status="failed" srcip=XXXXXXXXX dstip=XXXXXXXXX reason="passwd_invalid" msg="Administrator admin login failed from ssh(XXXXXXXXXX ) because of invalid password" 


Can someone help me?

Thanks
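As an added example (not from the original post, and not Fortinet code), this is how the event-log format quoted above can be parsed to pick out the source IPs that reach the 3-failure threshold the question asks about. The device name, addresses and the 10-minute sliding window are constructed assumptions, not FortiOS settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}

def sources_to_block(lines, threshold=3, window_minutes=10):
    """Map srcip -> total failed SSH admin logins for every source that reached
    `threshold` failures inside one sliding window (10 minutes is an assumption)."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in map(parse_fortios_event, lines):
        if (ev.get("logdesc") == "Admin login failed" and ev.get("method") == "ssh"
                and ev.get("action") == "login" and ev.get("status") == "failed"):
            ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
            by_src[ev["srcip"]].append(ts)
    blocked = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # forget failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                blocked[src] = len(times)
                break
    return blocked

def _event(date, time, src, user="admin"):
    # Constructed sample line in the format of the redacted event in the post.
    return (f'date={date} time={time} devname="fw1" logid="XXXXXX" type="event" subtype="system" '
            f'level="alert" vd="root" logdesc="Admin login failed" user="{user}" ui="ssh({src})" '
            f'method="ssh" action="login" status="failed" srcip={src} dstip=192.0.2.1 reason="passwd_invalid" '
            f'msg="Administrator {user} login failed from ssh({src}) because of invalid password"')

SAMPLE_LOG = [  # constructed: a bursty source, a slow source, and one below the threshold
    _event("2021-07-12", "22:58:34", "203.0.113.7"),
    _event("2021-07-12", "22:58:51", "203.0.113.7", user="root"),
    _event("2021-07-12", "22:59:10", "203.0.113.7"),
    _event("2021-07-12", "20:00:00", "203.0.113.99"),
    _event("2021-07-12", "21:30:00", "203.0.113.99"),
    _event("2021-07-12", "23:10:00", "203.0.113.99"),
    _event("2021-07-12", "23:01:00", "198.51.100.20"),
    _event("2021-07-12", "23:02:00", "198.51.100.20"),
]
```

Run `sources_to_block(SAMPLE_LOG)` to get the offending sources; with the sample above only the bursty source crosses the threshold, and the result is what you would feed into a blocklist address object rather than blocking automatically from a script.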

    2 replies

    emnoc
    New Member
    July 14, 2021

    So this is a login to the system admin; just define your failed login attempts and set an extremely long lockout.


    Also, if this is a common username like "admin" or "administrator", do NOT use these. You can delete the "admin" account from the FortiOS cfg by creating a new admin with super-user, then logging in with the new user, renaming "admin" and deleting "admin".


    http://socpuppet.blogspot...ate-admin-account.html


    And lastly, do not use port 22 for SSH and an untrusted service.


    Here's what we do:


    config sys global
        set admin-login-max 100
        set admin-lockout-duration 2147483647
        set admin-lockout-threshold 10
        set admin-scp enable
        set admin-server-cert "vpn1"
        set admin-ssh-port 2022
    end


    Other actions you can take:


    Ensure you have trusted hosts set and use MFA for logins.


    Ken Felix


    Toshi_Esumi
    SuperUser
    July 14, 2021

    FYI: at least with 6.2 or later, you can delete the user name "admin" without renaming it.

    HarshChavda
    Staff
    September 14, 2023

    Hello @moreira00,


    You can configure an "anomaly detection" sensor and apply it to the security policy that allows SSH traffic. Within the anomaly sensor, you can define the parameters to consider an SSH brute-force attack and take actions like blocking the IP. FortiGate's Intrusion Prevention System (IPS) includes predefined signatures to detect SSH brute-force attacks. Apply the IPS sensor to the security policy controlling your SSH access. Manually add offending IP addresses to an address object and set it to be "blocked" in the appropriate policy. This approach is not dynamic but can be useful for known malicious IP addresses. You can also set up a DoS policy to limit the number of SSH connections per second from an IP address.


    For Anomaly Detection, configure the sensor to detect SSH brute-force attempts. You may set the threshold for the number of attempts and the action to take when the threshold is exceeded. Apply this sensor to the security policy that controls SSH access.

    For the IPS sensor, under IPS Sensors, edit the sensor applied to your SSH policy or create a new one. Enable the signatures related to SSH brute-force attacks. Apply the IPS sensor to the security policy that allows SSH access.

    For the DoS policy, create a new DoS policy where the service is set to SSH. Set the Action to Rate Limit and define the maximum allowable rate.