Block Sources by origin ISP for VPN - Skimmer bots locking out accounts.

Question

Is there a way to block sources by their ISP name?

We have an issue with skimmer bots attempting authenticate against our VPN server, constantly locking out accounts that we use. Even though these accounts don't have VPN access, the FortiGate still passes through the login attempt to the DC.

We already have connections geo-blocked, but the geo-block feature is useless now that foreign bots just use a VPN service to tunnel into the U.S. before attacking our firewall.

Grabbing the IP addresses from the logs and running a geo-lookup on them, I found that all of them are coming from different VPN providers.

Blocking these by the ISP name or even whitelisting certain ISPs should fix this issue if it's possible on FortiGates.

I'm using a FortiGate 100E.

Thanks for any help with this.

AEK · Answer

I don't know a way to achieve exactly what you are looking for but here are some ideas that can be useful:SSL VPN is not recommended anymore, so try to migrate to IPsecIn case you must use SSL VPN, make sure your FG is not at a vulnerable version. Keep it always patched to avoid the known SSL VPN vulnerabilitiesUse a high port for your SSL VPN (above 20000), since scan bots don't scan more than few thousands ports in order to save time and resourcesUse strong passwords and MFAAuto-block source IP after 3 unsuccessful attempts

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded