Ryushin
New Member
October 8, 2018
Question

Fortigate SSH Brute Force Attacks

  • October 8, 2018
  • 1 reply
  • 7768 views

I've been googling this without finding an answer. Is there a mechanism in the FortiGate firewall to block an IP after a certain number of failed SSH attempts on the firewall itself? Something like what fail2ban provides?

I wish to keep SSH access available on the WAN IP. I've tried changing the port a few times, but the attackers are using distributed port scans to find the SSH port. I currently block an IP for 6 months after 50 ports have been scanned or an ICMP sweep of 8 or more IPs.

The web auth allows timeouts and a number of failed attempts before lockout. Is there any setting like that for SSH? How about only allowing SSH login with keys and no passwords?

I know about trusted hosts and I'd rather not do that unless necessary.

 

    1 reply

    makco10
    Explorer II
    October 12, 2018

    Hello,

    You can use a private certificate:

    https://forum.fortinet.com/tm.aspx?m=151154

    Regards.

    Ryushin (Author)
    New Member
    October 12, 2018

    Maybe I missed it, but I did not see the configuration to disable password SSH auth. I'm currently using SSH keys for myself, but the less advanced users will have a hard time using an SSH key, and I'm not sure I particularly trust them logging in without a password.

    So there is no real way to rate-limit the SSH connection attempts. Say, after five failed attempts, disable SSH access from that IP for a certain number of minutes.
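The "five failures, then block that IP for a few minutes" logic described above is what fail2ban does off-box, and the same approach works against a FortiGate by reading its admin login event logs on a syslog collector and pushing a deny rule back. The following is an added example, not code from this thread or from Fortinet: a Python script that parses FortiOS-style `key=value` event log lines, counts failed SSH admin logins per source IP in a sliding window, and renders the FortiOS CLI for a local-in policy that drops SSH from the offenders. The sample log lines are constructed (the field layout follows the FortiOS "Admin login failed" event but every value is invented), and the interface name `wan1`, the object names `ssh_banned` / `ban_<ip>`, the local-in policy ID and the ban/window durations are assumptions you would adjust.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines, modelled on FortiOS "Admin login failed" /
# "Admin login successful" system events. All values are invented and the
# field set is trimmed to what this example parses.
SAMPLE_LOG = """\
date=2018-10-08 time=10:00:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2018-10-08 time=10:00:07 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2018-10-08 time=10:00:09 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" method="ssh" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2018-10-08 time=10:00:15 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2018-10-08 time=10:00:20 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="ops" ui="ssh(198.51.100.7)" method="ssh" srcip=198.51.100.7 action="login" status="success" reason="none"
date=2018-10-08 time=10:00:31 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(192.0.2.9)" method="https" srcip=192.0.2.9 action="login" status="failed" reason="passwd_invalid"
date=2018-10-08 time=10:00:44 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2018-10-08 time=10:01:02 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.5)" method="ssh" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
"""

# FortiOS logs are key=value pairs; quoted values may contain spaces and parentheses.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def failed_ssh_logins(log_text):
    """Yield (timestamp, srcip) for every failed SSH admin login, in log order."""
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue
        if ev.get("method") != "ssh":
            continue  # the GUI already has its own lockout; only SSH is in scope here
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, ev["srcip"]

def find_offenders(log_text, threshold=5, window_seconds=600, ban_seconds=1800):
    """Sliding-window count of SSH failures per source IP (lines assumed to be in
    time order). Returns {ip: (ban_start, ban_end)} for the first breach of
    `threshold` failures within `window_seconds`; one ban per IP."""
    window, ban_for = timedelta(seconds=window_seconds), timedelta(seconds=ban_seconds)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in failed_ssh_logins(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = (ts, ts + ban_for)
    return banned

def ban_commands(banned, group="ssh_banned", intf="wan1", service="SSH", policy_id=1):
    """Render FortiOS CLI that denies SSH from the banned IPs with a local-in
    policy. Object names, interface name and policy ID are assumptions. "SSH"
    is the predefined TCP/22 service, so if admin-ssh-port was moved, point
    `service` at a custom service object on the new port. `set member`
    overwrites the group; on a live box with an existing group use `append member`."""
    if not banned:
        return ""
    out = ["config firewall address"]
    for ip in sorted(banned):
        out += [f'    edit "ban_{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"ban_{ip}"' for ip in sorted(banned)),
            "    next", "end",
            "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"', f'        set srcaddr "{group}"',
            '        set dstaddr "all"', "        set action deny",
            f'        set service "{service}"', '        set schedule "always"',
            "    next", "end"]
    return "\n".join(out)

def unban_commands(ip, group="ssh_banned"):
    """CLI to lift a ban once ban_end has passed (run from a scheduler)."""
    return "\n".join(["config firewall addrgrp", f'    edit "{group}"',
                      f'        unselect member "ban_{ip}"', "    next", "end",
                      "config firewall address", f'    delete "ban_{ip}"', "end"])

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, (start, end) in offenders.items():
        print(f"# {ip}: banned {start:%H:%M:%S} until {end:%H:%M:%S}")
    print(ban_commands(offenders))
```

On the sample data only 203.0.113.5 crosses five SSH failures inside the window (198.51.100.7 fails once and 192.0.2.9 fails over HTTPS, which is left to the GUI lockout), so the rendered CLI bans that one address. Delivering the commands to the FortiGate (over SSH from a trusted host, or via the REST API) and running the unban after `ban_end` is left to whatever scheduler you already run, and the local-in policy must not be placed in front of the addresses you administer from, or you lock yourself out along with the attacker.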

    makco10
    Explorer II
    October 12, 2018

    I think for security reasons it is not possible.

    Another option is to change the default port for SSH administrative access, for added security:

    config system global
        set admin-ssh-port 2345
    end

    https://docs.fortinet.com/uploaded/files/3624/fortigate-hardening-your-fortigate-56.pdf

    Page 17

    Important note: If you change the HTTPS or SSH port numbers, make sure your changes do not conflict with ports used for other services.

    Regards.