mehdi_ouazaa
New Member
July 26, 2018
Solved

Multiple ssh auth with different username

  • July 26, 2018
  • 2 replies
  • 5626 views

Hi all,

In the system events I discovered that there are a lot of failed SSH auth attempts with different usernames and from different IPs from all over the world. To me it smells like someone/some script is trying to access my FortiGate.

Could you please advise on better actions to take?

    Best answer by emnoc

    You have a few items to look at:

    SSH pub key (build a strong password, but enforce the SSH pub key)

    http://socpuppet.blogspot...ess-login-fortios.html

    GeoIP block on the external interface (e.g. I use a local-in policy and block anything outside of the USA)

    https://forum.fortinet.com/tm.aspx?m=136899

    Change the SSH port

    http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

    Disable SSH on the WAN, force your admins to SSH in, and then use allowaccess ssh on the ssl.root interface

    http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

    Or use MFA access for any admins; this would be the best, along with the above.

    Ken

    2 replies

    mhe
    Explorer II
    July 26, 2018

    Why don't you disable SSH on the external interface?

    xsilver_FTNT
    Staff
    July 26, 2018

    If it's not super critical, then disable SSH from outside, as mhe mentioned.

    If not possible, then change the default port to some other less obvious/predictable one.

    You can also utilize trusted hosts so SSH will not respond to anyone outside allowed ranges/IPs.

    And obviously, have strong passwords for admins.
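The steps in Ken's best answer (SSH public key, GeoIP local-in policy, non-default SSH port, SSH only on ssl.root, MFA) and the trusted-hosts suggestion in xsilver_FTNT's reply, put together as one FortiOS CLI configuration. This is an added example, not configuration from the thread, from the linked blog posts or from Fortinet documentation. The interface names (wan1, ssl.root), the admin name, the 203.0.113.0/24 office range, the 10.212.134.0/24 SSL VPN client range, the public key and the FortiToken serial are placeholders; option names vary between FortiOS releases, so check them against the CLI reference for your version before applying.

```fortios
# Added example, not from the thread. Placeholders: wan1, ssl.root, "admin",
# 203.0.113.0/24 (office), 10.212.134.0/24 (SSL VPN client pool), key, token.

# 1. Per-admin controls: trusted hosts, SSH public key and two-factor.
#    Trusted hosts restrict every admin protocol (GUI, SSH, SNMP), so keep a
#    second session open until you have confirmed you can still log in.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
        set trusthost2 10.212.134.0 255.255.255.0
        set ssh-public-key1 "ssh-ed25519 AAAA... admin@jumphost"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end

# 2. Move SSH off port 22. This only cuts log noise from blind scanners;
#    the controls in step 1 are what actually stop a guessed password.
config system global
    set admin-ssh-port 2222
end

# 3. Take SSH off the WAN interface entirely and offer it only on the SSL VPN
#    tunnel interface, so admins must authenticate to the VPN first.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
    edit "ssl.root"
        set allowaccess ping ssh
    next
end

# 4. Geo-IP fence for the management service that stays on the WAN (HTTPS
#    here): a geography address for the permitted country, then a local-in
#    policy pair that accepts it and denies the same service from anywhere
#    else. Local-in policies are matched top-down, so the accept comes first.
#    If you keep SSH on the WAN, add a custom service for the new port to
#    both policies.
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-US"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

Apply step 1 before step 3, and verify from outside the trusted range that a login attempt is refused and from inside it that the key (not the password) is what gets you in; only then close the spare session. The geography address relies on the unit's GeoIP database, so keep it updated, and remember that a deny in a local-in policy also affects any IPsec or SSL VPN peers in the blocked regions if you widen the service list beyond management protocols.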


    mehdi_ouazaa
    New Member
    July 27, 2018

    Thank you guys,

    I will think about all of this and tell you what I've done.