nbctcp
New Member
October 11, 2019
Solved

Only Allow SSH from certain country


Let's say I have a file ID.txt that contains Indonesian IP subnets:

223.130.20.0/22 223.164.0.0/16 223.165.4.0/22 223.255.224.0/21

It contains 2700 IPs.

GOALS:

1. Only allow SSH from those IPs in ID.txt.

2. Block those Indonesian IPs that are doing SSH brute-force attacks, after 5 consecutive failures.

QUESTIONS:

1. How to achieve that? Thank you.

Best answer by fernandezm_FTNT

ede_pfau
SuperUser
October 11, 2019

1. Create an address object for each IP.

2. Create address group(s) (a group may only hold a certain number of addresses, or other groups).

3. Create a local-in policy allowing this address group as source, service=SSH.

Look here https://www.beneicke-edv.de/support/tools/ for a Python script I wrote for exactly this task. The page is in English.
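To show what the three steps above amount to in practice, here is an added example (not ede_pfau's script and not part of the original thread) that reads a whitespace-separated prefix list like ID.txt, emits one address object per prefix, splits them into groups of an assumed size and nests those under a parent group, and finishes with a local-in accept/deny pair for SSH. The sample prefixes are the four from the question; GROUP_LIMIT and the interface name "port1" are assumptions to adjust for your unit.

```python
import ipaddress

# Constructed sample standing in for ID.txt (the real file holds ~2700 prefixes).
SAMPLE_ID_TXT = "223.130.20.0/22 223.164.0.0/16 223.165.4.0/22 223.255.224.0/21"
GROUP_LIMIT = 300  # assumed members-per-group cap; check the limit for your model and FortiOS build


def parse_prefixes(text: str) -> list:
    """Return the valid IPv4 networks from a whitespace-separated CIDR list; bad tokens are skipped."""
    nets = []
    for tok in text.split():
        try:
            nets.append(ipaddress.IPv4Network(tok, strict=True))
        except ValueError:
            continue  # malformed token or host bits set: never silently widen the allow list
    return nets


def addr_name(net) -> str:
    return f"ID_{net.network_address}_{net.prefixlen}"


def build_config(nets, base="ID_SSH_ALLOW", limit=GROUP_LIMIT, intf="port1") -> str:
    """Emit FortiOS CLI: one address per prefix, chunked groups, a parent group, and local-in policies."""
    out = ["config firewall address"]
    for n in nets:
        out += [f'    edit "{addr_name(n)}"', "        set type ipmask",
                f"        set subnet {n.network_address} {n.netmask}", "    next"]
    out.append("end")
    chunks = [nets[i:i + limit] for i in range(0, len(nets), limit)]
    sub = [f"{base}_{i + 1}" for i in range(len(chunks))]
    out.append("config firewall addrgrp")
    for name, chunk in zip(sub, chunks):
        members = " ".join(f'"{addr_name(n)}"' for n in chunk)
        out += [f'    edit "{name}"', f"        set member {members}", "    next"]
    out += [f'    edit "{base}"', "        set member " + " ".join(f'"{s}"' for s in sub), "    next", "end"]
    # Local-in policies match top-down: accept SSH from the group, then deny SSH from everyone else.
    out += ["config firewall local-in-policy",
            "    edit 1", f'        set intf "{intf}"', f'        set srcaddr "{base}"',
            '        set dstaddr "all"', '        set service "SSH"', '        set schedule "always"',
            "        set action accept", "    next",
            "    edit 2", f'        set intf "{intf}"', '        set srcaddr "all"',
            '        set dstaddr "all"', '        set service "SSH"', '        set schedule "always"',
            "        set action deny", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_config(parse_prefixes(SAMPLE_ID_TXT)))
```

Paste the output into the CLI in order, since the groups reference the address objects and the policies reference the parent group; keep a console session open while the deny policy goes in so a typo in the allow group cannot lock you out.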

nbctcp (Author)
New Member
October 11, 2019

GOALS 1. ANSWERED BY YOU

config firewall address
    edit "GEO_ID"
        set uuid 992c53f4-ec74-51e9-b083-6714337c388e
        set type geography
        set country "ID"
    next
    edit "GEO_SG"
        set uuid afcffba6-ec74-51e9-f22b-25a40302a11f
        set type geography
        set country "SG"
    next
end

config firewall addrgrp
    edit "GEO_ALL"
        set uuid c60f7964-ec74-51e9-05e0-0d79566490db
        set member "GEO_ID" "GEO_SG"
    next
end

2. Is there a log that shows SSH brute-force attacks against the FortiGate? Or maybe I should pump the Forti logs to an external Linux syslog server and install a log watcher there, so that it can watch for specific SSH login failures and then run a script, something like this: https://forum.fortinet.com/tm.aspx?m=138845

 

ede_pfau wrote:

1. create an address object for each IP

2. create address group(s) (a group may only hold a certain number of addresses, or other groups)

3. create a local-in policy, allowing this address group as source, service=SSH

 

Look here https://www.beneicke-edv.de/support/tools/ for a python script I wrote for exactly this task. The page is in English.
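For the second goal (the log watcher on the syslog box), here is an added example, not from the thread or from Fortinet, of the counting logic such a watcher needs: it parses FortiOS-style key=value event lines, counts consecutive failed SSH admin logins per source, resets the streak on a successful login, and emits CLI for a block group once a source hits 5. The log lines are constructed, and the exact field set a given FortiOS build logs is an assumption; check a real "Admin login failed" event from your unit and adjust the field names.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate event-log lines as they would arrive at a syslog server; the
# key=value layout follows FortiOS logs, but the exact field set is an assumption.
SAMPLE_LOGS = """\
date=2019-10-11 time=09:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(223.130.21.7)" method="ssh" srcip=223.130.21.7 action="login" status="failed"
date=2019-10-11 time=09:00:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(223.130.21.7)" method="ssh" srcip=223.130.21.7 action="login" status="failed"
date=2019-10-11 time=09:00:04 type="event" subtype="system" logdesc="Admin login failed" user="root" ui="ssh(223.164.9.2)" method="ssh" srcip=223.164.9.2 action="login" status="failed"
date=2019-10-11 time=09:00:05 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="ssh(223.164.9.2)" method="ssh" srcip=223.164.9.2 action="login" status="success"
date=2019-10-11 time=09:00:06 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(223.130.21.7)" method="ssh" srcip=223.130.21.7 action="login" status="failed"
date=2019-10-11 time=09:00:07 type="event" subtype="system" logdesc="Admin login failed" user="test" ui="ssh(223.130.21.7)" method="ssh" srcip=223.130.21.7 action="login" status="failed"
date=2019-10-11 time=09:00:08 type="event" subtype="system" logdesc="Admin login failed" user="guest" ui="https(223.165.5.9)" method="https" srcip=223.165.5.9 action="login" status="failed"
date=2019-10-11 time=09:00:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(223.130.21.7)" method="ssh" srcip=223.130.21.7 action="login" status="failed"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}


def find_ssh_bruteforce(log_text: str, threshold: int = 5) -> list:
    """Return source IPs that reach `threshold` consecutive failed SSH admin logins.
    A successful SSH login from the same source resets its streak (consecutive, not cumulative)."""
    streak = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or ev.get("method") != "ssh":
            continue  # only SSH admin logins count here; GUI/HTTPS attempts are a separate question
        ip = ev.get("srcip")
        if ev.get("status") == "success":
            streak[ip] = 0
        elif ev.get("status") == "failed":
            streak[ip] += 1
            if streak[ip] == threshold and ip not in flagged:
                flagged.append(ip)
    return flagged


def block_cli(ips, group="SSH_BRUTE_BLOCK") -> str:
    """FortiOS CLI adding each offender as a /32 address and grouping them for a local-in deny policy."""
    out = ["config firewall address"]
    for ip in ips:
        out += [f'    edit "BRUTE_{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out += ["end", "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"BRUTE_{ip}"' for ip in ips), "    next", "end"]
    return "\n".join(out)
```

A local-in deny policy with srcaddr SSH_BRUTE_BLOCK placed above the allow policy completes the loop; note the streak is kept in memory only, so a long-running watcher should also expire old entries.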

emnoc
New Member
October 11, 2019

Also, you can change the service port to something other than TCP port 22; that will eliminate 99% of SSH login password attacks. Also, eliminate the default admin account from "config sys admin".

Ken felix

fernandezm_FTNT
Staff
November 2, 2019

There are a few ways to skin this cat, depending on the version of FortiOS you are running. In 6.2 we introduced "Dynamic Address Lists": you can set up a web server internally, as an example, and add the IP addresses you want to block. The FortiGate will pull the list of IP addresses from the server and create a dynamic address group you can use in your policies.

NOTE: 6.0 had a limited-functionality feature where it ONLY worked in conjunction with DNS. That is, if 1.1.1.1 was a bad guy and you opened your browser and typed www.goodguy.com, and the DNS server responded with 1.1.1.1, it would block it; however, if you opened your browser and typed http://1.1.1.1 it would allow you to go.

Also noteworthy: if you are using 'Central NAT' you do not have to worry; however, if you are using policy NAT and using the VIP as the destination IP in your policy, you will need to create a policy containing all the VIPs you want to protect from the geo list, or 'set match-vip enabled'.

Check out an article I wrote on both the Dynamic Address Objects and the VIP issue, as well as a geo script to add all countries.

nbctcp (Author)
New Member
November 2, 2019

These Dynamic Address Objects are interesting, but you said they block.

Let's say I have 2000 IPs.

What if I want to ALLOW SSH to my FortiGate from those IPs?

 

fernandezm@fortinet.com wrote:

There are a few ways to skin this cat, depending on the version of FortiOS you are running. In 6.2 we introduced "Dynamic Address Lists": you can set up a web server internally, as an example, and add the IP addresses you want to block. The FortiGate will pull the list of IP addresses from the server and create a dynamic address group you can use in your policies.

NOTE: 6.0 had a limited-functionality feature where it ONLY worked in conjunction with DNS. That is, if 1.1.1.1 was a bad guy and you opened your browser and typed www.goodguy.com, and the DNS server responded with 1.1.1.1, it would block it; however, if you opened your browser and typed http://1.1.1.1 it would allow you to go.

Also noteworthy: if you are using 'Central NAT' you do not have to worry; however, if you are using policy NAT and using the VIP as the destination IP in your policy, you will need to create a policy containing all the VIPs you want to protect from the geo list, or 'set match-vip enabled'.

Check out an article I wrote on both the Dynamic Address Objects and the VIP issue, as well as a geo script to add all countries.

fernandezm_FTNT
Staff
November 2, 2019

Yes, absolutely. Allow or block.