Contributor
April 9, 2008
Question

SSH Attack on Fortigate

Morning all... I manage a Fortigate that someone is trying to log in to via SSH. This is the event I get:

Message meets Alert condition
The following critical firewall event was detected: Critical Event.
2008-04-09 02:40:34 device_id=FGT-********* log_id=0104032002 type=event subtype=admin pri=alert vd=root user="test" ui=ssh(***.***.***.***) action=login status=failed reason="name_invalid" msg="Administrator test login failed from ssh(***.***.***.***) because of invalid user name"

How do I stop this... I know the obvious answer is to take SSH off of the WAN1 port... but I have a Fortimanager at a different location, and that is how they communicate, via SSH. I tried to create a policy that basically said only allow SSH access from my Fortianalyzer. I thought about just blocking the IP, but every day the attack comes from a different IP. Any ideas?? For now I just disabled SSH on WAN1 as a temp fix.

    3 replies

    rwpatterson
    New Member
    April 9, 2008
    You could build a tunnel between the two sites, and then use the IP on the inside interface for the Fortimanager. This would obsolete the need to keep ssh open to the outside world.
    abelio
    SuperUser
    April 9, 2008
    Administrative access to your FTG box is not controlled by your WAN->internal firewall policies. To control from where you or somebody can access your FTG box (SSH, HTTPS, PING or whatever), restrict "Trusted Hosts" (System->Admin->Administrators menu).
    Contributor
    April 10, 2008
    Thanks for the ideas guys!!!!
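
As an added example (not part of the thread and not Fortinet code): a short Python parser for admin event lines in the key=value layout quoted in the question, which counts failed admin logins per source address and marks the sources that fall outside a trusted-host list. The sample events, the addresses and the trusted entry 198.51.100.20/32 are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted
UI = re.compile(r'^\w+\(([^)]+)\)$')         # ui=ssh(<source address>)

# Constructed sample events, trimmed to the fields read below. Addresses are
# documentation ranges; FGT-EXAMPLE is a placeholder device id.
_ROWS = [("test", "203.0.113.7", "failed"), ("admin", "203.0.113.7", "failed"),
         ("root", "203.0.113.7", "failed"), ("guest", "192.0.2.44", "failed"),
         ("admin", "198.51.100.20", "failed"), ("admin", "198.51.100.20", "success")]
SAMPLE_LOG = "\n".join(
    f'2008-04-09 02:4{i}:34 device_id=FGT-EXAMPLE type=event subtype=admin '
    f'vd=root user="{u}" ui=ssh({ip}) action=login status={s}'
    for i, (u, ip, s) in enumerate(_ROWS))

def parse_event(line):
    """Split one event line into a dict; strips quotes and stray padding in values."""
    return {k: v.strip('" ') for k, v in FIELD.findall(line)}

def failed_admin_logins(log_text, trusted_nets):
    """Return {source_ip: {"count", "users", "trusted"}} for failed admin logins."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = defaultdict(lambda: {"count": 0, "users": set(), "trusted": False})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (ev.get("subtype"), ev.get("action"), ev.get("status")) != ("admin", "login", "failed"):
            continue
        m = UI.match(ev.get("ui", ""))
        if not m:
            continue  # UI without a source address
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # masked or malformed address, e.g. ***.***.***.***
        rec = hits[str(src)]
        rec["count"] += 1
        rec["users"].add(ev.get("user", ""))
        rec["trusted"] = any(src in n for n in nets)
    return dict(hits)

def untrusted_sources(log_text, trusted_nets):
    """Sources with failed logins outside the trusted host list, busiest first."""
    stats = failed_admin_logins(log_text, trusted_nets)
    return sorted((ip for ip, r in stats.items() if not r["trusted"]),
                  key=lambda ip: -stats[ip]["count"])

if __name__ == "__main__":
    print(untrusted_sources(SAMPLE_LOG, ["198.51.100.20/32"]))
```

Once Trusted Hosts is restricted as suggested in the replies, any source this report still lists as untrusted indicates an admin account or interface that the restriction does not yet cover.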