kinmun
New Member
July 28, 2015
Question

Unauthorized user attempt

  • 5 replies
  • 25494 views

I noticed that there are quite a number of unauthorized users trying to gain access to my firewall.

Other than removing SSH and HTTPS access, is there anything else I can do?


    neonbit
    New Member
    July 28, 2015

    A few things I could recommend if you don't want to disable ssh/https access from your WAN port:


    1. Change the port numbers for HTTPS (443) and SSH (22) from the default ones

    2. Use 2 factor authentication for all the admin logins (the FortiGate comes with two free mobile tokens)

    3. If you know the IP address that you'll be connecting from for the admin access, then add these to the trusted hosts (configured under each administrator account)
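
The three recommendations above, written out as FortiOS CLI commands. This is an added example, not configuration from the original post or from Fortinet's documentation. The ports 8443 and 2222, the management range 203.0.113.0/24 and the FortiToken serial are placeholders to replace with your own values; the `#` lines are annotations and not valid CLI input, so strip them before pasting.

```fortios
# 1. Move the administrative services off the default ports (8443 and 2222 are placeholders).
#    admin-sport is the HTTPS port, admin-ssh-port the SSH port.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
end

# 2. and 3. Two-factor authentication and trusted hosts on the administrator account.
#    The token serial and the 203.0.113.0/24 range are placeholders; further ranges go
#    in trusthost2, trusthost3 and so on. With trusthost1 set, logins for this account
#    are only accepted from that range, before the password is even checked.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end
```

Keep the current session open and confirm from a trusted host that the GUI and SSH still answer on the new ports before logging out, because a typo here locks you out of remote management. Note that moving the ports only reduces log noise from scanners that try 22 and 443; it does not shrink the attack surface. The trusted hosts do, since the firewall rejects connections from anywhere else, and the token protects against a guessed or reused password.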

    gschmitt
    New Member
    July 28, 2015

    neonbit wrote:

    A few things I could recommend if you don't want to disable ssh/https access from your WAN port:

    Personally, I would only ever enable administrative access on your WAN port temporarily. I would rather use a VPN to dial in to access the device.

    nothingel
    New Member
    August 5, 2015

    I have used the restrict-IP functionality of admin accounts and even changed ports, but I grew tired of unknown people attempting to log in anyway (using common names like "root"). Normally the IP restrictions would prohibit all untrusted IPs from even connecting, but I always used a dummy user with no IP restrictions so that the administrative services would still be open, because I wanted PING to work. (I've often wished PING could be controlled separately from the other administrative services.)

    Presently, I've moved the administrative ports back to their defaults but use a local-in policy (CLI only) to first exempt trusted IPs, followed by another policy to block all access to the administrative ports. Now, nobody except trusted IPs can attempt connections via HTTPS or SSH, but PING still works from anywhere.

    I wish local-in policies could be viewed from the GUI. I don't care about editing as much as the ability for somebody else to have a clue what I've done. I'm talking about 5.0.x here, FWIW.
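
The local-in policy arrangement described above, written out as FortiOS CLI. This is an added example, not the poster's own configuration; the address object name Trusted_Admins, the range 203.0.113.0/24 and the interface name wan1 are placeholders, and the `#` lines are annotations to strip before pasting. The admin accounts are deliberately left without trusted hosts: the thread's posters note that once every administrator has trusted hosts, the firewall stops answering ping from untrusted sources, which is what the dummy admin trick works around. Here the filtering is done on the packet path instead, so ping is unaffected.

```fortios
# Address object for the management hosts (203.0.113.0/24 is a placeholder).
config firewall address
    edit "Trusted_Admins"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Local-in policies apply only to traffic addressed to the FortiGate itself and are
# evaluated top-down: accept HTTPS/SSH from the trusted range first, then drop
# HTTPS/SSH from everyone else. Neither policy matches ICMP, so ping is still
# governed solely by allowaccess on the interface.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Trusted_Admins"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end

# The administrative services still have to be enabled on the interface for the
# trusted range to reach them; ping stays reachable from anywhere.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
```

Review the result with `show firewall local-in-policy` and test from a second trusted host before closing your session, since the deny policy locks out any source not in the object. The security property worth noting is that connections from untrusted sources are dropped before the HTTPS or SSH daemon parses a single byte, so a pre-authentication flaw in those services is only reachable from the trusted range. With the dummy-admin approach, by contrast, the login endpoint stays exposed to the whole Internet and you depend on it having no such flaw.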


    gschmitt
    New Member
    August 5, 2015

    nothingel wrote:

    I wish local-in policies could be viewed from the GUI.  I don't care about editing as much as the ability for somebody else to have a clue what I've done.  I'm talking about 5.0.x here, FWIW.

    Uhm... they are? Go to System > Config > Features, select Show More, turn Local In Policy on and Apply.

    nothingel
    New Member
    August 5, 2015

    gschmitt wrote:

    Uhm... they are? Go to System > Config > Features, select Show More, turn Local In Policy on and Apply.

    Yes, you're right, but they don't show user-generated policies.  I should have more clearly stated this in my post.  The only thing I see are policies controlled by the system.  Again, this is in 5.0.x.

     

    HASimac
    New Member
    September 16, 2015

    Hello,

    I personally used the following method.

    First, I create an admin profile with NONE privilege.

    Next, I create a user (call it PING) with the NONE profile and NO IP restriction (to allow ping from everywhere).

    Next, I limit the admin user to a specific IP range.

    The external user can still try to connect, but even if they discover the PING password, no privilege will be granted...

    Regards,

    HA

    sym
    New Member
    September 16, 2015

    HA wrote:

    First, I create an admin profile with NONE privilege.

    Next, I create a user (call it PING) with the NONE profile and NO IP restriction (to allow ping from everywhere).

    Next, I limit the admin user to a specific IP range.

    The external user can still try to connect, but even if they discover the PING password, no privilege will be granted...

    I tried that route as well, but I never want everyone to have an open port accessible. In this case, I would completely rely on the security functions of the device. What if the account login functionality had a flaw?

    emnoc
    New Member
    September 16, 2015

    I take the same approach as HA but use a password of 20+ characters and two-factor authentication rather than allowing that account untrusted access.

    For basic admin access, do as he stated: create a "NONE" profile (he mentioned privilege, but it is a profile with nothing allowed) and apply that to the ping user.

    Ken

    emnoc
    New Member
    September 16, 2015

    Valid points; you have to analyze the risk. If you create a weird username with a maximum-length password and then enable two-factor, your risk of exposure is minimal.

    1st, the person has to KNOW the account to enter any next step

    2nd, they would need to know your long password

    3rd, they would need to know the token

    That's a lot of information the attacker could never acquire. In my case, for the token, I sent it to a nobody account.

    e.g.

    nobody@nosuchdomain.com

    So when they are challenged, and if they managed to find steps #1 and #2 (very highly unlikely, btw), they would never have the token since they are unaware of what the token is.

    It's like 110% fool-proof IMHO and allows you to have a ping service for whoever needs to ping you. Since I've used this approach that HA mentioned and changed SSH to port xx22, all of my unauthorized SSH logins have been eliminated and I never had a failed web login.

    And as HA mentioned, if they could get through steps #1, #2 and #3, they have "NONE" privilege to do anything. Once again, this is like 10000000% fool-proof.
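
The no-privilege profile and the ping-only administrator that HA and emnoc describe, as FortiOS CLI. This is an added example, not either poster's configuration. The profile name none_profile, the account name zq7-ping-only, the password placeholder and the FortiToken serial are placeholders; the `#` lines are annotations to strip before pasting. It uses a FortiToken for the second factor rather than the e-mail delivery emnoc describes, so the token lives on a device rather than in a mailbox.

```fortios
# Access profile that grants nothing. A newly created profile has every group
# set to none by default; the explicit lines just make the intent visible to
# the next administrator. (Group names differ slightly between FortiOS 5.x releases.)
config system accprofile
    edit "none_profile"
        set sysgrp none
        set netgrp none
        set fwgrp none
        set loggrp none
        set vpngrp none
        set utmgrp none
    next
end

# Dummy administrator with no trusthost entries, so at least one account has no
# IP restriction and the firewall keeps answering ping from anywhere. Unguessable
# name, long random password and a token (both placeholders), and even a
# successful login lands in a profile that can do nothing.
config system admin
    edit "zq7-ping-only"
        set accprofile "none_profile"
        set password "<long random password, 20+ characters>"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end
```

Verify with `show system admin zq7-ping-only` that the account carries no trusthost lines and references none_profile. The caveat sym raises still applies: this keeps the HTTPS and SSH login endpoints reachable from the whole Internet, so its safety rests on the login code itself having no pre-authentication flaw. Filtering the administrative ports on the packet path (a local-in policy that only allows the management range, with allowaccess ping left on the interface) keeps ping working without exposing any login at all.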