dirceualbrecht
New Member
July 6, 2017
Question

What's the best way to block external SSH attacks?


We have a lot of attack reports against our FortiGate 90D.

What's correct to do in that case? Turning off the SSH service? Creating rules to block a list of suspect IPs?

Thanks in advance for any suggestion or information. I attached an example of a report.

    emnoc
    New Member
    July 6, 2017

    1: don't use port 22

    2: enable two-factor

    3: use SSLVPN and then allowaccess ssh for ssl.root; this will force the admin to come in via ssl, and then you trust that ssl.pool address over the ssl.root interface

    4: use trusthost

    http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

    http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

    As long as you have tcp.port 22 open and no trusthost, you will ALWAYS have failed logins for the common accounts


    dirceualbrecht
    New Member
    July 6, 2017

    Thanks for replying!

    I'll try your suggestions and post the result.

    Best regards

    Zac67
    New Member
    September 1, 2017

    If you don't really require SSH on WAN just deactivate it. If you do need it you should at least restrict login to those subnets you need to allow access.

    emnoc
    New Member
    September 1, 2017

    1> I would never run tcp.port 22 for SSH on a public-internet

    2> if you look at the screenshot, these same user accounts are always going to show up (root, admin, Admin, administrator, support, etc.)

    3> deploying ssh access over tcp.port 2022, for example, would reduce or eliminate this issue

    4> deploying an SSH portal access (they have to login via SSLvpn) and then allowaccess over the ssl.root interface is even better imho

    Ken
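
The suggestions from the replies above, put together as a FortiOS CLI sketch. This is an added example, not part of any post in this thread. The interface name `wan1`, the account name `admin`, the management subnet 203.0.113.0/24 and the SSL VPN pool 10.212.134.0/24 are assumptions to replace with your own values; port 2022 is the example port from the thread.

```fortios
# Added example. All names and addresses are constructed placeholders.
# Assumed: WAN interface "wan1", admin account "admin",
# management subnet 203.0.113.0/24, SSL VPN pool 10.212.134.0/24.

# Zac67: if SSH is not needed on the WAN, turn it off there.
# "set allowaccess" replaces the whole list, so name every service you keep.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# emnoc: do not listen for admin SSH on tcp/22; 2022 is the thread's example.
config system global
    set admin-ssh-port 2022
end

# emnoc / Zac67: trusthost limits where this admin account may log in from.
# trusthost1 = assumed management subnet, trusthost2 = assumed SSL VPN pool.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
        set trusthost2 10.212.134.0 255.255.255.0
    next
end

# emnoc: allow SSH on the SSL VPN tunnel interface, so an administrator
# has to authenticate to the SSL VPN before reaching the SSH login at all.
config system interface
    edit "ssl.root"
        set allowaccess ssh
    next
end
```

Trusted hosts apply to every kind of admin access for that account, not only SSH, and the unit only stops answering login attempts from other sources once every admin account has trusted hosts set. Apply the change from a session that comes from one of the trusted ranges, so you do not lock yourself out.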