Cybersecurity Forum


AndrHann
New Contributor III

SQL Injection attacks

I have a client with a website behind a FortiGate 60D. I have IPS enabled in the inbound HTTP VIP and get alerted any time an external attack is detected. For the last four days there has been an increasing number of HTTP.URI.SQL.Injection attempts. I came back to work today after the weekend and there were dozens of emails, all containing multiple intrusion attempts. Most of these attempts are from a couple of IP addresses in Russia and Poland. I'm wondering if there is a way to create a blacklist of IP addresses and block particular IP addresses. I tried creating a topmost rule to block IP addresses, but it doesn't work, which I assume is due to the VIP rules. Any ideas how I can outright block Internet IP addresses from accessing my VIPs?

Andre

1 Solution
mithrandir29
New Contributor

Hi Andre,

You can create a policy on top of all policies, where the destination is
all VIPs and the source is all the IPs that we want to block, something like this:



You can create a Geography object to block all the IPs of a country
and use this object as the source of the policy:



With this we already block IPs with VIPs, but it may be an opportunity to
sell a FortiWeb.

Regards!!

Bernardo


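As an added example that is not part of Bernardo's post (the screenshots he refers to did not survive), here is the same setup written out as FortiOS CLI. The interface names wan1 and internal, the VIP name web-vip, the policy id 100 (assumed unused), the id 1 of the existing VIP allow policy, and the attacker address 198.51.100.23 are all assumptions; substitute your own. The address group lets you add single attacker IPs later without touching the policy, the geography addresses cover a whole country, the move command puts the deny rule above the VIP allow rule so it is evaluated first, and logging the denies keeps the evidence the IPS alerts were providing.

```fortios
# Added example, not from the original post. wan1, internal, web-vip,
# policy ids 100/1 and 198.51.100.23 are assumed values.
config firewall address
    edit "blk-198.51.100.23"
        set subnet 198.51.100.23 255.255.255.255
        set comment "IPS: HTTP.URI.SQL.Injection, source seen in alerts"
    next
    edit "geo-RU"
        set type geography
        set country "RU"
    next
    edit "geo-PL"
        set type geography
        set country "PL"
    next
end

config firewall addrgrp
    edit "vip-blocklist"
        set member "blk-198.51.100.23" "geo-RU" "geo-PL"
    next
end

config firewall policy
    edit 100
        set name "deny-blocklist-to-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "vip-blocklist"
        set dstaddr "web-vip"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 100 before 1
end
```

Two checks worth doing after applying this: confirm with "show firewall policy" that the deny policy really sits above the VIP allow policy, and watch the traffic log for denies from the group before trusting it. Note that a deny policy whose destination is "all" rather than the VIP object does not match VIP traffic on the FortiOS versions of this era unless match-vip is enabled on that policy, which is the likely reason the original topmost rule did nothing; using the VIP object as the destination, as above, avoids that. Blocking whole countries also blocks any legitimate visitors from them, so prefer the single-address entries where the alerts point at a handful of sources.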


AndrHann

Thanks Bernardo

It's obvious now you point it out. I've just tested it and it's working well.

Thanks for your help.

Andre

Vilela
New Contributor

You can also configure a blackhole route for the IP of the attacker:

config router static
edit 0
set blackhole enable
set comment "Threat-IP-Detect"
set distance 100
set dst XXX.XXX.XXX.XXX 255.255.255.255
next
end


Leandro Vilela

Brazil-Brasilia

stephane_toupin
New Contributor

Hi, 

Another way to do it is to have your IPS profile quarantine the IP address of the attacker. You can choose the individual action of the signature, so you can set Quarantine for the injection. Just be sure you don't have false positives, because you will block legitimate traffic. Since IPS is not a WAF, it might have more false positives. Be careful.

It is always a good thing to have your system kick out bad guys, because maybe you catch this attack but the next one will pass and harm you. As soon as someone is playing with you, kick him out!
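Added example, not from Stéphane's post: an IPS sensor that quarantines the source of a blocked signature match for a bounded time, written as FortiOS CLI. The sensor name web-vip-ips and the policy id 1 of the VIP allow policy are assumptions, and the exact keyword names vary between FortiOS releases, so confirm them with "?" in your own CLI. The entry filters on severity instead of naming one signature because the numeric id of HTTP.URI.SQL.Injection is not on this page. The expiry bounds the damage of a false positive, which is the risk this reply warns about, and quarantine-log keeps a record of why a host was blocked.

```fortios
# Added example, not from the original post. web-vip-ips and policy id 1 are assumed.
config ips sensor
    edit "web-vip-ips"
        set comment "block and quarantine attackers hitting the web VIP"
        config entries
            edit 1
                set severity high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 1d
                set quarantine-log enable
            next
        end
    next
end

config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "web-vip-ips"
    next
end
```

Quarantined hosts can be listed with "diagnose user quarantine list", which is the first place to look when a legitimate user reports being unable to reach the site; a short expiry such as the one above means a false positive clears itself instead of needing a manual release.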