FortiGate
mturic
Staff
Article Id 192015

Description

 

This article describes how to recognise and mitigate a brute-force attempt (or attack) against the administrator login. Such an attack is diagnosed by the following event-log messages, seen repeatedly and/or in quantity (assuming Event logging and Admin events are enabled):

 

Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name.

 

After the lockout threshold is reached (three consecutive failed attempts from the same source by default), the following message is logged:

 

Login disabled from IP xxxx for 60 seconds because of too many bad attempts.

 

In most cases these attempts are generated by automated tools running on many compromised hosts, scanning the Internet for reachable SSH and HTTPS management interfaces in order to exploit known vulnerabilities and/or brute-force passwords.
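As an added example (not part of the original article), the following Python script applies the diagnosis described above to exported FortiGate event logs: it parses the key=value syslog lines, counts failed administrator logins per source address inside a sliding time window, and also picks up the "Login disabled" lockout message, so a single lockout event is enough to flag a source even if the individual failures were not exported. The embedded log lines are constructed for the example: the field names follow the FortiGate key=value layout, but the addresses and timestamps are made up. The detection threshold of 3 mirrors the firewall's default lockout threshold; the five-minute window is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the key=value style of FortiGate event logs. Field names
# follow the usual FortiOS layout; every address, user and timestamp is made up.
SAMPLE_LOG = """\
date=2024-03-01 time=10:00:01 type="event" subtype="system" level="alert" user="root" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" msg="Administrator root login failed from ssh(198.51.100.7) because of invalid user name"
date=2024-03-01 time=10:00:02 type="event" subtype="system" level="alert" user="admin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed from ssh(198.51.100.7) because of invalid password"
date=2024-03-01 time=10:00:03 type="event" subtype="system" level="alert" user="test" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" msg="Administrator test login failed from ssh(198.51.100.7) because of invalid user name"
date=2024-03-01 time=10:00:04 type="event" subtype="system" level="warning" msg="Login disabled from IP 198.51.100.7 for 60 seconds because of too many bad attempts"
date=2024-03-01 time=10:01:10 type="event" subtype="system" level="alert" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" msg="Administrator admin login failed from https(203.0.113.9) because of invalid password"
date=2024-03-01 time=10:01:15 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.9)"
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the two messages the article uses as indicators
FAIL_RE = re.compile(r'Administrator (\S+) login failed from (\w+)\(([\d.:a-fA-F]+)\)')
LOCK_RE = re.compile(r'Login disabled from IP (\S+) for (\d+) seconds')


def parse_line(line):
    """Split one FortiGate log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_brute_force(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source that either produced at
    least `threshold` failed admin logins inside any `window`-long span, or
    that the firewall itself locked out."""
    failures = defaultdict(list)   # ip -> [(timestamp, user, method), ...]
    lockouts = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        msg = rec.get("msg", "")
        m = FAIL_RE.search(msg)
        if m:
            user, method, ip = m.groups()
            failures[ip].append((ts, user, method))
            continue
        m = LOCK_RE.search(msg)
        if m:
            lockouts.add(m.group(1))

    report = {}
    for ip in set(failures) | lockouts:
        events = sorted(failures.get(ip, []))
        # sliding window: any `threshold` consecutive failures within `window`?
        burst = any(
            events[i + threshold - 1][0] - events[i][0] <= window
            for i in range(len(events) - threshold + 1)
        )
        if burst or ip in lockouts:
            report[ip] = {
                "failures": len(events),
                "users": sorted({e[1] for e in events}),
                "methods": sorted({e[2] for e in events}),
                "locked_out": ip in lockouts,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried {info['users']}, "
              f"via {info['methods']}, locked out: {info['locked_out']}")
```

Run against the sample, only 198.51.100.7 is reported: three different user names in three seconds over SSH, followed by the lockout message. The single failed HTTPS login from 203.0.113.9 followed by a success is the ordinary mistyped password and stays below the threshold. Feed the script a real export from Log & Report and the candidates it lists are the addresses to put in a local-in deny policy.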

The steps below reduce the exposure of the management interface and limit what such attempts can achieve.

 

Scope

 

FortiGate.

Solution

 

  1. Set trusted hosts so that each administrator account accepts connections only from known, trusted IP addresses.

    From the GUI, go to System -> Administrators, edit the required account, and set its trusted hosts (a single host or a whole subnet that is allowed to connect to the FortiGate).

    Note that trusted hosts only take full effect when every administrator account has them set: if even one account has no trusted hosts, the FortiGate keeps accepting connections to the administrative services (HTTP/S, SSH) from any IP address, and the restriction only applies to the other accounts. Always include the address you are currently connected from, otherwise the change locks you out.

  2. Change the SSH and HTTPS ports from the defaults (22 and 443) to different, higher ports.

    From the GUI, go to System -> Settings, and edit the SSH port (for example 2202) and the HTTPS port (for example 10500). This does not stop a targeted attacker, since a port scan finds the new ports, but it removes most of the noise from tools that only probe the defaults. Keep the new ports in mind when writing local-in policies: the built-in SSH and HTTPS service objects no longer match them.

  3. Increase the lockout duration to deter the less patient.

    From the CLI:

    config system global
        set admin-lockout-duration 600         <----- Default value is 60 seconds.
    end

    The lockout is triggered after admin-lockout-threshold consecutive failures (default 3) from the same source IP; lowering that threshold is not recommended, because a single mistyped password would then lock out legitimate administrators as well.

  4. Use long and complex passwords.

    Do not use dictionary words or trivial key sequences such as 'qwerty'.
    Enforce strong administrator passwords by setting a password policy under System -> Settings -> Password Policy.

  5. Remove the account named 'admin' after having created at least one other account with the super_admin profile, and after confirming in a separate session that the new account can log in.

  6. Configure a local-in policy to block administrative access from attackers or malicious IPs trying to reach the FortiGate. To configure the local-in policy, follow the steps in the related article 'Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access' listed below.

  7. Implement two-factor authentication to add an extra layer of security by requiring a second form of authentication. Follow the steps in the related article 'Technical Tip: How to activate FortiToken manually for admin account'.
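The following CLI script is an added example, not part of the original article, that applies the steps above in one pass: a replacement super_admin account limited to trusted hosts and protected by a FortiToken, non-default management ports, a longer lockout, an enforced password policy, and a local-in policy pair that accepts management traffic from the trusted network and denies it from everywhere else. The interface name wan1, the 10.10.0.0/24 management network, the 192.0.2.10 jump host, the account name and the port numbers are assumptions for the example; the values in angle brackets are placeholders to fill in before pasting.

```fortios
# Added example, not from the original article. "wan1", 10.10.0.0/24,
# 192.0.2.10, "netops-admin" and the port numbers are assumptions; values in
# angle brackets are placeholders. Paste from a session that is itself inside
# the trusted network, or the trusted-host change locks you out.

# New super_admin account restricted to trusted hosts, with a FortiToken.
config system admin
    edit "netops-admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
        set two-factor fortitoken
        set fortitoken "<FortiToken serial>"
        set password "<long passphrase>"
    next
end

# Non-default management ports and a ten-minute lockout after 3 failures.
config system global
    set admin-sport 10500
    set admin-ssh-port 2202
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
end

# Password policy enforced on administrator passwords.
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 90
end

# Local-in policy. The ports were changed, so the built-in SSH/HTTPS service
# objects no longer match; a custom service covers the new ports.
config firewall address
    edit "mgmt-hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall service custom
    edit "ADMIN-PORTS"
        set tcp-portrange 2202 10500
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "ADMIN-PORTS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ADMIN-PORTS"
        set schedule "always"
        set action deny
    next
end

# Only after a successful login with "netops-admin" in a new session:
config system admin
    delete "admin"
end
```

Local-in policies are evaluated top down, so the accept entry for the trusted network must come before the deny entry. Trusted hosts on the account and the local-in policy overlap on purpose: the policy drops unwanted packets before they reach the SSH or HTTPS daemon, while trusted hosts still protect against an account that is later created without them.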

Related articles:

Technical Tip: How to delete or rename the default 'admin' user

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ... 

Technical Tip: System administrator best practices