Description
This article describes that a brute force attempt (or attack) to the administrator account login is diagnosed by the following logs events, seen repetitively and/or in quantity (assuming Event log and Admin events are enabled):
Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name.
After a few failed log messages, the following message will be seen:
Login disabled from IP xxxx for 60 seconds because of too many bad attempts.
In most cases, these logon attempts are generated by automatic hacker tools running on many compromised computers and scanning for live SSH targets to exploit known vulnerabilities or/and perform password brute force.
This article describes how to avoid this.
Scope
FortiGate.
Solution
- Set Trusted hosts to allow connection only from known and trusted IP addresses.
From the GUI, go to System -> Administrators, edit the required account, and set trusted hosts (can be a single host or a whole subnet) that are allowed to connect to the FortiGate.
Note that if only one administrator account does not have trusted hosts set, FortiGate will allow access to the admin resources (HTTP/S, SSH) from all IP addresses.
In this case, it will only limit the other admins with set trusted hosts to access from those hosts.
Note: It is not possible to configure Trusted Hosts on SSO Admin accounts directly. The option does not exist in the FortiGate GUI, nor is it available in the CLI for any kind of SSO Administrator account (SAML-based SSO, FortiCloud SSO, FortiGate Cloud SSO, etc.). See Technical Tip: How Trusted Hosts work with SSO Admin accounts on the FortiGate.
-
Change the SSH and HTTPS ports from the default (22 and 443) to different higher ports.
From the GUI, go to System -> Settings, and edit the SSH port (set for example to 2202) and HTTPS port (set for example to 10500).
-
Increase the lockout time to deter fewer patients.
From CLI.
config system global
set admin-lockout-duration 600 <----- Default value is 60 seconds.
end
set admin-lockout-duration 600 <----- Default value is 60 seconds.
end
-
Use long and complex passwords.
Do not use dictionary words and trivial key combinations such as 'qwerty'.
Force strong admin passwords by setting the password policy from System -> Settings -> Password Policy.
-
Remove the account named 'admin' after having created other account(s) with a super_admin profile.
-
Configure the local-in policy to block administrative access from attackers or malicious IPs trying to get into the FortiGate. To configure the local-in policy, follow the steps in Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ....
If admin access is limited strictly to the LAN interface, admin logins will still appear in the Security Event logs.
The local-in policy for the external interface is defined as follows:
config firewall local-in-policy
edit 1
set intf wan1
set srcaddr all
set dstaddr all
set action deny
set service HTTPS HTTP SSH
next
end
Note: Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to this KB article: Technical Tip: Creating a Local-In policy (IPv4 and IPv6).
This will allow access only from within the network.
-
Implement Two-Factor Authentication to add an extra layer of security by requiring a second form of authentication. Follow the steps from this KB article: Technical Tip: How to activate FortiToken manually for admin account.
Related articles:
Technical Tip: How to delete or rename the default 'admin' user
Technical Tip: System administrator best practices
Technical Tip: Recommendations and common scenarios for Administrator access on FortiGate
