FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198009

A brute force attempt (or attack) to the administrator account login may be diagnosed by the following logs events, seen repetitively and/or in quantity (assuming Event log and Admin events are enabled) :

Administrator root login failed from ssh( because of invalid user name

...and after a few failed log messages the following message will be seen:

Login disabled from IP xxxx for 60 seconds because of too many bad attempts

In most cases these logon attempts are generated by automatic hacker tools running on many compromised computers and scanning for live ssh targets in order to exploit known vulnerabilities or/and perform password brute force.

This article provides some tips as to how to avoid this.


1. Set Trusted Hosts to allow connection only from known and trusted IP addresses

From the GUI, go to : System > Admin > Administrators > edit required account and set Trusted Hosts (could be a single host or a whole subnet, that are allowed to connect to the FortiGate )


2. Change the SSH port from the default (22) to another port

From the GUI, go to :  System > Admin > Settings > edit SSH port (set for example to 2223).


3. Increase the lockout time to deter the less patient

Run from the CLI:

config system global
set admin-lockout-duration 600
(Default value is 60 seconds)

4. Use long and complex passwords

Do not use dictionary words and trivial key combination such as 'qwerty'
Force strong admin passwords by setting password policy from System > Admin > Settings > Password Policy


5. Remove the account named "admin" after having created other account(s) with a super_admin profile.

See also the related article "Rename or disable an admin account"

Related Articles

Technical Tip: Rename or disable an admin account