Description
This article describes that a brute force attempt (or attack) to the administrator account login may be diagnosed by the following logs events, seen repetitively and/or in quantity (assuming Event log and Admin events are enabled) :
Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name
After a few failed log messages the following message will be seen:
Login disabled from IP xxxx for 60 seconds because of too many bad attempts
In most cases, these logon attempts are generated by automatic hacker tools running on many compromised computers and scanning for live SSH targets to exploit known vulnerabilities or/and perform password brute force.
This article provides some tips as to how to avoid this.
Scope
FortiGate.
Solution
- Set Trusted Hosts to allow connection only from known and trusted IP addresses
From the GUI, go to System -> Administrators -> Edit the required account and set Trusted Hosts (could be a single host or a whole subnet, that is allowed to connect to the FortiGate). - Change the SSH port from the default (22) to another port.
From the GUI, go to System -> Settings -> Edit SSH port (set for example to 2223).
-
Increase the lockout time to deter the less patient.
Run from the CLI:
config system global
set admin-lockout-duration 600
end
(Default value is 60 seconds).
-
Use long and complex passwords.
Do not use dictionary words and trivial key combinations such as 'qwerty'.
Force strong admin passwords by setting password policy from System -> Settings -> Password Policy. -
Remove the account named 'admin' after having created other account(s) with a super_admin profile.
Related article:
