This article describes how to process a brute force attack on SSL VPN login attempts with random users/unknown users and how to protect from SSL VPN brute-force logins.

The attacker is trying to use a dynamic IP address and random admin user account to login via SSL VPN.

Solution

In this situation, process as follows:

1. Use strong passwords for all accounts: This includes password rules like in this example:

• Passwords must have a minimum length of 12 characters.
• Passwords must contain numbers.
• Passwords must contain special characters.
• Passwords must contain upper '-' and lowercase letters.
• Passwords must have an age below 8 weeks.
  
  

2. Implement Two-factor authentication for all accounts: Two-factor authentication prevents an attacker from being able to log in to an account only with a username and password.With the third factor, the attacker needs access to additional information like the smartphone (in case of push token) or a 6-digit number (in case of mobile or hardware Tokens).

Related documents:

Set up FortiToken two-factor authentication

Technical Tip: Email Two-Factor Authentication on FortiGate

3. Ensure, that admin users have no access to the SSL-VPN portal.It is recommended to differentiate user accounts that are allowed to access VPN solutions and administrative accounts that are only allowed to access the administrative interfaces. 
4. Change the listening Port for the SSL-VPN portal. Using another port is an easy but effective measurement if an attacker is only probing the default port of an application.Do not forget to change the port on all VPN clients too. Otherwise, the connection will break.

Related document:

Configuring the SSL VPN tunnel

5. Limit the count of failed login attempts until the user is banned.There is a KB article regarding the implementation of a login limit for SSL-VPN: Technical Tip: How to limit SSL VPN login attempts and block duration
6.  Restrict the source IP address area. If users only need access to the SSL-VPN portal from a specific source address or range, it is possible to limit the allowed source addresses to those addresses and also restrict users based on country or geography addresses.
7. Disable Web Mode: If there is no use for the web portal, it is recommended to disable it and add a blank replacement message: Technical Tip: How to create a blank page for SSL VPN Portal with replacement messages.
   To look at the source of the attacks (Web Mode), navigate to the following:
   

   Filter by action="ssl-login-fail" tunneltype="ssl-web" Log & Report -> System Events -> VPN Events.

8. If there are no requirements for a specific authentication mechanism such as LDAP/Radius/Local authentication, do not include these users/groups within SSLVPN settings as it prevents servers from being contacted. 
9. Use custom web portal with web mode and tunnel mode disable for default portal.
   See Technical Tip: How to disable SSL VPN Web Mode or Tunnel Mode in SSL VPN portal
10. To prevent attempts locking out user account on remote authentication server, use SSLVPN realm : Technical Tip: Prevent SSL VPN login attempts from locking out user accounts on a remote authenticat... 

Note:

Creating an authentication rule or local-in policy to restrict SS LVPN connections will help to reduce the login and failed attempts seen under Log & Reports -> System Events -> VPN events.

Related articles:

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr....

Technical Tip: Restricting/Allowing access to the FortiGate SSL-VPN from specific countries or IP ad....