FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mpeddalla
Staff
Staff
Article Id 224096
Description

This article describes how to process when there is brute force attack on SSL-VPN login attempts with random users/unknown users and how to protect from SSL-VPN brute-force logins.

Attacker is trying to use dynamic IP address and random admin user account to login via SSL-VPN.

Scope FortiGate.
Solution

In this situation, process as below:

 

  1. Use strong passwords for all accounts: This includes password rules like in this example:

 

  • Passwords must have a minimum length of 12 characters.
  • Passwords must contain numbers.
  • Passwords must contain special characters.
  • Passwords must contain upper '-' and lowercase letters.
  • Passwords must have an age below 8 weeks.

 

  1. Implement Two-factor authentication for all accounts: Two-factor authentication prevents an attacker from being able to log in to an account only with a username and password.With the third factor, the attacker needs access to additional information like the smartphone (in case of push token) or a 6-digit number (in case of mobile or hardware Tokens).

 

Related documents:

Set up FortiToken two-factor authentication

Technical Tip: Email Two-Factor Authentication on FortiGate

 

  1. Ensure, that admin users have no access to the SSL-VPN portal.It is recommended to differentiate user accounts that are allowed to access VPN solutions and administrative accounts that are only allowed to access the administrative interfaces. 
  2. Change the listening Port for the SSL-VPN portal. Using another port is an easy but effective measurement if an attacker is only probing the default port of an application.Do not forget to change the port on all VPN clients too. Otherwise, the connection will break.

 

Related document:

Configuring the SSL VPN tunnel

 

  1. Limit the count of failed login attempts until the user is banned.There is a KB article regarding the implementation of a login limit for SSL-VPN: Technical Tip: How to limit SSL VPN login attempts and block duration
  2.  Restrict the source IP address area. If users only need access to the SSL-VPN portal from a specific source address or range, it is possible to limit the allowed source addresses to those addresses nd  also restrict users based on country or geography addresses.
  3. Disable WebModeIf there is no use for the web portal, it is recommended to disable the portal to reduce the number of attempts observed. To look at the source of the attacks (Web Mode), navigate to the following:
  • Log & Report --> System Events --> VPN Events.
  • Filter by action="ssl-login-fail" tunneltype="ssl-web" .

 

There is a KB article that explains everything (note the last part too):

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...

Technical Tip: Restricting/Allowing access to the FortiGate SSL-VPN from specific countries or IP ad...