FortiGate
Kush_Patel
Staff
Article Id 269785
Description This article describes how to prevent malicious actors from using brute-force attacks on the FortiGate to access SSL-VPN.
Scope FortiGate.
Solution

Attackers favor the Tor network for the anonymity it provides, so a large share of SSL-VPN brute-force attempts arrive from Tor exit nodes. The method described here applies only when SSL-VPN is configured to listen exclusively on a loopback interface: neither the SSL-VPN settings nor a local-in policy currently accept ISDB (Internet Service Database) objects, so the block cannot be applied to an SSL-VPN listener bound directly to the WAN interface. Publishing the listener through a VIP to a loopback interface instead makes the traffic pass through regular firewall policies, where the ISDB objects for Tor exit nodes, Tor relays and VPN anonymizers can be used as the source of a deny policy placed above the SSL-VPN allow policy.

Note that this only blocks source addresses currently listed in the FortiGuard ISDB feed. Attempts from addresses outside those lists still reach the SSL-VPN listener, so this control complements, rather than replaces, strong authentication on the VPN.

 

First, create a loopback interface with a dummy IP address that is not used or reachable anywhere else in the network:

Loopbackinterface.png

Next, create a custom service for the TCP port on which SSL-VPN will listen (port 14144 in this example):

service.png

Create a VIP that forwards traffic arriving on the WAN interface on that port to the loopback interface:

vip.png

Configure SSL-VPN to listen on the loopback interface and on port 14144:

sslvpn.png

Configure firewall policies so that traffic from the Tor ISDB objects is denied while all other sources are allowed to reach the SSL-VPN listener. The deny policy must sit above the allow policy:

firewall_policy.png

 

When an ISDB object is selected as the source of a firewall policy, the GUI does not offer the VIP as a destination, so the deny policy (Policy ID 8, 'Block TOR', in this example) has to be created with a regular destination such as 'all'.

A deny policy whose destination is not the VIP does not match traffic that the VIP has already translated unless 'match-vip' is enabled on that policy. If the deny policy is not matching, enable 'match-vip' using the CLI as follows (on recent FortiOS releases it is already enabled by default, in which case the command changes nothing; 'show full-configuration firewall policy 8' shows the effective value):

config firewall policy
    edit 8
        set match-vip enable
    next
end

policywithvip.png
