Fortinet Forum
DanieleS99
New Contributor III

Block brute force SFTP on a specific port

Hi,

I'm trying to figure out what the best solution could be to block access attempts to our SFTP server on a specific port (e.g. 2222). The DoS policy seems to me a valid option, except that it presents some problems: setting a high enough threshold does not mean that all attacks are correctly intercepted.
Conversely, setting a threshold that is too low can lead to false negatives.
Could creating a custom signature be a solution? In that case, would I somehow need to decrypt the traffic, or am I wrong? How could this be done, in your opinion?

Thank you very much

3 REPLIES
metz_FTNT
Staff

Hello,

You can try the built-in signature for FTP brute force:

https://fortiguard.fortinet.com/encyclopedia/ips/22909

The IPS engine marks traffic based on packet content instead of port mapping, unless a specific port is specified in the signature (it is not in this one); therefore, if the traffic is FTP, it should match regardless of the port number.

Now, since you ask about FTPS, you will have to configure your SSL inspection profile accordingly, and since it will be in "protect server mode" if you are protecting a server, you can only do this part in the CLI, for example:

config firewall ssl-ssh-profile
   edit "test"
       config ftps
           set ports 2222
           set status deep-inspection
       end
       set server-cert-mode replace
       set server-cert "test_cert"
   next
end

DanieleS99
New Contributor III

Thanks for the reply,

Since it is SFTP traffic, could the SSH.connection.brute.force signature also fit? Also, is it possible to change the default signature thresholds?

Thanks again

DanieleS99
New Contributor III

I tried the SSH.connection.brute.force signature and luckily it works even without decrypting the traffic. I also found a way to modify the thresholds.

Thanks
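An added example, not from the thread or from Fortinet's documentation, of how the resolution above can look in the FortiOS CLI: an IPS sensor carrying the SSH.connection.brute.force signature with its own rate threshold, attached to the policy that allows port 2222 to the SFTP server, with no SSL/SSH inspection profile needed since the signature matches without decryption. The sensor, policy, interface, address and service names are assumptions, the `#` lines are explanatory comments, and RULE_ID_PLACEHOLDER must be replaced with the signature's numeric ID, which the thread does not give.

```text
# Added example (not from the thread). Names are assumptions.
# 1) Custom service for the non-standard SFTP port.
config firewall service custom
    edit "SFTP-2222"
        set tcp-portrange 2222
    next
end

# 2) IPS sensor with SSH.connection.brute.force and an overridden threshold.
config ips sensor
    edit "sftp-bruteforce"
        config entries
            edit 1
                # Numeric ID of SSH.connection.brute.force from FortiGuard;
                # the thread does not give it, so this is a placeholder.
                set rule RULE_ID_PLACEHOLDER
                set status enable
                set action block
                # Threshold override (example values): count per source IP,
                # block after 10 connections within 60 seconds.
                set rate-count 10
                set rate-duration 60
                set rate-mode periodical
                set rate-track src-ip
                # Also quarantine the offending source for 5 minutes.
                set quarantine attacker
                set quarantine-expiry 5m
            next
        end
    next
end

# 3) Apply the sensor on the inbound policy for the SFTP server.
config firewall policy
    edit 0
        set name "inbound-sftp-2222"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "sftp-server"
        set service "SFTP-2222"
        set action accept
        set schedule "always"
        set utm-status enable
        set ips-sensor "sftp-bruteforce"
    next
end
```

The rate settings replace the signature's default threshold only inside this sensor, so other sensors keep the FortiGuard default.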