Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ricky76
New Contributor

Large traffic from a frauded email account - how to use IPS

Hi, I'm facing the following issue. On our FortiGate 110C I'm observing a lot of traffic originating from an email account. This email account was frauded and someone is trying to register it with the wrong password on our servers in the local network, generating a lot of traffic.

Unfortunately we can't block this account because it is in use every day by our customer. So I tried to use the IPS sensor in default mode, but then no mails are delivered. How can I configure the IPS sensor so that it blocks the malicious traffic and permits the legitimate traffic? Could you please give some advice? In this situation the firewall CPU is at 100%.

 

Thanks.

Ricky

ede_pfau
Esteemed Contributor III

I don't quite understand the situation from your post:

- the traffic is from where to where - internal to internal?

- which kind of traffic - SMTP, IMAP,...?

- why did you think that an IPS sensor with "default" settings would block this specific traffic? Why IPS in the first place?

 

Lots of questions. If you could be more specific we can try to help you here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ricky76
New Contributor

Hi ede_pfau,

The traffic is from the WAN to the internal LAN.

 

This email account is in use by our customer and I can't use an email filter, otherwise no more mail is sent or received.

We already changed the email password a lot of times with no luck. We cancelled the email account on the client PC but the traffic doesn't stop anyway.

So I supposed that maybe an IPS sensor can help in this scenario, am I wrong?

If not, how can I limit or stop this traffic?

Often the firewall's CPU goes to 100% and I'm forced to kill the netscan process to regain normal behaviour.

 

Thanks.

Ricky

ede_pfau
Esteemed Contributor III

OK, first reduce all UTM features in use on that policy to guarantee stable operation of your firewall. Not blocking / scanning connection attempts should not bring your FGT down, or else it's way too small.

 

Second, you can use a 'rate limit' IPS filter to specifically block connections with too many connection attempts per time interval. The 'how-to' depends on the firmware version you're using. From v5.2 on, rate limit IPS sensors can be defined in the WebGUI; on older versions, in the CLI.

Either there is already a signature for SMTP login, or IMAP login (you didn't answer which kind of traffic you want to block), or you'll write one yourself. The main point is that the sensor checks the server's answer - in case of password mismatch it'll be some text string like 'login error' or such. That depends on the protocol used, but it's well defined and you should be able to google for it.

 

You can find examples of rate limit IPS signatures in the forums, even by me. Keyword is 'rate limit' or 'custom IPS signature'. Then adapt the values in the sensor to your situation.

 

When the sensor triggers (for example, after 3 unsuccessful login attempts) the FGT can block any further connection attempts from this source IP address for a period of time (minutes, hours,...). That should bring your traffic load down a lot.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ricky76

Hi Ed,

I think it's a good solution and I'm going to try.

My firmware version is v5.0,build0252 (GA Patch 5), so the only way is to proceed via CLI commands.

I'm searching in the forum for an example...

ricky76

Hi Ede,

could you please give me a direct link or an example for this?

I can't find it...

 

Thanks

ede_pfau
Esteemed Contributor III

Oh c'mon...took me 5 seconds.

https://forum.fortinet.com/tm.aspx?m=123966

complete with a ready-to-use custom signature to protect from SMTP logins. Thanks to Ken Felix / emnoc. Read his blog, often.

 

You haven't commented yet on which kind of traffic you want to act on - SMTP, IMAP? If you don't know that, this custom signature won't help much.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ricky76

Hi Ede,

Thanks a lot, the traffic I want to block is SMTP and IMAP (and now I noticed also Telnet and POP3...).

 

Ricky

ede_pfau
Esteemed Contributor III

You can restrict the sensor to the actual services you offer. If your server offers all of the mentioned services, you'll have to modify the custom sensor a bit:

config ips custom
    edit "SMTP_AUTH"
        set signature "F-SBID(
->          --attack_id 1001; --revision 1; --name \"SMTP_AUTH_FAILURE\";
->          --service SMTP;
            --protocol tcp; --tcp_flags PA;
            --pattern \"535 5.7.8 Authentication credentials invalid\";
            --flow from_server,reversed; --track dst_ip; --rate 2,90;)"
        set comment "2 failed SMTP authentication attempts within 90 seconds"
    next
end

For multiple versions, you have to modify the 'attack_id' (must be unique) and the 'name'. I personally never used the 'revision' parameter. The 'service' parameter determines the TCP port to observe and needs to match the SMTP, IMAP, POP3 and Telnet well-known ports.

 

Notice that I have changed small details of the original definition. The lines to change are marked.

If your server varies the reply string for each service, you'll have to adjust that as well.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
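The rate-limit behaviour Ede describes (count failed-login replies from the server per client IP, trip after 2 within 90 seconds, then quarantine that IP for a while) as an added simulation; this is not code from the thread or from Fortinet, and it goes beyond the SMTP-only signature above by counting each service separately, the way one custom signature per service would. The IMAP and POP3 failure strings and the 300-second quarantine are assumptions; the 535 5.7.8 string is the one used in the thread, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque

# Server replies that count as a failed login, per service, as a --pattern
# in a rate-limit signature would match them. Only the SMTP string comes
# from the thread; the IMAP/POP3 strings are assumed (Dovecot-style) and
# must be replaced with what your own mail server really sends.
FAILURE_PATTERNS = {
    "SMTP": re.compile(r"^535 5\.7\.8 Authentication credentials invalid"),
    "IMAP": re.compile(r"^\S+ NO \[AUTHENTICATIONFAILED\]"),
    "POP3": re.compile(r"^-ERR \[AUTH\]"),
}

RATE_COUNT, RATE_WINDOW = 2, 90      # --rate 2,90 from the thread
QUARANTINE_SECS = 300                # assumed quarantine period

def find_offenders(events):
    """events: iterable of (ts_seconds, service, client_ip, server_reply).
    Mirrors --track <ip> --rate 2,90 for one signature per service: failures
    are counted per (service, client IP) in a sliding 90 s window; at the
    second one the IP is quarantined (all services) until ts + 300 s.
    Returns {client_ip: block_until}."""
    window = defaultdict(deque)      # (service, ip) -> recent failure times
    blocked = {}
    for ts, service, ip, reply in sorted(events):
        pat = FAILURE_PATTERNS.get(service)
        if pat is None or not pat.search(reply):
            continue                 # success reply or unknown service
        if ip in blocked and ts < blocked[ip]:
            continue                 # already quarantined, not counted
        q = window[(service, ip)]
        q.append(ts)
        while q and ts - q[0] > RATE_WINDOW:
            q.popleft()              # forget failures older than the window
        if len(q) >= RATE_COUNT:
            blocked[ip] = ts + QUARANTINE_SECS
            q.clear()
    return blocked

# Constructed sample: 198.51.100.7 fails SMTP twice within 40 s and is
# quarantined (its later IMAP failure is ignored); 203.0.113.5 fails POP3
# twice 70 s apart and is quarantined; 192.0.2.9 logs in successfully.
SAMPLE_EVENTS = [
    (0,   "SMTP", "198.51.100.7", "535 5.7.8 Authentication credentials invalid"),
    (10,  "SMTP", "203.0.113.5",  "535 5.7.8 Authentication credentials invalid"),
    (40,  "SMTP", "198.51.100.7", "535 5.7.8 Authentication credentials invalid"),
    (50,  "SMTP", "192.0.2.9",    "235 2.7.0 Authentication successful"),
    (60,  "IMAP", "198.51.100.7", "a001 NO [AUTHENTICATIONFAILED] Authentication failed."),
    (130, "POP3", "203.0.113.5",  "-ERR [AUTH] Authentication failed."),
    (200, "POP3", "203.0.113.5",  "-ERR [AUTH] Authentication failed."),
]

if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE_EVENTS).items():
        print(f"quarantine {ip} until t={until}s")
```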
ricky76

Hi Ed,

I created the following signature:

 

config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 1000; --name \"SMTP_AUTH_FAILURE_Riza\"; --service SMTP;
            --protocol tcp; --tcp_flags PA;
            --pattern \"535 5.7.8 Authentication credentials invalid\";
            --flow from_server,reversed; --track dst_ip; --rate 2,90,limit;)"
        set comment "2 failed SMTP authentication attempts within 90 seconds"
    next
    edit "IMAP_AUTH01"
        set signature "F-SBID( --attack_id 1001; --name \"IMAP_AUTH_FAILURE_Riza\"; --service IMAP;
            --protocol tcp; --tcp_flags PA;
            --pattern \"535 5.7.8 Authentication credentials invalid\";
            --flow from_server,reversed; --track dst_ip; --rate 2,90,limit;)"
        set comment "2 failed SMTP authentication attempts within 90 seconds"
    next
end

Then I created an IPS custom sensor and applied it to the policy from WAN to LAN.

In the Intrusion Protection log I can't see any traffic.

What am I doing wrong?

 

Thanks.

Ricky
