Support Forum
Randy_Redekopp
New Contributor

Automatically block IP

Each day, I see numerous (as in 1000's) of invalid login attempts on my network through our RemoteApp web interface. I see this in the security log of the target machine. There are usually a dozen or so IP addresses that these come from each day. I have been noting the IP that the requests are coming from and then I add a policy rule which blocks incoming and outgoing traffic to that IP. This works but requires manual review, and only occurs after the attempts have been running for a while (I have an alert set up on the event log for when an account is locked out from too many invalid login attempts). I know this is not a good way to do this but don't know how to do it any other way. Any suggestions for how to automate this on my FortiGate or other approaches that I should be considering? Thanks.
-Randy-
1 REPLY
ede_pfau
SuperUser

Hi, you can try to install a DoS sensor to stop this. It should trigger on the SYN flag (when starting a new session), filtered by port, when the rate of login attempts exceeds a given limit. Like 10 logins per minute, per source IP address. Additionally, consider this: a DoS signature only blocks a running attack. A triggered IPS signature can additionally quarantine the source IP for a certain period of time. IPS consumes more resources than DoS policy but in your case it would trigger instantly, and then block the source IP for say 20 minutes. So you'll get at most 72 attacks logged per day. Here's an example blocking/quarantining ssh login attacks: http://support.fortinet.com/forum/tm.asp?m=81338&p=1&tmode=1&smode=1 showing the rate signature in detailed screenshots.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
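The reply above describes the detection logic in words: count failed logins per source IP in a sliding one-minute window, trip at 10, quarantine the source for 20 minutes, which caps one source at 72 triggers per day. The Python below is an added illustration of that logic replayed over constructed log lines; it is not code from this thread, from Fortinet, or a FortiGate configuration. The `EventID=4625 SourceIP=...` line format, the two IP addresses and the timestamps are all made up for the demo; only the 10-per-minute and 20-minute thresholds come from the reply.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the reply: 10 failed logins per minute per source IP
# trips the signature; the source is then quarantined for 20 minutes.
RATE_LIMIT = 10
WINDOW = timedelta(minutes=1)
QUARANTINE = timedelta(minutes=20)

# Hypothetical one-line log format used only for this demo (constructed, not a
# real Windows event export; real 4625 events carry "Source Network Address").
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<eid>\d+) SourceIP=(?P<ip>[\d.]+)$"
)


def parse_failed_logon(line):
    """Return (timestamp, source_ip) for a failed-logon line (EventID 4625), else None."""
    m = LOG_RE.match(line)
    if not m or m.group("eid") != "4625":
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


class RateQuarantine:
    """Per-source sliding-window rate detector with a time-limited quarantine."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW, quarantine=QUARANTINE):
        self.limit, self.window, self.quarantine = limit, window, quarantine
        self.attempts = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked_until = {}             # ip -> end of its quarantine

    def observe(self, ts, ip):
        """Classify one failed logon: 'blocked' (in quarantine), 'trigger' (rate just exceeded) or 'allow'."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[ip] = ts + self.quarantine
            q.clear()
            return "trigger"
        return "allow"


def max_blocks_per_day(quarantine_minutes):
    """Upper bound on how often one source can trip the signature in a day (24h / quarantine)."""
    return (24 * 60) // quarantine_minutes


def constructed_log():
    """Constructed sample lines (not real data): one brute-forcing source, one user with a few typos."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # attacker: 15 failures four seconds apart, then one at +10 min and one at +25 min
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=4 * i)).strftime(fmt)} EventID=4625 SourceIP=203.0.113.7")
    lines.append(f"{(base + timedelta(minutes=10)).strftime(fmt)} EventID=4625 SourceIP=203.0.113.7")
    lines.append(f"{(base + timedelta(minutes=25)).strftime(fmt)} EventID=4625 SourceIP=203.0.113.7")
    # legitimate user: three failures spread over a minute, then a success (4624, ignored by the parser)
    for s in (0, 30, 60):
        lines.append(f"{(base + timedelta(seconds=s)).strftime(fmt)} EventID=4625 SourceIP=198.51.100.5")
    lines.append(f"{(base + timedelta(seconds=70)).strftime(fmt)} EventID=4624 SourceIP=198.51.100.5")
    return lines


def run_demo(lines=None):
    """Replay a log through the detector; returns verdict counts and quarantine end times per IP."""
    events = [e for e in map(parse_failed_logon, lines or constructed_log()) if e]
    events.sort()
    det = RateQuarantine()
    counts = {"allow": 0, "trigger": 0, "blocked": 0}
    for ts, ip in events:
        counts[det.observe(ts, ip)] += 1
    return {
        "counts": counts,
        "quarantined": {ip: t.strftime("%Y-%m-%d %H:%M:%S") for ip, t in det.blocked_until.items()},
    }


if __name__ == "__main__":
    print(run_demo())
    print("max triggers per source per day:", max_blocks_per_day(20))
```

In the replay the attacker's tenth failure (36 seconds in) trips the signature and puts 203.0.113.7 in quarantine until 08:20:36; the remaining attempts inside that window are dropped without being counted again, while the user who mistyped three times is never touched. The 25-minute attempt lands after the quarantine has lapsed and starts a fresh count, which is why the reply's ceiling is 1440 / 20 = 72 triggers per source per day.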