Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
moreira00
New Contributor

Block IP to Black List after SSH Failed Login Attempts

Good afternoon,

 

I'm receiving several attempts to attack my ssh service, I would like to know how I can block by IP to blacklist after 3 wrong attempts.

 

Message meets Alert condition

The following critical firewall event was detected: Admin login failed.

date=2021-07-12 time=22:58:34 devname=XXXXXXXXXXXX devid=XXXXXXXXXXX logid="XXXXXX" type="event" subtype="system" level="alert" vd="root" eventtime=XXXXXXXtz="+0100" logdesc="Admin login failed" sn="0" user="XXXXXXXXXXXX" ui="ssh(XXXXXXX)" method="ssh" action="login" status="failed" srcip=XXXXXXXXX dstip=XXXXXXXXX reason="passwd_invalid" msg="Administrator admin login failed from ssh(XXXXXXXXXX ) because of invalid password" 

 

Someone can help me?

Thks

5 REPLIES 5
emnoc
Esteemed Contributor III

So this is a login to system admin, just define your fail login attempts and set an extreme long lockout.

 

Also if this is a common username like "admin" or "administrator" do NOT use these. You can delete "admin" account from the fortios cfg by creating a new admin with super-user  then logging in with new user and rename "admin" and delete "admin"

 

http://socpuppet.blogspot...ate-admin-account.html

 

And lastly , do not use port 22 for ssh and a untrust service.

 

here's what we do;

 

config sys global

    set admin-login-max 100

    set admin-lockout-duration 2147483647

    set admin-lockout-threshold 10

    set admin-scp enable

    set admin-server-cert "vpn1"

    set admin-ssh-port 2022

end

 

Other actions you can do;

 

Ensure you have trust host sets and use MFA for logins.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi

FYI: at least with 6.2 or later, you can delete the user name "admin" without renaming it.

moreira00

Thank you for your reply

 

I understand your point... but there's any why to do this "block by IP to blacklist after 3 wrong attempts" trying to brute force... any machine in my network???

 

Thank you

Tonyk
New Contributor II

Seems since this last response/question was asked in 2021 and has no replies, the answer would be "Nope"?

I've been getting an ip from the China ISP hitting my firewall with a constantly running script thats been trying to do an SSH login for a few weeks now. 
Its trying to login with a non-existent admin login, but still want to block the login attempt from happening.

There really is no way (short of changing ssh port#)  to prevent the firewall from even bringing up a login prompt to blacklisted IPs or blocks of IPs?
We have Admin accounts restricted to trusted hosts only, but looking to harden further and stop our firewall from being hammered by these constant  login attempts

 

I'm researching setting up the local-in-policy 
It seems this can be set up (via CLI only?) to do what I am looking for?

 

HarshChavda
Staff
Staff

Hello @moreira00 ,

 

You can configure an "anomaly detection" sensor and apply it to the security policy that allows SSH traffic. Within the anomaly sensor, you can define the parameters to consider an SSH brute force attack and take actions like blocking the IP. FortiGate's Intrusion Prevention System (IPS) includes predefined signatures to detect SSH brute-force attacks. Apply the IPS sensor to the security policy controlling your SSH access. Manually add offending IP addresses to an address object and set it to be "blocked" in the appropriate policy. This approach is not dynamic but can be useful for known malicious IP addresses. You can also set up a DoS policy to limit the number of SSH connections per second from an IP address. 

 

For Anamoly Detection,  Configure the sensor to detect SSH brute force attempts. You may set the threshold for the number of attempts and the action to take when the threshold is exceeded. Apply this sensor to the security policy that controls SSH access.  For IPS sensor, Under IPS Sensors, edit the sensor applied to your SSH policy or create a new one. Enable the signatures related to SSH brute-force attacks. Apply the IPS sensor to the security policy that allows SSH access. Create a new DoS policy where the service is set to SSH. Set the Action to Rate Limit and define the maximum allowable rate.

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors