Hi,
I'm trying to figure out what could be the best solution to block access attempts to our SFTP server on a specific port (for example 2222). The DoS policy seems to me a valid option, except that it presents some problems: setting a high enough threshold does not mean that all attacks are correctly intercepted.
Conversely, setting a threshold too low can lead to false negatives.
Could creating a custom signature be a solution? In that case, would I somehow need to decrypt the traffic, or am I wrong? How could this be done, in your opinion?
Thank you very much
Hello,
You can try with the built-in signature for FTP brute force:
https://fortiguard.fortinet.com/encyclopedia/ips/22909
The IPS engine marks traffic based on packet content rather than port mapping, unless a specific port is specified in the signature (it is not in this one); therefore, if the traffic is FTP, it should match regardless of the port number.
Now, since you ask about FTPS, you will have to configure your SSL inspection profile accordingly, and since it will be in "protect server" mode if you are protecting a server, you can only do this part in the CLI, for example:
config firewall ssl-ssh-profile
    edit "test"
        config ftps
            set ports 2222
            set status deep-inspection
        end
        set server-cert-mode replace
        set server-cert "test_cert"
    next
end
Thanks for the reply.
Since it is SFTP traffic, could the SSH.connection.brute.force signature also fit? Also, is it possible to change the default signature thresholds?
Thanks again
I tried the SSH.connection.brute.force signature and luckily it works even without decrypting the traffic. I also found a way to modify the thresholds.
Thanks
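The question and the accepted answer both turn on rate thresholds: too high and slow brute-force attempts slip through, too low and a legitimate user who mistypes a password twice gets flagged. The following is an added example, not code from this thread or from Fortinet, that reproduces that trade-off outside the firewall: it parses constructed sshd-style log lines for an SFTP service assumed to listen on port 2222 (as in the question), applies a sliding-window "N failures from one source within W seconds" rule, and reports which sources a given threshold catches or misses. The IP addresses, usernames and timestamps are constructed; the threshold/window mechanism is the same idea the SSH.connection.brute.force signature applies to packets, but the FortiGate-specific CLI for changing it is not shown here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Three sources:
#  - 203.0.113.5  : fast brute force, six failures in 15 seconds
#  - 198.51.100.7 : a real user who mistypes twice, then logs in with a key
#  - 192.0.2.9    : slow brute force, one failure every 75 seconds
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
2024-05-01T10:00:04 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
2024-05-01T10:00:07 sshd[1203]: Failed password for invalid user root from 203.0.113.5 port 51124 ssh2
2024-05-01T10:00:10 sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51125 ssh2
2024-05-01T10:00:13 sshd[1205]: Failed password for invalid user guest from 203.0.113.5 port 51126 ssh2
2024-05-01T10:00:16 sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 51127 ssh2
2024-05-01T10:00:30 sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-05-01T10:00:41 sshd[1208]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-05-01T10:00:55 sshd[1209]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
2024-05-01T10:02:00 sshd[1210]: Failed password for invalid user admin from 192.0.2.9 port 60001 ssh2
2024-05-01T10:03:15 sshd[1211]: Failed password for invalid user admin from 192.0.2.9 port 60002 ssh2
2024-05-01T10:04:30 sshd[1212]: Failed password for invalid user admin from 192.0.2.9 port 60003 ssh2
2024-05-01T10:05:45 sshd[1213]: Failed password for invalid user admin from 192.0.2.9 port 60004 ssh2
"""

# Constructed ground truth used only to score thresholds below.
ATTACKERS = {"203.0.113.5", "192.0.2.9"}

# Matches sshd "Failed password" lines; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a time-sorted list of (timestamp, source_ip) for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("ip")))
    events.sort()
    return events


def detect_bruteforce(events, threshold, window_seconds):
    """Sliding-window rule: alert on a source the first time it reaches
    `threshold` failures within any `window_seconds` span.
    Returns {ip: timestamp_of_first_alert}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps inside the window
    alerts = {}
    for ts, ip in events:
        dq = recent[ip]
        dq.append(ts)
        # Drop failures that have aged out of the window.
        while dq and dq[0] < ts - window:
            dq.popleft()
        if len(dq) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def evaluate_thresholds(events, attackers, thresholds, window_seconds):
    """Score each threshold against labelled attackers: who was caught,
    who was missed (false negative), who was wrongly flagged (false positive)."""
    report = {}
    for t in thresholds:
        flagged = set(detect_bruteforce(events, t, window_seconds))
        report[t] = {
            "detected": sorted(flagged & attackers),
            "missed": sorted(attackers - flagged),
            "false_positives": sorted(flagged - attackers),
        }
    return report


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for t, r in evaluate_thresholds(evs, ATTACKERS, [2, 5], 60).items():
        print(f"threshold={t}/60s  {r}")
```

With a 60-second window, threshold 5 catches the fast attacker with no false positives but misses the slow one, while threshold 2 catches the slow user's typos as well; widening the window to 300 seconds is what finally catches the slow source. Tuning the IPS signature's threshold on the FortiGate involves exactly this choice of count and period.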
Copyright 2025 Fortinet, Inc. All Rights Reserved.