I have many corporate Fortinet firewalls in play, but finally just went and bought one for myself (a 60E, great for home internet and labs), so I am posting with my personal acct, and I am seeing the following weird issue.
I have created an address group blocking a number of countries (Russia and China primarily, seeing connection attempts from various IPs).
While I do 'allow' SSH on wan1, the administrator super_admin and my acct profile_admin are only allowed from certain IP ranges (my inside subnets and the VPN DHCP range I hand out when I connect to my own network from outside) so that's already fairly locked down.
I am seeing logs denying 'admin' by blocked IP because it falls outside trustedhosts range, but if the bots try any other account (that does NOT exist on the Fortinet) it allows the connection to try passwords and then of course fails because there's no such account.
I have created a deny policy referencing the regions and put wan1/wan1 as the from/to because this isn't hitting a VIP, it's just SSH attempts to wan1.
What I was hoping would happen here is that the policy would deny even the attempted connection from source IPs that match the regions and my address group BEFORE allowing the SSH connection and attempting authentication. I have tested this from another static IP that I added to the group and the hitcount does not increase (show matching logs shows nothing hitting the policy at all).
What's happening here where a bad acct can attempt to log in from a region blocked IP but a known acct filters based on the trustedhosts?
These are slow attempts, maybe a few to up to a dozen a day, so definitely not killing my bandwidth, stressing the firewall, or causing any disruptions, but I would still want to deny ANY connections from those regions.
Looking for advice and guidance here.
Thanks!
Hi @FractalSphere,
Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy
Regards,
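The distinction the reply relies on is that regular firewall policies only evaluate traffic forwarded through the unit; a connection that terminates on a FortiGate interface (SSH, HTTPS, VPN, ping) is handled by local-in policy and, for admin logins, by each account's trusted hosts. That is why a wan1-to-wan1 deny policy never records a hit, and why a username that does not exist has no trusted-host list to fail against and reaches the password prompt. The following CLI configuration is an added example written for this thread, not taken from the linked documentation or the original posts. It assumes the interface name wan1 from the question and invents the object names geo-RU, geo-CN and blocked-regions; adjust them to match the address group already on the unit.

```fortios
# Geography-type address objects: FortiOS resolves the source IP against
# its internal GeoIP database at match time (names are assumed for this example).
config firewall address
    edit "geo-RU"
        set type geography
        set country "RU"
    next
    edit "geo-CN"
        set type geography
        set country "CN"
    next
end

# Group the regions so the local-in policy references a single object.
config firewall addrgrp
    edit "blocked-regions"
        set member "geo-RU" "geo-CN"
    next
end

# Local-in policy: evaluated for traffic addressed TO the FortiGate itself
# on wan1, before any admin authentication takes place. Listing the services
# explicitly keeps the policy narrow; add IKE/SSL-VPN ports only if those
# should also be refused from the grouped regions.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-regions"
        set dstaddr "all"
        set service "SSH" "HTTPS" "HTTP" "PING"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are evaluated top down, so an explicit deny for the regions should sit above any accept entries. The same test the poster used applies here: connect from a static IP added to the group and confirm the SSH session is refused at the TCP level rather than reaching a login prompt, and keep the trusted-host restrictions on the admin accounts in place, since they still protect against sources outside the geo-blocked regions.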
While you've restricted SSH access to certain IP ranges for specific accounts, you're still seeing login attempts for non-existent accounts from blocked IPs. You might want to consider implementing additional security measures like rate limiting or intrusion detection to further protect your network.
Copyright 2024 Fortinet, Inc. All Rights Reserved.