Hello all.
Our VPN is getting hammered with spoofed IP addresses and a brute force attack using some of our old (and a few current) company user names. This is causing account lockouts for several users. Our third party guys have put in some IP address blocks, but it's partially effective due to the spoofed IPs/user account combinations, which cause valid users to be blocked intermittently.
We have geo blocking turned on and limited to countries we need to be able to access, but some of the spoofed IPs are within those parameters.
There hopefully is a solution here at Fortinet somewhere, but throwing this out there in case one of you guys have seen this type of attack and found a good solution to shut it down. We can't keep adding IP address blocks forever.
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @james_hull,
I understand your concern, instead of adding malicious IPs manually, you can make this process dynamic. Please refer to this article which will certainly block the ip address if there is an invalid user connection attempt being made.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-lo....
Hello,
you can try also blocking using ISDB to block services which are not expected to connect to you from like: Malicious-Malicious.Server, Hosting-Bulletproof.Hosting, Tor-Exit.Node, VPN-Anonymous.VPN
Next groups to block are different hosting providers like: Akamai-Linode.Cloud, Hetzner-Hetzner.Hosting.Service, OVHcloud-OVHcloud, ColoCrossing-ColoCrossing.Hosting.Service, Microsoft-Azure, DigitalOcean-DigitalOcean.Platform, Alibaba-Alibaba.Cloud, Google-Google.Cloud
When you are blocking IPs first lookup in ISDB if it's not members of another categories you can block also.
It will not stop connections but block lot of them.
Or if it's such big problem switch to IPSEC VPN and disable SSLVPN like it's suggested in latest Forti products versions.
Thanks to both of you for the suggestions.
As an update--we have set up dynamic add of malicious IP addresses, and this works, but were just looking for a more permanent solution as the IP blocks eventually fill up on the FG and a new one has to be created. The issue has dropped off considerably, but I appreciate any and all suggestions. FG isn't my area of expertise, so thanks for your help.
Hello,
The best option in this case is to create an automation to monitor failed attempts and add that to the block list, which you have already implemented.
I would also want to let you know that Fortinet does maintain a Threat Intelligence Feed which is described as follows (https://www.fortiguard.com/premium-services).
However, this is a premium service and wanted to let you know incase if you want to explore more in this direction.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.