
Detection of brute force login attempts

Is it possible to get the Fortigate to detect brute-force login attempts? If so, against which services?
Carl_Wallmark
Valued Contributor

Yes, I believe there are a couple of IPS signatures for that, and you can create custom signatures for your needs.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

ede_pfau
SuperUser

Hi, and welcome to the forums!

If you write an IPS custom signature you can protect almost any service from high connection rates. Basically, the signature detects session inits via the SYN flag. Restrict the sensor to the traffic that you want to protect (ftp, ssh, ...) and combine the 'block' action with a quarantine delay of a couple of minutes. Otherwise the attack just goes on.

See this KB article: "Technical Note : creating custom IPS signature to detect a pattern rate - example to detect a Brute-force attack"
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32342
and an old thread here
http://support.fortinet.com/forum/tm.asp?m=63465
for examples.
Ede Kernel panic: Aiee, killing interrupt handler!
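
The rate-and-quarantine logic described in the reply above, modeled as an added Python example (not part of the original posts, and not FortiGate signature syntax). The class name, thresholds, ports and sample packets are hypothetical and constructed; the model assumes a quarantined source is dropped on every port.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (time_s, src_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    (0, "203.0.113.7", 22, "S"), (1, "198.51.100.20", 22, "S"),
    (2, "203.0.113.7", 22, "S"), (3, "198.51.100.20", 22, "A"),
    (4, "203.0.113.7", 22, "S"), (6, "203.0.113.7", 22, "S"),
    (8, "203.0.113.7", 22, "S"), (10, "203.0.113.7", 22, "S"),
    (12, "203.0.113.7", 22, "S"), (50, "198.51.100.20", 22, "S"),
    (129, "203.0.113.7", 21, "S"), (200, "203.0.113.7", 22, "S"),
]

class SynRateSensor:
    """Hypothetical model of a rate-based sensor with a quarantine delay."""

    def __init__(self, ports, max_syns, window_s, quarantine_s):
        self.ports = set(ports)              # services the sensor is restricted to
        self.max_syns = max_syns             # SYNs tolerated per source/port in the window
        self.window_s = window_s
        self.quarantine_s = quarantine_s
        self.syn_times = defaultdict(deque)  # (src, port) -> recent SYN timestamps
        self.banned_until = {}               # src -> time the quarantine expires

    def observe(self, ts, src, dport, flags):
        # A quarantined source is dropped before any further inspection.
        if self.banned_until.get(src, 0) > ts:
            return "quarantined"
        # Only session inits (SYN without ACK) to protected ports are counted.
        if dport not in self.ports or "S" not in flags or "A" in flags:
            return "pass"
        times = self.syn_times[(src, dport)]
        times.append(ts)
        while times and times[0] <= ts - self.window_s:
            times.popleft()                  # forget SYNs older than the window
        if len(times) > self.max_syns:
            self.banned_until[src] = ts + self.quarantine_s
            times.clear()
            return "block"
        return "pass"

def run(packets, quarantine_s=120):
    sensor = SynRateSensor(ports={21, 22}, max_syns=5, window_s=60,
                           quarantine_s=quarantine_s)
    return [sensor.observe(*pkt) for pkt in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(pkt, verdict)
```

Running `run(SAMPLE_PACKETS, quarantine_s=0)` shows the case the reply warns about: the source is blocked once and its next attempt passes again.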