Hi,
We run a network of about 100 fortigates, last night we had an attempted SSH logon from 62.75.162.91 on about half of them. These all occured on 11/12 at exactly 6:14pm CT. We are trying to determine if we were targeted (but I have no idea how someone would get a hold of our IPs since there are no publicly accessible servers behind them) or if any other Fortigate sys admins noticed the same thing?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
My terse response below
lock down ssh access if required
better yet , define a ssh port other 22 ( I use 2022 or 2222 )
e.g http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
block cbc base ciphers if you can
use MFA for admin access & if you can't lock it down and must allow ssh open
delete any references to "admin" and create system accounts that has NO admin in the name or root
or force user to use ipsec/sslvpn into the appliance and then ssh once secured thru that tunnel to maybe a local-loopback
e.g here's one approach YMMV
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
Now go drink a wheat beer and don't worry about it ;)
Seriously, brute-force attacks or ssh-login is nothing new. And as long as you have tcp.port22 open to the world, you will always seen failed logins. Why all your devices at at the same time, tells me it a admin of your network or somebody that was testing something and knows your addresses.
PCNSE
NSE
StrongSwan
Can you copy paste the syslog message?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.