Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ATC
New Contributor

Invalid Logons last night from 62.75.162.91

Hi,

 

We run a network of about 100 fortigates, last night we had an attempted SSH logon from 62.75.162.91 on about half of them. These all occured on 11/12 at exactly 6:14pm CT. We are trying to determine if we were targeted (but I have no idea how someone would get a hold of our IPs since there are no publicly accessible servers behind them) or if any other Fortigate sys admins noticed the same thing?

2 REPLIES 2
emnoc
Esteemed Contributor III

My terse  response below

 

lock down ssh access if required

better yet , define a ssh port other  22 ( I use 2022 or 2222 )

e.g http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

block cbc base ciphers if you can

use  MFA for admin access &  if you can't lock it down and must allow ssh open

delete any references to "admin"  and create  system accounts that has NO admin in the name or root

or force  user to use ipsec/sslvpn into the  appliance  and then ssh once secured thru that tunnel to maybe a local-loopback

 

e.g here's one approach YMMV

 

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

 

 

Now go drink a  wheat beer and don't worry about it ;)

 

 

Seriously,  brute-force attacks or  ssh-login is nothing new. And as long as you have tcp.port22 open to the world, you will always seen failed logins. Why all your  devices at at the same time, tells me it a admin of your network or somebody that was testing something and knows your addresses.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
packetpusher
Contributor

Can you copy paste the syslog message?

Labels
Top Kudoed Authors