Hi, I'm facing the following issue. On our FortiGate 110C I'm observing a lot of traffic originating from an email account. This email account was compromised and someone is trying to log in to it with the wrong password on our servers in the local network, generating a lot of traffic.
Unfortunately we can't block this account because it is in use every day by our customer. So I tried to use the IPS sensor in default mode, but then no mail is delivered. How can I configure the IPS sensor in order to block the malicious traffic and permit the legitimate traffic? Could you please give some advice? In this situation the firewall CPU is at 100%.
Thanks.
Ricky
I don't quite understand the situation from your post:
- the traffic is from where to where - internal to internal?
- which kind of traffic - SMTP, IMAP,...?
- why did you think that an IPS sensor with "default" settings would block this specific traffic? Why IPS in the first place?
Lots of questions. If you could be more specific we can try to help you here.
Hi ede_pfau,
the traffic is from wan to internal LAN.
This email account is in use by our customer and I can't use an email filter, otherwise no mail can be sent or received anymore.
We already changed the email password many times with no luck. We removed the email account from the client PC but the traffic doesn't stop anyway.
So I supposed that maybe IPS sensor can help in this scenario, am I wrong?
If not how can I limit or stop this traffic?
Often the firewall's CPU goes to 100% and I am forced to kill the netscan process to regain normal behaviour.
Thanks.
Ricky
OK, first reduce all UTM features in use on that policy to guarantee stable operation of your firewall. Not blocking / scanning connection attempts should not bring your FGT down, or else it's way too small.
Second, you can use a 'rate limit' IPS filter to specifically block connections with too many connection attempts per time interval. The 'how-to' depends on the firmware version you're using. From v5.2 on, rate limit IPS sensors can be defined in the WebGUI; on older versions, in the CLI.
Either there is already a signature for SMTP login, or IMAP login (you didn't answer which kind of traffic you want to block), or you'll write one yourself. The main point is that the sensor checks the server's answer - in case of password mismatch it'll be some text string like 'login error' or such. That depends on the protocol used, but it's well defined and you should be able to google for it.
You can find examples of rate limit IPS signatures in the forums, even by me. Keyword is 'rate limit' or 'custom IPS signature'. Then adapt the values in the sensor to your situation.
When the sensor triggers (for example, after 3 unsuccessful login attempts) the FGT can block any further connection attempts from this source IP address for a period of time (minutes, hours,...). That should bring your traffic load down a lot.
Hi Ed,
I think it's a good solution and I'm going to try.
My firmware version is v5.0,build0252 (GA Patch 5) and the only way is to proceed by CLI command.
I'm searching in the forum for an example...
Hi Ede,
could you please give me a direct link or an example for this?
I can't find it...
Thanks
Oh c'mon...took me 5 seconds.
https://forum.fortinet.com/tm.aspx?m=123966
complete with a ready-to-use custom signature to protect from SMTP logins. Thanks to Ken Felix / emnoc. Read his blog, often.
You haven't commented yet on which kind of traffic you want to act on - SMTP, IMAP? If you don't know that, this custom signature won't help much.
Hi Ede,
thanks a lot, the traffic I want to block is SMTP, IMAP (and now I noticed also Telnet and POP3...)
Ricky
You can restrict the sensor to the actual services you offer. If your server offers all of the mentioned services, you'll have to modify the custom sensor a bit:
config ips custom
edit "SMTP_AUTH"
set signature "F-SBID(
-> --attack_id 1001; --revision 1; --name \"SMTP_AUTH_FAILURE\";
-> --service SMTP;
--protocol tcp; --tcp_flags PA;
--pattern \"535 5.7.8 Authentication credentials invalid\";
--flow from_server,reversed; --track dst_ip; --rate 2,90;)"
set comment "2 failed SMTP authentication attempts within 90 seconds"
next
end
For multiple versions, you have to modify the 'attack_id' (must be unique) and the 'name'. I personally never used the 'revision' parameter. The 'service' param determines the TCP port to observe and needs to match the SMTP, IMAP, POP3 and telnet well known ports.
Notice that I have changed small details of the original definition. The lines to change are marked.
If your server varies the reply string for each service, you'll have to adjust that as well.
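To make the mechanism described in the two posts above concrete (a pattern matched in the server's reply, counted per client with '--rate N,T', then a block once the count is reached), here is a small Python model. It is an added example written for this thread, not FortiOS code and not from either poster: it parses the option list of an F-SBID string like the one above, replays some constructed SMTP server replies through a sliding-window counter, and reports which client addresses would trip the signature and which later attempts would be refused. The mapping of '--track dst_ip' with a reversed flow onto the client IP, the 600-second block period and the sample replies are assumptions made for the illustration.

```python
"""Toy model of a rate-limit IPS custom signature (added example, not FortiOS code)."""
import re
from collections import defaultdict, deque

# The signature from the thread, written with plain quotes instead of CLI escapes.
SIGNATURE = (
    'F-SBID( --attack_id 1001; --name "SMTP_AUTH_FAILURE"; --service SMTP; '
    '--protocol tcp; --tcp_flags PA; '
    '--pattern "535 5.7.8 Authentication credentials invalid"; '
    '--flow from_server,reversed; --track dst_ip; --rate 2,90; )'
)

# Constructed sample: (seconds since start, client IP, server reply sent to that client).
# 203.0.113.7 fails twice within 90 s; 198.51.100.4 fails twice but 200 s apart.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.7", b"535 5.7.8 Authentication credentials invalid\r\n"),
    (10.0, "203.0.113.7", b"535 5.7.8 Authentication credentials invalid\r\n"),
    (12.0, "203.0.113.7", b"535 5.7.8 Authentication credentials invalid\r\n"),
    (5.0, "198.51.100.4", b"235 2.7.0 Authentication successful\r\n"),
    (100.0, "198.51.100.4", b"535 5.7.8 Authentication credentials invalid\r\n"),
    (300.0, "198.51.100.4", b"535 5.7.8 Authentication credentials invalid\r\n"),
]


def parse_fsbid(sig):
    """Return the '--option value;' pairs inside F-SBID( ... ) as a dict."""
    body = sig[sig.index("(") + 1 : sig.rindex(")")]
    opts = {}
    for m in re.finditer(r'--(\w+)\s+(?:"([^"]*)"|([^;]*));', body):
        opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return opts


def parse_rate(rate):
    """'2,90' or '2,90,limit' -> (hit count, window in seconds)."""
    fields = rate.split(",")
    return int(fields[0]), int(fields[1])


def replay(sig, attempts, block_seconds=600):
    """Replay (time, client_ip, payload) events through the signature.

    Returns (triggered, refused): the time each client tripped the rate limit,
    and the later attempts from a tripped client that fall inside the assumed
    block period and would therefore be refused.
    """
    opts = parse_fsbid(sig)
    pattern = opts["pattern"].encode()
    count, window = parse_rate(opts["rate"])
    # Assumption: with '--flow from_server,reversed' the tracked address is the client.
    hits = defaultdict(deque)
    triggered = {}
    refused = []
    for t, ip, payload in sorted(attempts):
        if ip in triggered and t - triggered[ip] <= block_seconds:
            refused.append((t, ip))
            continue
        if pattern not in payload:
            continue  # only the server's failure reply counts as a hit
        q = hits[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) >= count:
            triggered[ip] = t
            q.clear()
    return triggered, refused


if __name__ == "__main__":
    tripped, blocked = replay(SIGNATURE, SAMPLE_ATTEMPTS)
    print("tripped:", tripped)
    print("refused:", blocked)
```

Running it shows only 203.0.113.7 tripping the limit (second failure at 10 s, within the 90-second window) and its third attempt at 12 s being refused, while 198.51.100.4 never trips because its two failures are 200 seconds apart. The same replay can be pointed at an IMAP or POP3 failure string simply by changing the '--pattern' value, which is exactly the adjustment the post above describes.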
Hi Ed,
I created the following signature:
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 1000; --name \"SMTP_AUTH_FAILURE_Riza\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 5.7.8 Authentication credentials invalid\"; --flow from_server,reversed; --track dst_ip; --rate 2,90,limit;)"
        set comment "2 failed SMTP authentication attempts within 90 seconds"
    next
    edit "IMAP_AUTH01"
        set signature "F-SBID( --attack_id 1001; --name \"IMAP_AUTH_FAILURE_Riza\"; --service IMAP; --protocol tcp; --tcp_flags PA; --pattern \"535 5.7.8 Authentication credentials invalid\"; --flow from_server,reversed; --track dst_ip; --rate 2,90,limit;)"
        set comment "2 failed SMTP authentication attempts within 90 seconds"
    next
end
Then I created an IPS custom sensor and applied it to the policy from WAN to LAN.
In the Intrusion Protection log I can't see any traffic.
What am I doing wrong?
Thanks.
Ricky