Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andreotta
New Contributor

Limit web interface and SSH

Hello People. I´m new here, and I have a doubt about Fortigate 60B. My problem is: I have a lot of attack attemps using SSH and HTTPS interface via WAN interface. I can use local-in policies to limit the external access to a valid ip ? Example: Only internal network and 200.184.42.99 can access the HTTPS and SSH interfaces ? Thanks for attention. Bye André Otta
6 REPLIES 6
FortiRack_Eric
New Contributor III

you can, but also an easy way to do it, is to limit the IP access for the administrators

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
andreotta

Hello, Thanks for help. IP Access you refer is the internal ? I can solve this using external ? I have dynamic external IPs too. So I think the better way is block all and allow only originate this IPs. It´s possible ? Regards, André Otta
andreotta

Hi. You tell about an administrators tab, Trusted Hosts ? I can set the external IPs there ?
emnoc
Esteemed Contributor III

fwiw For ssh I found that if you get off port 22, then 99.99% of the brute-force and failed logins go away. That will cover all of the script kiddies and other up to no good people. The following cli command under global settings is how I would managed my ssh port set admin-ssh-port xxxx

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
andreotta

Emnoc, This not solve my problem. :( Nmap bypass this. The best way is: only these IPs can access SSH and HTTPS. :) Regards André Otta
Eric_Mai_FTNT

Since you are using Fortigate 60B. I am assume you are using version 4. 1. Create a firewall address that you want to get access from 2. Create a firewall address you wan to get access to. For example in cli config firewall address edit " IP access From" set associated-interface " Internet" set subnet IP/subnet edit " IP access To" set associated-interface " interface" set subnet IP/subnet 3. Create policy a police allow interface (internet) to you admin interface. config firewall policy edit 4 set srcintf " Internet" set dstintf " internal interface" set srcaddr " IP access From " set dstaddr " IP access To " set action accept set schedule " always" set service " HTTPS" " SSH" next 4. all admin access for https and ssh on your internal interface. 5. you should able to access http and ssh using you interanl interace. Disable the public IP admin access (internet )
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors