Hello everybody,
I've a problem in my network with my FortiGate.
I've a simple SSL-VPN (web mode is disabled) whose access is restricted to italian and albanian addresses:
The problem is that there are many connection attempts, and each of these attempts has a different IP address:
date=2024-09-27 time=12:27:33 id=7419267613974331394 itime="2024-09-27 12:27:34" euid=5123 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="abl0000" remip=87.4.68.245 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727432853997409279 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:27:33" itime_t=1727432854 devname="ntd-fg"
date=2024-09-27 time=12:16:21 id=7419264723461341184 itime="2024-09-27 12:16:21" euid=4699 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="empty" remip=79.55.254.104 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727432181240072200 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:16:21" itime_t=1727432181 devname="ntd-fg"
date=2024-09-27 time=12:12:23 id=7419263701259124737 itime="2024-09-27 12:12:23" euid=5122 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="en_nabba" remip=95.251.127.145 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727431943656373820 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:12:23" itime_t=1727431943 devname="ntd-fg"
date=2024-09-27 time=12:05:59 id=7419262051991683075 itime="2024-09-27 12:05:59" euid=5121 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="dispo2" remip=185.168.97.3 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727431559335347359 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:05:59" itime_t=1727431559 devname="ntd-fg"
date=2024-09-27 time=10:29:36 id=7419237214195810305 itime="2024-09-27 10:29:36" euid=5120 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="abrechnung" remip=188.12.223.155 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727425776595975939 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 10:29:36" itime_t=1727425776 devname="ntd-fg"
I suppose these are brute force attacks, so I think that they will never succed. But what can you do in this kind of situations? The IP BAN is not a solution, because as you can see, each time the attacker uses a different IP address.
What's the solution?
Thank you so much!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If your users are well educated to use good non-trivial passwords and use 2FA, then blind brute-force attempts are just noise in logs that's extremely unlikely to succeed.
For additional hardening you can add client-certificate requirements to authentication, move SSL-VPN to an unusual port, start blocking bigger IP blocks (/24? bigger? be careful with this), or consider moving off SSL-VPN to IPsec, which is a much less juicier target than the HTTPS-based SSL-VPN login.
If your users are well educated to use good non-trivial passwords and use 2FA, then blind brute-force attempts are just noise in logs that's extremely unlikely to succeed.
For additional hardening you can add client-certificate requirements to authentication, move SSL-VPN to an unusual port, start blocking bigger IP blocks (/24? bigger? be careful with this), or consider moving off SSL-VPN to IPsec, which is a much less juicier target than the HTTPS-based SSL-VPN login.
Hi, you can block the countries you are not interested to not have access over the ssl vpn port,
or you can also block the users IP trying to do the login attempt and failing automatically
Hi you can also setup local in policy to block traffic from certain region which you do not want to allow access.
Refer:-
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy
Hello @raffaeledp
You can refer to best practice guide for SSL VPN.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SSL-VPN-best-practices-guide/ta-...
salmas
Hi @raffaeledp
When you configure 'Limit access to specific hosts' it will still generate logs for the VPN attempts for the blocked countries. The attacker will not be allowed access if they are from blocked country even if they enter the correct username and password.
If you would like to not see the logs, you can setup local in policy:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/363127
Having MFA would provide a good security against such attacks.
Here are some other hardening suggestions for SSL VPN:
Regards,
Varun
Hello RDP,
Thank you for reaching out fortinet support.
From the logs it looks like unknown users are trying to access your VPN Service.
In order to secure your network please refer the below articles:
text=Method%202:%20Create%20a%20Deny,in%20the%20Source%20Address%20field
Regards,
Piyush
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.