Hello everybody,
I've a problem in my network with my FortiGate.
I've a simple SSL-VPN (web mode is disabled) whose access is restricted to italian and albanian addresses:
The problem is that there are many connection attempts, and each of these attempts has a different IP address:
date=2024-09-27 time=12:27:33 id=7419267613974331394 itime="2024-09-27 12:27:34" euid=5123 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="abl0000" remip=87.4.68.245 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727432853997409279 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:27:33" itime_t=1727432854 devname="ntd-fg"
date=2024-09-27 time=12:16:21 id=7419264723461341184 itime="2024-09-27 12:16:21" euid=4699 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="empty" remip=79.55.254.104 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727432181240072200 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:16:21" itime_t=1727432181 devname="ntd-fg"
date=2024-09-27 time=12:12:23 id=7419263701259124737 itime="2024-09-27 12:12:23" euid=5122 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="en_nabba" remip=95.251.127.145 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727431943656373820 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:12:23" itime_t=1727431943 devname="ntd-fg"
date=2024-09-27 time=12:05:59 id=7419262051991683075 itime="2024-09-27 12:05:59" euid=5121 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="dispo2" remip=185.168.97.3 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727431559335347359 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 12:05:59" itime_t=1727431559 devname="ntd-fg"
date=2024-09-27 time=10:29:36 id=7419237214195810305 itime="2024-09-27 10:29:36" euid=5120 epid=3 dsteuid=3 dstepid=3 logver=702101706 logid=0101039426 type="event" subtype="vpn" level="alert" action="ssl-login-fail" msg="SSL user failed to logged in" logdesc="SSL VPN login fail" user="abrechnung" remip=188.12.223.155 group="N/A" tunnelid=0 tunneltype="ssl-web" dst_host="N/A" reason="sslvpn_login_unknown_user" eventtime=1727425776595975939 tz="+0200" devid="FGT60FTK23099PH2" vd="root" dtime="2024-09-27 10:29:36" itime_t=1727425776 devname="ntd-fg"
I suppose these are brute force attacks, so I think that they will never succed. But what can you do in this kind of situations? The IP BAN is not a solution, because as you can see, each time the attacker uses a different IP address.
What's the solution?
Thank you so much!
1 Solution
