Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mehdi_ouazaa
New Contributor II

Created on ‎07-26-2018 12:55 AM

Multiple ssh auth with different username

Hi all,

 

On systems events I discovered that there is a lot of ssh auth failed attempts with different usernames and from different ips from all over the world. for me it smells like some one/script is trying to access my fortgate.

 

Could you please advice on better actions to take

4909
0 Kudos
1 Solution
emnoc
Esteemed Contributor III
In response to xsilver_FTNT

Created on ‎07-26-2018 05:08 AM

you have a few items to lookat

 

ssh-pub-key ( just build a strong password  but enforce the ssh pub key )

http://socpuppet.blogspot...ess-login-fortios.html

 

GEOIP block the  external interface ( e.g I use a local-in policy and block any thing outside of the USA )

https://forum.fortinet.com/tm.aspx?m=136899

 

change the SSH ports

http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

 

disable  ssh on the wan and force your admins to  sshin and then use  allowaccess ssh in the ssl.root interface

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

 

Or use a MFA access for any admins, this would be the best along with the aboves.

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
2738
0 Kudos
6 REPLIES 6
mhe
Contributor II

Created on ‎07-26-2018 01:08 AM

Why don't you disable SSH on the external interface??

2709
0 Kudos
xsilver_FTNT
Staff
Staff

Created on ‎07-26-2018 01:36 AM

If it's not super critical then disable SSH from outside as mhe mentioned.

If not possible then change default port to some other less obvious/predictable.

You can also utilize trusted hosts so SSH will not respond to anyone outside allowed ranges/IPs.

 

And obviously, have strong passwords for admins.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

2709
0 Kudos
emnoc
Esteemed Contributor III
In response to xsilver_FTNT

Created on ‎07-26-2018 05:08 AM

you have a few items to lookat

 

ssh-pub-key ( just build a strong password  but enforce the ssh pub key )

http://socpuppet.blogspot...ess-login-fortios.html

 

GEOIP block the  external interface ( e.g I use a local-in policy and block any thing outside of the USA )

https://forum.fortinet.com/tm.aspx?m=136899

 

change the SSH ports

http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

 

disable  ssh on the wan and force your admins to  sshin and then use  allowaccess ssh in the ssl.root interface

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

 

Or use a MFA access for any admins, this would be the best along with the aboves.

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2739
0 Kudos
mehdi_ouazaa
New Contributor II
In response to emnoc

Created on ‎07-27-2018 04:40 AM

Thank you guys,

 

I will think to all of this and tell you what I've done

2709
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to mehdi_ouazaa

Created on ‎07-27-2018 09:42 AM

One last thing in addition to above: use trusthosts to limit the access to certain trusted ranges of IPs.

2709
0 Kudos
emnoc
Esteemed Contributor III
In response to Toshi_Esumi

Created on ‎07-27-2018 10:45 AM

Keep in mind the trusthost will not change the port22 being exposed to the internet.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2709
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.