Multiple ssh auth with different username
Hi all,
In the system events I discovered that there are a lot of failed SSH auth attempts with different usernames and from different IPs from all over the world. For me it smells like someone/some script is trying to access my FortiGate.
Could you please advise on the best actions to take?
You have a few items to look at:
SSH public key (build a strong password, but enforce the SSH pub key)
http://socpuppet.blogspot...ess-login-fortios.html
GeoIP block on the external interface (e.g. I use a local-in policy and block anything outside of the USA)
https://forum.fortinet.com/tm.aspx?m=136899
Change the SSH port
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
Disable SSH on the WAN and force your admins to SSH in through the SSL VPN, and then use allowaccess ssh on the ssl.root interface
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
Or use MFA for any admins; this would be the best, along with the above.
Ken
PCNSE
NSE
StrongSwan
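The five items above, as an added FortiOS CLI example written for this page; it is not Ken's own configuration and is not taken from the linked blog posts. The interface names (wan1, ssl.root), the admin account name, the port 2222, the country, the service and address object names, and the placeholder public key and token serial are all assumptions; adjust them to your environment, and paste the config from the console or a second session so a mistake cannot lock you out of the session you are typing into.

```fortios
# Added example, not from the post above. Assumed: WAN interface wan1, SSL VPN
# interface ssl.root, admin account "admin", new SSH port 2222, country US.
# Apply from the console or a second session so a mistake cannot lock you out.

# 1. SSH public key on the admin account. The password stays strong, but it is
#    no longer accepted over SSH once admin-ssh-password is disabled (check
#    that your FortiOS version has the option). Placeholder key, replace it.
config system admin
    edit "admin"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2E...your-public-key... admin@mgmt"
    next
end
config system global
    set admin-ssh-password disable
# 3. Non-default SSH port (same config block).
    set admin-ssh-port 2222
end

# 2. GeoIP restriction with a local-in policy: accept management only from one
#    country, then deny everyone else. The predefined "SSH" service is TCP/22,
#    so the moved port needs its own service object. Only the listed services
#    are affected; anything else bound to wan1 is untouched.
config firewall service custom
    edit "mgmt-ssh-2222"
        set tcp-portrange 2222
    next
end
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-US"
        set dstaddr "all"
        set service "mgmt-ssh-2222" "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "mgmt-ssh-2222" "HTTPS"
        set schedule "always"
        set action deny
    next
end

# 4. No SSH on the WAN at all; admins connect to the SSL VPN first and reach
#    the CLI through ssl.root. "set allowaccess" replaces the whole list, so
#    name every protocol you still want (here ping and https) explicitly.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
    edit "ssl.root"
        set allowaccess ping https ssh
    next
end

# 5. MFA on the admin login (FortiToken here; email and SMS are the other
#    two-factor choices). Placeholder serial of an already activated token.
config system admin
    edit "admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end
```

Items 2 and 4 overlap on purpose: if SSH is removed from wan1's allowaccess, the local-in deny for the SSH service is belt-and-braces, but it still protects HTTPS management and any other service you list there.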
Why don't you disable SSH on the external interface?
If it's not super critical, then disable SSH from outside as mhe mentioned.
If that's not possible, then change the default port to some other less obvious/predictable one.
You can also utilize trusted hosts so SSH will not respond to anyone outside allowed ranges/IPs.
And obviously, have strong passwords for admins.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thank you guys,
I will think about all of this and tell you what I've done.
One last thing in addition to above: use trusthosts to limit the access to certain trusted ranges of IPs.
Keep in mind the trusthost will not change port 22 being exposed to the internet.
PCNSE
NSE
StrongSwan
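Trusted hosts, as raised by Tomas above and repeated in the last two posts, as an added FortiOS CLI example written for this page (it is not the TAC engineer's or Ken's configuration). The account names, address ranges and the interface name are assumptions, and so is the event log ID: 0100032002 is the ID this example assumes for "Admin login failed" events, so check it against a failed-login line in your own log output before relying on the filter.

```fortios
# Added example, not part of the thread. Assumed: admin accounts "admin" and
# "backup-admin", management ranges 203.0.113.10/32 and 10.10.0.0/24, WAN
# interface wan1, log ID 0100032002 for "Admin login failed".

# trusthost is evaluated per account: an account left without any trusthost
# still accepts login attempts from anywhere, so set it on every account,
# including rarely used ones such as a second "backup" admin.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 10.10.0.0 255.255.255.0
    next
    edit "backup-admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# As the last post notes, this does not close the listener: the SSH service on
# wan1 still answers on TCP 22 (or on admin-ssh-port if you moved it), and the
# rejected attempts keep landing in the event log. Two ways to see what is
# still arriving after the change:

# a) filter the event log (category 1) for failed admin logins
execute log filter reset
execute log filter category 1
execute log filter field logid 0100032002
execute log display

# b) watch the port live on the interface: verbosity 4 prints headers with the
#    interface name, 20 is the packet count before the sniffer stops
diagnose sniffer packet wan1 'tcp port 22' 4 20
```

If the sniffer still shows inbound SYNs being answered from wan1, trusthost is doing its job at the login stage only; removing ssh from wan1's allowaccess (or a local-in deny) is what takes the port off the internet.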
