Hi all,
On systems events I discovered that there is a lot of ssh auth failed attempts with different usernames and from different ips from all over the world. for me it smells like some one/script is trying to access my fortgate.
Could you please advice on better actions to take
Solved! Go to Solution.
you have a few items to lookat
ssh-pub-key ( just build a strong password but enforce the ssh pub key )
http://socpuppet.blogspot...ess-login-fortios.html
GEOIP block the external interface ( e.g I use a local-in policy and block any thing outside of the USA )
https://forum.fortinet.com/tm.aspx?m=136899
change the SSH ports
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
disable ssh on the wan and force your admins to sshin and then use allowaccess ssh in the ssl.root interface
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
Or use a MFA access for any admins, this would be the best along with the aboves.
Ken
PCNSE
NSE
StrongSwan
Why don't you disable SSH on the external interface??
If it's not super critical then disable SSH from outside as mhe mentioned.
If not possible then change default port to some other less obvious/predictable.
You can also utilize trusted hosts so SSH will not respond to anyone outside allowed ranges/IPs.
And obviously, have strong passwords for admins.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
you have a few items to lookat
ssh-pub-key ( just build a strong password but enforce the ssh pub key )
http://socpuppet.blogspot...ess-login-fortios.html
GEOIP block the external interface ( e.g I use a local-in policy and block any thing outside of the USA )
https://forum.fortinet.com/tm.aspx?m=136899
change the SSH ports
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
disable ssh on the wan and force your admins to sshin and then use allowaccess ssh in the ssl.root interface
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
Or use a MFA access for any admins, this would be the best along with the aboves.
Ken
PCNSE
NSE
StrongSwan
Thank you guys,
I will think to all of this and tell you what I've done
One last thing in addition to above: use trusthosts to limit the access to certain trusted ranges of IPs.
Keep in mind the trusthost will not change the port22 being exposed to the internet.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.