Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VladaFBiH
New Contributor II

Publicly posted email addresses keep getting locked by malicious actors

Hi all, I'm wondering if there is a better way to deal with the issue we are facing. 


Currently we have around 3500 emails on our Exchange, which is protected by FortiMail and a FortiWeb 400D. About 50% of our users use the webmail to log in to their emails. One of the protections we have in place is locking an account that enters a wrong password more than 7 times. The issue we have is that a lot of our emails are posted publicly and malicious actors are locking thousands of accounts at a time by trying to access them with wrong passwords. We've managed to identify that the issue is coming externally through the webmail app.


Is there a best practice to deal with this type of issue? We've turned on IP blocking, but it doesn't seem to have done much to stem the tide of blocked accounts. We're thinking of turning off account blocking and turning on CAPTCHA checks, but I'm worried we'll cause more problems than solutions.

2 REPLIES
gfleming
Staff

You could set up an IPS rule on the FortiGate to quarantine brute force attackers.

There are probably other things you can do too. But that's what I would start with...

Cheers,
Graham
msmrox
New Contributor

The best solution would be to bring in FortiAuthenticator with FortiTokens and implement a 2FA solution for OWA. Since the FAC agent for OWA verifies the OTP first, there is no possibility of brute-forcing the password.


You are on the right path. As someone suggested, use the upstream firewall IPS capabilities to limit the requests, and then use FortiWeb REB and CAPTCHA enforcement to rate limit the requests, use the IP reputation, make use of custom policies to limit the user agents, etc. Use geo-blocking in the upstream firewall and FortiWeb.


If budget permits and it is technically feasible, I would also consider ZTNA. I am not very fluent with FortiMail, so I am not sure what can be done there. However, for this solution I would stand by implementing 2FA with FAC and tokens.
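The trade-off the thread is circling (a per-account lockout turns publicly listed addresses into a denial-of-service lever, while a per-source cap of the kind the IPS and FortiWeb rate-limiting suggestions provide cuts an attacker off before accounts lock) can be checked against the webmail's own failed-login records. The script below is an added example, not code from this thread or from Fortinet: it assumes a constructed log line format and a constructed sample, classifies each source IP by the pattern of its failures, and compares how many accounts the 7-failure lockout locks with and without a per-source cap.

```python
import re
from collections import defaultdict

# Constructed log format for this example, not the real FortiMail/FortiWeb syntax.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def analyze(lines, lockout_threshold=7, src_limit=20, spray_accounts=10):
    """Classify each source IP and compare how many accounts the per-account lockout
    locks with no per-source cap versus with each IP cut off after src_limit failures."""
    per_src = defaultdict(lambda: {"accounts": set(), "failures": 0})
    fails_uncapped, fails_capped = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("res") != "FAIL":
            continue  # successes and unparseable lines do not count toward lockout
        src, user = m.group("src"), m.group("user")
        per_src[src]["accounts"].add(user)
        per_src[src]["failures"] += 1
        fails_uncapped[user] += 1
        if per_src[src]["failures"] <= src_limit:  # past the cap the IP is blocked upstream
            fails_capped[user] += 1
    sources = {}
    for src, s in per_src.items():
        if len(s["accounts"]) >= spray_accounts:
            pattern = "spray_or_lockout_dos"  # many accounts, few tries each: the thread's problem
        elif s["failures"] > lockout_threshold:
            pattern = "brute_force"  # one mailbox hammered from one IP
        else:
            pattern = "noise"  # a user mistyping a password
        sources[src] = {"accounts": len(s["accounts"]), "failures": s["failures"], "pattern": pattern}
    locked = lambda counts: sum(1 for n in counts.values() if n > lockout_threshold)
    return {"sources": sources, "locked_without_cap": locked(fails_uncapped),
            "locked_with_cap": locked(fails_capped)}

def sample_log():
    """Constructed sample: one IP sprays 30 public addresses round-robin for 8 rounds (one past
    the 7-failure lockout), one IP brute-forces a single mailbox, one user mistypes twice."""
    lines = [f"2024-05-01T10:{r:02d}:{i:02d}Z src=203.0.113.5 user=staff{i}@example.org result=FAIL"
             for r in range(8) for i in range(30)]
    lines += [f"2024-05-01T11:00:{i:02d}Z src=198.51.100.9 user=ceo@example.org result=FAIL"
              for i in range(50)]
    lines += ["2024-05-01T12:00:01Z src=192.0.2.44 user=alice@example.org result=FAIL",
              "2024-05-01T12:00:09Z src=192.0.2.44 user=alice@example.org result=FAIL",
              "2024-05-01T12:00:20Z src=192.0.2.44 user=alice@example.org result=OK"]
    return lines

if __name__ == "__main__":
    report = analyze(sample_log())
    print(report["sources"], report["locked_without_cap"], report["locked_with_cap"])
```

On the sample, the spraying IP locks all 30 mailboxes under lockout alone but none once it is cut off after 20 failures, while the single brute-forced mailbox still locks either way, which is the case 2FA or per-account rate limiting has to cover.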
