Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
x_member
Contributor

'Rate' parameter seems to be ignored? What am I doing wrong?

I'm still feeling my way with FortiOS and have recently successfully implemented a Fortigate 60D running 5.2.3 which replaced an ISA server cluster.

I'm now trying to improve security at the perimeter by implementing a custom IPS signature to detect attempts to break into the mail server and quarantine the offending IP after 2 failed logins within 90 seconds, based on Ken Felix's blog post here.

 

config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 1000; --revision 1; --name \"SMTP_AUTH_FAILURE01\";
          --service SMTP; --protocol tcp; --tcp_flags PA;
          --pattern \"535 5.7.8 Authentication credentials invalid\";
          --flow from_server,reversed; --track dst_ip; --rate 2,90,limit;)"
        set comment "3 failed SMTP authentication attempts within 2 minutes"
    next
end

 

This signature works: the offending IP is quarantined successfully and can be viewed in the list using

diagnose firewall ip_host list

However, quarantine occurs for any traffic after the first rejected login, rather than after the second as expected. If I change the rate to 6,120 then the email server ban kicks in before any quarantine takes effect (the email server bans the IP after a third failed auth attempt).

 

Can anyone point to what I'm missing or guide me how best to debug this?

emnoc
Esteemed Contributor III

This is ken

 

Try removing the limit from the count & see if that works. The below should be 2 failures in 90 seconds.

 

--track dst_ip; --rate 2,90;

PCNSE NSE StrongSwan
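To check what a given --rate count,interval pair should do before testing it against a live mail server, the following is an added example (not FortiOS code, not from the original post or from Ken's blog) that replays constructed SMTP auth log lines through a per-client sliding-window counter, the same intent as --track dst_ip on the reversed from_server flow, and also models the mail server's own three-strike ban mentioned in the question. The window semantics (hits whose age exceeds the interval fall out; IPS wins a tie with the server ban) are assumptions for the model, since the page does not document FortiOS's actual counting algorithm, and the log format, IPs and timestamps are constructed.

```python
"""Model of a per-client-IP rate trigger for the SMTP '535 ... invalid' response.

Not FortiOS code: a sliding-window approximation of '--track dst_ip; --rate N,T;'
(assumption) used to predict which of the IPS quarantine or the mail server's
own ban (3 failures, as stated in the thread) fires first for a given N,T.
"""
import re
from collections import defaultdict, deque

# Matches the server response string used in the signature's --pattern.
FAIL_PATTERN = re.compile(r"535 5\.7\.8 Authentication credentials invalid")

# Constructed sample log: "<seconds> <client_ip> <server response>".
# 203.0.113.10 hammers the server every 20 s; 198.51.100.7 is a legitimate
# user who mistypes once, logs in, and fails again much later.
SAMPLE_LOG = """\
0 203.0.113.10 535 5.7.8 Authentication credentials invalid
5 198.51.100.7 535 5.7.8 Authentication credentials invalid
10 198.51.100.7 235 2.7.0 Authentication successful
20 203.0.113.10 535 5.7.8 Authentication credentials invalid
40 203.0.113.10 535 5.7.8 Authentication credentials invalid
60 203.0.113.10 535 5.7.8 Authentication credentials invalid
80 203.0.113.10 535 5.7.8 Authentication credentials invalid
100 203.0.113.10 535 5.7.8 Authentication credentials invalid
500 198.51.100.7 535 5.7.8 Authentication credentials invalid
"""


def parse_log(log_text):
    """Yield (timestamp_seconds, client_ip, server_response) per non-blank line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, response = line.split(" ", 2)
        yield float(ts), ip, response


def simulate(log_text, count, interval, server_ban_after=None):
    """Replay the log and return {client_ip: (actor, timestamp)} for every client
    that ends up blocked.  actor is "ips" when `count` failures land inside a
    sliding window of `interval` seconds (the rate trigger), or "mail_server"
    when the server's own ban (after `server_ban_after` total failures) fires
    first.  A blocked client's later lines are ignored, as quarantine would."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    failures = defaultdict(int)    # ip -> total failures seen (for the server ban)
    blocked = {}
    for ts, ip, response in parse_log(log_text):
        if ip in blocked or not FAIL_PATTERN.search(response):
            continue
        failures[ip] += 1
        window = windows[ip]
        window.append(ts)
        # Drop failures older than the interval (assumed window semantics).
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= count:
            blocked[ip] = ("ips", ts)
        elif server_ban_after and failures[ip] >= server_ban_after:
            blocked[ip] = ("mail_server", ts)
    return blocked


if __name__ == "__main__":
    for count, interval in ((2, 90), (6, 120), (1, 90)):
        result = simulate(SAMPLE_LOG, count, interval, server_ban_after=3)
        print(f"--rate {count},{interval}: {result}")
```

With --rate 2,90 the model quarantines the attacker on its second failure at t=20 and leaves the legitimate user alone, because the 5 s and 500 s failures never share a 90 s window. With --rate 6,120 the attacker's third failure at t=40 trips the mail server's own ban before the IPS ever counts six, which is exactly the behaviour reported in the question; the IPS threshold has to stay below the server's own lockout count to be the mechanism that acts. A count of 1 shows why the "quarantine after the first rejected login" symptom is dangerous: one mistyped password blocks a real user.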
x_member

Thanks for responding Ken. I've a feeling I may have tried that today but can't be sure so I'll give it a proper whirl tomorrow morning when my head is clear and the coffee is fresh. I had a feeling you might be on here but wasn't sure so feel free to ignore my pleas for help on the blog post. The blog's been a great help to an old dog trying to learn new tricks :)
x_member

emnoc wrote:

This is ken

 

Try removing the limit from the  count & see if that works. The below should be 2 failures in 90 seconds.

 

--track dst_ip; --rate 2,90;

 

Mea culpa Ken.

 

Having consulted with the mail administrator this morning and looked at the night's logs it's clear that my testing must have been flawed - the rate is indeed working.

 

Many thanks for responding.
