jinto26
New Contributor

SSL VPN Logging & Brute Force Attacks

Hey everyone, I have a customer who is constantly being attacked on our SSL VPN interface. I enabled block policies after 3 failed attempts and they get blocked for 6 months. It worked well for a little while but now they are using spoofing to change their IP every attempt, so rendering my blocking useless. I wouldn't care so much but I am constantly getting failed login attempt alert emails now. Super annoying. I've gotten 5 since I've started writing this. Anyway, anyone see any way that I could stop this from happening? I would like to keep the logging on as it's useful for me but I am thinking about just turning it off completely at this point.

BK_Bianko
New Contributor

Just to say that we have been experiencing the same for more than one month. Dozens of alerts each hour. It's really annoying.

 

Francesco

subramanis
Staff

Hi BK_Bianko/jinto26,

Thank you for contacting Fortinet Forum.

 

I think this might resolve your problem. Please check the document below.

 

Restrict access to the SSLVPN service from expected country https://kb.fortinet.com/kb/documentLink.do?externalID=FD48235#:~:text=Go%20to%20VPN%20%2D%3E%20SSL%2....


Along with the limitation of the connections from abroad, you might follow this KB https://kb.fortinet.com/kb/documentLink.do?externalID=FD48714 and configure SSLVPN login limits along with the blocking duration of incorrectly entered credentials.


To hide FortiGate login page using local-in-policy https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-hide-FortiGate-login-page-using-loc...


Thanks
Sasikumar.S

rreinsch

Restrict access to the SSLVPN service from expected country worked like a charm. Can't believe I didn't think of that.  Thanks!

IbraMass
New Contributor

@jinto26
Were you able to block these attempts on an IP level or user level?
I am aware of the blocking on a user level. However, if some actors try random users, is there a way to block their IPs? I have implemented the limit of IPs from "VPN Settings" but was thinking if there is another way to even do the blocking for these allowed countries as well.
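
An added example, not part of any post in this thread: one way to keep the failed-login logging while replacing per-event alert emails with a per-window digest that also flags the pattern described above, where every attempt comes from a new address so the per-IP lockout never triggers. The log lines are constructed, and the field names (`action`, `remip`, `user`) and the thresholds are assumptions to adjust to your own log export.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (documentation IP ranges). Field names are assumed
# to follow a key=value event log layout; adapt them to your actual export.
SAMPLE_LOG = """\
date=2024-01-10 time=09:00:05 subtype="vpn" action="ssl-login-fail" remip=198.51.100.10 user="admin"
date=2024-01-10 time=09:01:12 subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="test"
date=2024-01-10 time=09:02:40 subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="vpn"
date=2024-01-10 time=09:04:03 subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="admin"
date=2024-01-10 time=09:06:31 subtype="vpn" action="ssl-login-fail" remip=198.51.100.91 user="support"
date=2024-01-10 time=09:08:59 subtype="vpn" action="ssl-login-fail" remip=203.0.113.140 user="guest"
date=2024-01-10 time=09:15:00 subtype="vpn" action="tunnel-up" remip=192.0.2.50 user="alice"
date=2024-01-10 time=09:21:10 subtype="vpn" action="ssl-login-fail" remip=192.0.2.7 user="jsmith"
date=2024-01-10 time=09:21:40 subtype="vpn" action="ssl-login-fail" remip=192.0.2.7 user="jsmith"
date=2024-01-10 time=09:22:15 subtype="vpn" action="ssl-login-fail" remip=192.0.2.7 user="jsmith"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_line(line):
    # Turn one key=value log line into a dict, handling quoted and bare values.
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def digest(log_text, window_min=10, per_ip_limit=3, min_failures=5):
    """Summarise failed SSL VPN logins per time window (one alert per window)."""
    buckets = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "ssl-login-fail":
            continue  # successful logins and other events are ignored
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        buckets.setdefault(start, []).append(ev)
    report = []
    for start in sorted(buckets):
        evs = buckets[start]
        per_ip = Counter(e.get("remip", "?") for e in evs)
        report.append({
            "window": start.isoformat(sep=" "),
            "failures": len(evs),
            "source_ips": len(per_ip),
            "usernames": len({e.get("user", "?") for e in evs}),
            # Many failures, yet no single address reaches the lockout count:
            # per-IP blocking cannot help here, so restrict the source instead.
            "rotating_sources": len(evs) >= min_failures
                                and max(per_ip.values()) < per_ip_limit,
        })
    return report

if __name__ == "__main__":
    print(*digest(SAMPLE_LOG), sep="\n")
```

A window flagged `rotating_sources` is the case where the source restriction suggested in the replies above is the relevant control, since the per-IP lockout count is never reached.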
