We have a lot of attack reports against our FORTIGATE 90D.
What's the correct thing to do in that case? Turn off the SSH service? Create rules to block a list of suspect IPs?
Thanks in advance for any suggestion or information. I attached an example of the report.
1: don't use port 22
2: enable two-factor
3: use SSLVPN and then allowaccess ssh for ssl.root; this will force the admin to come in via SSL, and then you trust that ssl.pool address over the ssl.root interface
4: use trusthost
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
As long as you have tcp.port 22 open and no trusthost, you will ALWAYS have failed logins for the common accounts
PCNSE
NSE
StrongSwan
Thanks for replying to me!
I will try your suggestions and post the result.
Best regards
If you don't really require SSH on WAN just deactivate it. If you do need it you should at least restrict login to those subnets you need to allow access.
1> I would never run tcp.port 22 for SSH on a public-internet
2> if you look at the screenshot, these same user accounts are always going to show up (root, admin, Admin, administrator, support, etc.)
3> deploying ssh access over tcp.port 2022 for example, would reduce or eliminate this issue
4> deploying an SSH portal access (they have to log in via SSLvpn) and then allowaccess over the ssl.root interface is even better imho
Ken
PCNSE
NSE
StrongSwan
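As an added example (not part of any post in this thread and not Fortinet code), the sketch below tallies failed SSH admin logins from an exported event log and splits the sources by whether they fall inside the subnets you would list as trusted hosts, which shows how much of the noise a trusted-host restriction removes compared with maintaining a blocklist. The log layout, the field names (`user`, `ui`, `action`, `status`) and the subnet are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events. The key=value layout and field names are
# assumptions for this example, not an export taken from the thread.
SAMPLE_LOG = """\
date=2024-01-10 time=03:12:01 user="root" ui="ssh(203.0.113.45)" action="login" status="failed"
date=2024-01-10 time=03:12:04 user="admin" ui="ssh(203.0.113.45)" action="login" status="failed"
date=2024-01-10 time=03:40:19 user="Admin" ui="ssh(192.0.2.77)" action="login" status="failed"
date=2024-01-10 time=03:40:22 user="root" ui="ssh(192.0.2.77)" action="login" status="failed"
date=2024-01-10 time=08:01:10 user="netadmin" ui="ssh(198.51.100.5)" action="login" status="failed"
date=2024-01-10 time=08:01:31 user="netadmin" ui="ssh(198.51.100.5)" action="login" status="success"
date=2024-01-10 time=09:15:00 user="admin" ui="https(203.0.113.45)" action="login" status="failed"
"""

# Hypothetical admin subnet that would be configured as a trusted host.
TRUSTED = [ipaddress.ip_network("198.51.100.0/28")]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SSH_UI = re.compile(r"^ssh\(([0-9a-fA-F.:]+)\)$")

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in KV.findall(line)}

def failed_ssh_logins(text):
    """Yield (source_ip, username) for each failed SSH admin login."""
    for line in text.splitlines():
        ev = parse_line(line)
        m = SSH_UI.match(ev.get("ui", ""))
        if m and ev.get("action") == "login" and ev.get("status") == "failed":
            yield ipaddress.ip_address(m.group(1)), ev.get("user", "")

def summarize(text, trusted=TRUSTED):
    """Count failures per user and per source, split by trusted-subnet membership."""
    by_user, outside, inside = Counter(), Counter(), Counter()
    for ip, user in failed_ssh_logins(text):
        by_user[user] += 1
        bucket = inside if any(ip in net for net in trusted) else outside
        bucket[str(ip)] += 1
    return {"by_user": by_user, "outside": outside, "inside": inside}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("usernames tried:", report["by_user"].most_common())
    print("sources a trusted-host restriction cuts off:", dict(report["outside"]))
    print("failures from trusted subnets (review):", dict(report["inside"]))
```

Failures in the `inside` bucket are the ones still worth reviewing once a trusted-host restriction is in place, since those sources can still reach the login prompt.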