Description
Solution
1. Set Trusted Hosts to allow connection only from known and trusted IP addresses
From the GUI, go to : System > Admin > Administrators > edit required account and set Trusted Hosts (could be a single host or a whole subnet, that are allowed to connect to the FortiGate )
2. Change the SSH port from the default (22) to another port
From the GUI, go to : System > Admin > Settings > edit SSH port (set for example to 2223).
3. Increase the lockout time to deter the less patient
Run from the CLI:
(Default value is 60 seconds)
4. Use long and complex passwords
Do not use dictionary words and trivial key combination such as 'qwerty'
Force strong admin passwords by setting password policy from System > Admin > Settings > Password Policy
5. Remove the account named "admin" after having created other account(s) with a super_admin profile.
See also the related article "Rename or disable an admin account"
A brute force attempt (or attack) to the administrator account login may be diagnosed by the following logs events, seen repetitively and/or in quantity (assuming Event log and Admin events are enabled) :
Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name
...and after a few failed log messages the following message will be seen:
Login disabled from IP xxxx for 60 seconds because of too many bad attempts
In most cases these logon attempts are generated by automatic hacker tools running on many compromised computers and scanning for live ssh targets in order to exploit known vulnerabilities or/and perform password brute force.
This article provides some tips as to how to avoid this.
Solution
1. Set Trusted Hosts to allow connection only from known and trusted IP addresses
From the GUI, go to : System > Admin > Administrators > edit required account and set Trusted Hosts (could be a single host or a whole subnet, that are allowed to connect to the FortiGate )
2. Change the SSH port from the default (22) to another port
From the GUI, go to : System > Admin > Settings > edit SSH port (set for example to 2223).
3. Increase the lockout time to deter the less patient
Run from the CLI:
| config system global set admin-lockout-duration 600 end |
4. Use long and complex passwords
Do not use dictionary words and trivial key combination such as 'qwerty'
Force strong admin passwords by setting password policy from System > Admin > Settings > Password Policy
5. Remove the account named "admin" after having created other account(s) with a super_admin profile.
See also the related article "Rename or disable an admin account"
Related Articles
