Support Forum
tanr
Valued Contributor II

Automatically Quarantine IPs that Attempt to Telnet etc. from Wan?

Hi All,

FortiGate 300D v5.4.1, seeing lots of attempts to telnet, ssh, etc. into WAN-facing interfaces.

Can anybody recommend a good way to automatically quarantine IPs that attempt telnet, ssh, or similar to our WAN-facing interfaces?

I'd like to both quiet the logs and make any brute-force attempts less likely - there is no admin access on these interfaces, but even so.

In a similar vein, is there a good way to blackhole these connections? Not sure how to do that for a particular service like telnet to the WAN interface.

9 REPLIES
emnoc
Esteemed Contributor III

I would not waste my time with that; you need to trust your firewall. If you have no admin services enabled on the untrusted internet WAN interface, why care if someone is wasting their time with a telnet or ssh probe?

PCNSE NSE StrongSwan
tanr
Valued Contributor II

Good point.  I'm not worried about the telnet attempts getting in, really.

 

I would like to figure out how to quiet or consolidate the thousands of logs generated, though.

For now I'm just adding -service=TELNET,SSH,PING,HTTPS to most of my FortiAnalyzer log views of (external) policy violations.

Mehdi
New Contributor III

Hi tanr,

Can you post a picture of your logs? Are those logs in the Anomaly log?

 

ede_pfau

You could write a custom IPS signature for failed login attempts, and have it block the source IP address if triggered. In v5.2 (?) rate-limited IPS signatures can even be written in the GUI.

This has been treated (with examples) several times around here; search for 'rate limit' or similar.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
tanr
Valued Contributor II

@ede,

Thanks for the tip, I've found a couple examples and will try them out.

 

@Mehdi,

Logs are visible in Log & Report > Forward Traffic Log, and also in FortiView > Threats > Blocked by Firewall Policy.

I also look at them from a few custom FortiAnalyzer views.

RedMt
New Contributor

Great question! I shut down admin access on the WAN ports to quiet the logs, which had the unintended consequence of shutting down pings to those ports as well. If you find a signature that works well please share it. 

emnoc
Esteemed Contributor III

If it's failed telnet/ssh to the FGT, an IPS custom signature would not work.

PCNSE NSE StrongSwan
nothingel
New Contributor III

I use local-in policies to control access to administrative services.  This thread may be of interest:

 

https://forum.fortinet.com/tm.aspx?m=126290

(In case the link doesn't work now or in the future, the subject is "Unauthorized user attempt" started July 27, 2015.)
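As an added illustration of the local-in-policy approach nothingel mentions (this is not config from the thread or from the linked post), here is a FortiOS 5.4-style CLI fragment that removes telnet and ssh from the WAN interface's administrative access and then explicitly denies those two services to the FortiGate's own address on that interface. The interface name "wan1" and the policy ID 1 are assumptions; substitute your own. Note that local-in policies only govern traffic addressed to the FortiGate itself, and in 5.4 they are configured from the CLI.

```text
# Added example, not the thread's own configuration.
# Assumptions: the WAN interface is named "wan1"; local-in policy ID 1 is free.

# Step 1: administrative access on the WAN interface without telnet or ssh.
# Only the services listed here are answered by the FortiGate on this interface.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# Step 2: an explicit local-in deny for TELNET and SSH aimed at the WAN interface.
# "all" as srcaddr/dstaddr matches any source and any local address on the interface.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "TELNET" "SSH"
        set schedule "always"
    next
end
```

To confirm the entry took, `show firewall local-in-policy` lists it, and `diagnose sniffer packet wan1 'tcp port 22 or tcp port 23' 4` shows the probes still arriving on the wire without any reply being sent. Keep in mind tanr's later observation in this thread that connections denied by an explicit local-in policy are still logged under the implicit deny, so this fragment addresses access control, not log volume.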

 

tanr
Valued Contributor II

It looks like services denied explicitly by local-in-policy are passed directly to the implicit deny and logged there, while administrative access services that are only implicitly not available on a port (for example, when allowaccess doesn't include telnet or ssh) must go through the set of security policies till they find a match.

 

I want to have the Implicit Deny logging everything that falls to it, but filter out the telnet, ssh, etc. attempts.

So, it seems I can clean up my logs by:

  • Making sure that allowaccess for the wan ports does not include telnet and ssh (already doesn't)
  • NOT having local-in-policy explicitly block telnet and ssh (so they don't get logged in the Implicit Deny)
  • Adding a security policy early on that matches source interfaces to the wan ports and services to TELNET,SSH,PING which denies these.

I can then either have that security policy not log anything (not good, really), or adjust my FortiAnalyzer views to normally filter out logs from that service policy.

Does this seem reasonable?
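The three steps above, written out as FortiOS 5.4-style CLI. This is an added example rather than tanr's actual configuration; the interface names "wan1" and "wan2", the policy ID 999 and the ID 1 of the policy it is moved ahead of are all assumptions. The deny policy is created with logging disabled, which is the "not good, really" option; changing `set logtraffic disable` to `set logtraffic all` keeps the log lines so that the FortiAnalyzer view can filter on the policy ID instead.

```text
# Added example, not the poster's own configuration.
# Assumptions: WAN interfaces are "wan1" and "wan2"; policy ID 999 is unused;
# policy ID 1 is currently the first entry in the policy table.

# Step 1: allowaccess on the WAN ports without telnet or ssh.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "wan2"
        set allowaccess ping
    next
end

# Step 2: no explicit local-in-policy entry for TELNET/SSH.
# Nothing to add here; verify with "show firewall local-in-policy" and delete any
# telnet/ssh deny entry found, so those probes fall through to the forward policies.

# Step 3: an early forward policy that denies the noisy services from the WAN ports
# without logging, so they never reach the logged Implicit Deny.
config firewall policy
    edit 999
        set name "WAN-mgmt-probe-drop"
        set srcintf "wan1" "wan2"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "TELNET" "SSH" "PING"
        set logtraffic disable
    next
end

# Policies match top-down, so move the new entry ahead of the current first policy.
config firewall policy
    move 999 before 1
end
```

To check that a probe actually hits policy 999 rather than the implicit deny, trace one with the flow debugger, for example `diagnose debug flow filter port 23`, `diagnose debug flow show console enable`, `diagnose debug flow trace start 10`, `diagnose debug enable`, and look for the policy ID in the "Denied by forward policy check" line; remember to run `diagnose debug disable` afterwards. One caveat visible in the thread itself: RedMt noted that removing ping from allowaccess also stops the WAN ports answering pings, so step 1 above deliberately keeps ping in allowaccess while step 3 only drops forwarded ICMP.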
