Support Forum
bueford
New Contributor

Repeated intrusion attempts by IP source in China

Hello,

Over the last 2 weeks our Fortigate 80C has been detecting failed attempts to login as an administrator from some IP address in China. An example message:

The following critical firewall event was detected: Critical Event. date=2013-09-11 time=22:11:14 devname=vpn devid=FGT80C3909609079 logid=0100032002 type=event subtype=system level=alert user="admin" ui=ssh(121.134.21.116) action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from ssh(121.134.21.116) because of invalid password"

It's always from the same IP address. Is there something I can do to block attempts from this IP address? Thanks
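A defender-side check, added here as an example and not part of the thread: it parses FortiOS key=value event lines like the one quoted above and reports sources with repeated failed administrator logins, so a pattern like this can be spotted from exported logs before it shows up as an alert. The sample records are constructed (the timestamps, the second source IP, and the success line are invented; the format follows the quoted message).

```python
import re
from collections import Counter

# FortiOS event logs are flat key=value records; some values are quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The ui field names the management channel and the client, e.g. ssh(121.134.21.116)
UI_RE = re.compile(r'^(?P<channel>\w+)\((?P<src>[^)]+)\)$')


def parse_event(line):
    """Turn one FortiOS log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_admin_logins(lines, threshold=3):
    """Count failed admin logins per (channel, source, user) and return the
    tuples that reach `threshold`, most frequent first."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get('action') != 'login' or ev.get('status') != 'failed':
            continue
        m = UI_RE.match(ev.get('ui', ''))
        if not m:  # console or other ui forms carry no source address
            continue
        counts[(m['channel'], m['src'], ev.get('user', '?'))] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


def _fail(t, ui):
    # Constructed failed-login record in the format of the message quoted above.
    return (f'date=2013-09-11 time={t} devname=vpn devid=FGT80C3909609079 '
            f'logid=0100032002 type=event subtype=system level=alert user="admin" '
            f'ui={ui} action=login status=failed reason="passwd_invalid" '
            f'msg="Administrator admin login failed from {ui} because of invalid password"')


# Constructed sample: four failures from the IP in the post, one from another
# host over HTTPS, and one (invented) successful login that must be ignored.
SAMPLE_LOGS = [
    _fail('22:11:14', 'ssh(121.134.21.116)'),
    _fail('22:11:16', 'ssh(121.134.21.116)'),
    _fail('22:11:19', 'ssh(121.134.21.116)'),
    _fail('22:11:23', 'ssh(121.134.21.116)'),
    _fail('22:30:02', 'https(198.51.100.7)'),
    'date=2013-09-11 time=22:40:00 devname=vpn devid=FGT80C3909609079 type=event '
    'subtype=system level=information user="admin" ui=https(203.0.113.5) '
    'action=login status=success msg="Administrator admin login successful"',
]

if __name__ == '__main__':
    for (channel, src, user), n in failed_admin_logins(SAMPLE_LOGS):
        print(f'{n} failed logins as {user!r} via {channel} from {src}')
```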
mhe
Contributor II

Yes, don't allow SSH on your WAN interface. Use VPN to configure the Fortigate.
bueford
New Contributor

just disabled SSH on the WAN interface. thanks MHE
sachinkapoor

You can disable SSH through the WAN interface:

System > Network > Interfaces > WAN1 or WAN2, uncheck the SSH check box

Click OK

MikePruett

Moving the SSH port to a non-standard port is all fine and dandy, but the Chinese are just going to scan the whole thing anyway and find what ports are listening.

Disable SSH on the external interface or kick on 2FA and hope for the best. In the end it is about the amount of risk you are willing to accept.

Mike Pruett Fortinet GURU | Fortinet Training Videos
emnoc
Esteemed Contributor III

Or move the SSH port to some other port than tcp/22. I run all of my FGTs that I manage remotely on port tcp/XX22. Do that little trick and it will eliminate 99.99% of those brute force/dictionary password attempts.

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

emnoc, now they only need to check 99 ports to get to your FGT... but yes, the HTTPS and SSH admin ports should be reassigned as a Best Practice. I do as well.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
bueford

I did that for HTTPS many many moons ago. I'll do it for SSH as well. Can't remember where to go though ... I'm on FortiOS v5.0,build0208. Thanks for the info.
pyy
New Contributor III

1. Configure trusted Public host address/es that are able to login

2. Disable the access on the external interface

ede_pfau
Esteemed Contributor III

I wonder why nobody (including me) mentioned 'local-in policies' with a geo-location as source address - usually you can block North Korea, China, Brazil without any drawbacks.


Ede

"Kernel panic: Aiee, killing interrupt handler!"