dirceualbrecht
New Contributor

What's the best way to block external SSH attacks?

We have a lot of attacks reported against our FortiGate 90D.

What's the correct thing to do in that case? Turning off the SSH service? Creating rules to block a list of suspect IPs?

Thanks in advance for any suggestions or information. I attached an example of the report.

emnoc
Esteemed Contributor III

1: don't use port 22

2: enable two-factor

3: use SSLVPN and then allowaccess ssh for ssl.root; this will force the admin to come in via SSL, and then you trust that ssl.pool address over the ssl.root interface

4: use trusthost

http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html

http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

As long as you have tcp.port 22 open and no trusthost, you will ALWAYS have failed logins for the common accounts.

PCNSE NSE StrongSwan
dirceualbrecht

Thanks for replying to me!

I'll go try your suggestions and post the result.

Best regards

Zac67
New Contributor

If you don't really require SSH on WAN just deactivate it. If you do need it you should at least restrict login to those subnets you need to allow access.

emnoc
Esteemed Contributor III

1> I would never run tcp.port 22 for SSH on a public internet

2> if you look at the screenshot, these same user accounts are always going to show up (root, admin, Admin, administrator, support, etc.)

3> deploying SSH access over tcp.port 2022, for example, would reduce or eliminate this issue

4> deploying an SSH portal access (they have to log in via SSLVPN) and then allowaccess over the ssl.root interface is even better imho

Ken


PCNSE NSE StrongSwan
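
The measures suggested in this thread (a non-default SSH port, trusted hosts, no SSH on the Internet-facing interface, SSH only through ssl.root), written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The interface name wan1, the account name admin, the remaining wan1 services and both address ranges are assumptions to replace with your own values.

```fortios
# Added example. wan1, the account name "admin" and all addresses below are
# assumed/constructed values, not taken from the thread.

# 1. Move the admin SSH listener off tcp/22 (2022 is the port named in the thread).
config system global
    set admin-ssh-port 2022
end

# 2. Trusted hosts: this account can only log in from the listed sources.
#    trusthost1 = management subnet (constructed, documentation range).
#    trusthost2 = SSL VPN client pool (assumed range), so an admin who arrives
#    through the tunnel is trusted.
#    Set trusted hosts on every admin account; a single account without them
#    keeps the login service answering to any source address.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
        set trusthost2 10.212.134.0 255.255.255.0
    next
end

# 3. Internet-facing interface: list only the services still required and
#    leave ssh out. ping and https stand in for whatever you still need.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# 4. Allow SSH on the SSL VPN tunnel interface instead, so an administrator
#    has to authenticate to the SSL VPN before the SSH prompt is reachable.
config system interface
    edit "ssl.root"
        set allowaccess ssh
    next
end
```

Apply the trusted-host and interface changes from a session that falls inside the new trusted ranges, or from the console, so the change does not cut off the session making it.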