Only Allow SSH from certain country [Answered]

Author
nbctcp
Bronze Member
  • Total Posts : 46
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/03/05 04:48:26
  • Location: Indonesia
  • Status: offline
2019/10/11 10:12:28 (permalink) 6.2
0

Only Allow SSH from certain country

Let's say I have a file ID.txt that contains Indonesian IP subnets:
223.130.20.0/22
223.164.0.0/16
223.165.4.0/22
223.255.224.0/21
It contains 2700 IPs.
 
GOALS:
1. Only allow SSH from the IPs in ID.txt
2. Block those Indonesian IPs that are doing SSH brute-force attacks with 5 consecutive failures
 
QUESTIONS:
1. How to achieve that?
tq
#1
ede_pfau
Expert Member
  • Total Posts : 6127
  • Scores: 496
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Only Allow SSH from certain country 2019/10/11 11:10:25 (permalink)
0
1. create an address object for each IP
2. create address group(s) (a group may only hold a certain number of addresses, or other groups)
3. create a local-in policy, allowing this address group as source, service=SSH
 
Look here https://www.beneicke-edv.de/support/tools/ for a python script I wrote for exactly this task. The page is in English.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
nbctcp
Bronze Member
  • Total Posts : 46
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/03/05 04:48:26
  • Location: Indonesia
  • Status: offline
Re: Only Allow SSH from certain country 2019/10/11 15:57:51 (permalink)
0
GOALS
1. ANSWERED BY YOU

config firewall address
    edit "GEO_ID"
        set uuid 992c53f4-ec74-51e9-b083-6714337c388e
        set type geography
        set country "ID"
    next
    edit "GEO_SG"
        set uuid afcffba6-ec74-51e9-f22b-25a40302a11f
        set type geography
        set country "SG"
    next
end
 
config firewall addrgrp
    edit "GEO_ALL"
        set uuid c60f7964-ec74-51e9-05e0-0d79566490db
        set member "GEO_ID" "GEO_SG"
    next
end

2. Is there a log that shows SSH brute-force attacks on the FortiGate?
Or maybe I should pump the Forti log to an external Linux syslog server and install a logwatcher there,
so that it can watch for specific SSH login failures,
then set up a script something like this:
https://forum.fortinet.com/tm.aspx?m=138845
 
ede_pfau
1. create an address object for each IP
2. create address group(s) (a group may only hold a certain number of addresses, or other groups)
3. create a local-in policy, allowing this address group as source, service=SSH
 
Look here https://www.beneicke-edv.de/support/tools/ for a python script I wrote for exactly this task. The page is in English.
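Worked example, added here and not ede_pfau's script from beneicke-edv.de nor nbctcp's config above: a Python generator that turns an ID.txt with one CIDR per line into the three pieces ede_pfau lists, i.e. an address object per subnet, address groups of bounded size under one parent group, and a local-in policy pair that accepts SSH only from that parent group and denies it from everyone else. The four sample subnets are the ones from the question; GROUP_LIMIT, the prefix "ID", the interface "wan1" and the policy ids are assumptions, and "SSH" is the FortiOS default service object.

```python
# Added example: not ede_pfau's script from beneicke-edv.de and not nbctcp's
# config above. It turns an ID.txt of one CIDR per line into the three pieces
# ede_pfau lists: address objects, address groups of bounded size (plus one
# parent group), and a local-in policy that accepts SSH only from that group.
# Assumptions: GROUP_LIMIT is a placeholder for your model's per-group member
# limit, "ID"/"wan1"/policy ids 1-2 are example names, and "SSH" is the
# FortiOS default service object.
import ipaddress
from typing import Iterable, List, Tuple

GROUP_LIMIT = 300  # placeholder: check the addrgrp member limit for your model

# Constructed sample input in the shape of the question's ID.txt
SAMPLE_ID_TXT = """\
223.130.20.0/22
223.164.0.0/16
223.165.4.0/22
223.255.224.0/21
"""


def parse_subnets(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line (blank lines and # comments skipped)."""
    nets = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses drops overlaps and merges adjacent blocks, so the
    # FortiGate gets the fewest objects that still cover the same space.
    return list(ipaddress.collapse_addresses(nets))


def address_objects(prefix: str, nets) -> Tuple[List[str], List[str]]:
    """Step 1: one 'config firewall address' entry per subnet."""
    names, cli = [], ["config firewall address"]
    for net in nets:
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        names.append(name)
        cli += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    cli.append("end")
    return names, cli


def address_groups(prefix: str, names: List[str], limit: int) -> Tuple[str, List[str]]:
    """Step 2: chunk names into groups of at most `limit`, then one parent group."""
    if not names:
        raise ValueError("no subnets to group")
    groups, cli = [], ["config firewall addrgrp"]
    for i in range(0, len(names), limit):
        gname = f"{prefix}_GRP_{i // limit + 1}"
        groups.append(gname)
        members = " ".join(f'"{n}"' for n in names[i:i + limit])
        cli += [f'    edit "{gname}"', f"        set member {members}", "    next"]
    parent = f"{prefix}_GRP_ALL"  # group of groups, used as the policy source
    cli += [f'    edit "{parent}"',
            "        set member " + " ".join(f'"{g}"' for g in groups),
            "    next", "end"]
    return parent, cli


def local_in_policy(group: str, intf: str, first_id: int = 1) -> List[str]:
    """Step 3: accept SSH from the group, then deny SSH from everyone else.
    Local-in policies match top-down, so the accept must precede the deny."""
    def rule(pid: int, src: str, action: str) -> List[str]:
        return [f"    edit {pid}",
                f'        set intf "{intf}"',
                f'        set srcaddr "{src}"',
                '        set dstaddr "all"',
                '        set service "SSH"',
                '        set schedule "always"',
                f"        set action {action}",
                "    next"]
    return (["config firewall local-in-policy"]
            + rule(first_id, group, "accept")
            + rule(first_id + 1, "all", "deny")
            + ["end"])


def build_config(lines: Iterable[str], prefix: str = "ID", intf: str = "wan1",
                 limit: int = GROUP_LIMIT) -> str:
    """Full CLI text for steps 1-3."""
    names, obj_cli = address_objects(prefix, parse_subnets(lines))
    parent, grp_cli = address_groups(prefix, names, limit)
    return "\n".join(obj_cli + grp_cli + local_in_policy(parent, intf)) + "\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(build_config(f), end="")
    else:
        print(build_config(SAMPLE_ID_TXT.splitlines()), end="")
```

Run it as `python3 gen_ssh_allow.py ID.txt > ssh_allow.cfg` and paste the output into the CLI. The policy pair is order-sensitive: the accept must sit above the deny, and the deny is what turns "allow from these" into "allow only from these". If you prefer the geography objects nbctcp posted, keep only the local-in section and put "GEO_ALL" in srcaddr instead of the generated parent group.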




#3
emnoc
Expert Member
  • Total Posts : 5389
  • Scores: 353
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Only Allow SSH from certain country 2019/10/11 16:21:42 (permalink)
0
Also, you can change the service port to something other than TCP port 22; that will eliminate 99% of any SSH login password attacks. Also eliminate the default admin account from "config sys admin".
 
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#4
nbctcp
Bronze Member
  • Total Posts : 46
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/03/05 04:48:26
  • Location: Indonesia
  • Status: offline
Re: Only Allow SSH from certain country 2019/10/11 19:35:51 (permalink)
0
Yeah,
FortiGate doesn't support what MikroTik does, i.e.
-Tarpitting
https://wiki.mikrotik.com..i/DoS_attack_protection
-Port knocking
https://wiki.mikrotik.com/wiki/Port_Knocking
 
Current solution:
1. Disable SSH on WAN, only enable it on LAN
2. Admin from outside must use VPN
3. Like you said:
-Change SSH port
-Change admin user, create blackhole admin user
#5
emnoc
Expert Member
  • Total Posts : 5389
  • Scores: 353
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Only Allow SSH from certain country 2019/10/12 07:39:43 (permalink) ☼ Best Answer by nbctcp 2019/10/22 20:07:22
0

Fortigate didn't support like Mikrotik does i.e
-Tarpitting
https://wiki.mikrotik.com..i/DoS_attack_protection
-Port knocking
https://wiki.mikrotik.com/wiki/Port_Knocking
 

 
No "commercial" firewall that I know of does NOT support port-knocking. Also keep in mind that fail-timeout is a security feature that will deny failed logins per src-ip. The facts of trusted host, MFA, changing the admin port, and elimination of the admin account name are 99.99% of your sys hardening to keep the FGT safe.
 
config sys admin
    (admin) # rename admin to noadmin
    (admin) # del noadmin
    (admin) # end

Do that from the newly created super_admin.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
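An added example, not code from the thread, for goal 2 and the syslog route nbctcp suggested in #2: a Python watcher that reads FortiGate event-log lines forwarded to a Linux syslog host, counts consecutive admin SSH login failures per source address (a successful login resets that source's streak), and prints FortiOS CLI that denies SSH from any address that reached five. The lines in SAMPLE_LOG are constructed to resemble FortiOS admin-login events (logdesc, ui, method, srcip, action, status fields); check the field names against your own logs. The interface "wan1" and policy id 10 are placeholders.

```python
# Added example, not from the thread: a log watcher for the syslog approach
# nbctcp describes. It parses FortiGate key=value event lines, counts
# *consecutive* admin SSH login failures per srcip, and emits FortiOS CLI that
# denies SSH from any source that hit the threshold. SAMPLE_LOG is constructed
# to resemble FortiOS admin-login events; verify the field names on your box.
# "wan1" and policy id 10 are placeholders.
import re
from collections import defaultdict
from typing import Dict, Iterable

THRESHOLD = 5  # the question's "5 consecutive failures"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: A fails 5x in a row; B fails 3x, logs in, fails 2x more
# (never 5 consecutive); C fails twice over HTTPS (not SSH, so ignored).
SAMPLE_LOG = """\
date=2019-10-11 time=10:01:01 logid="0100032002" logdesc="Admin login failed" user="admin" ui="ssh(223.164.1.10)" method="ssh" srcip=223.164.1.10 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:01:02 logid="0100032002" logdesc="Admin login failed" user="admin" ui="ssh(223.164.1.10)" method="ssh" srcip=223.164.1.10 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:01:03 logid="0100032002" logdesc="Admin login failed" user="admin" ui="ssh(223.164.1.10)" method="ssh" srcip=223.164.1.10 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:01:04 logid="0100032002" logdesc="Admin login failed" user="admin" ui="ssh(223.164.1.10)" method="ssh" srcip=223.164.1.10 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:01:05 logid="0100032002" logdesc="Admin login failed" user="admin" ui="ssh(223.164.1.10)" method="ssh" srcip=223.164.1.10 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:02:01 logid="0100032002" logdesc="Admin login failed" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:02:02 logid="0100032002" logdesc="Admin login failed" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:02:03 logid="0100032002" logdesc="Admin login failed" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:02:04 logid="0100032001" logdesc="Admin login successful" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="success" reason="none"
date=2019-10-11 time=10:02:05 logid="0100032002" logdesc="Admin login failed" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:02:06 logid="0100032002" logdesc="Admin login failed" user="ops" ui="ssh(223.165.4.7)" method="ssh" srcip=223.165.4.7 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:03:01 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(223.130.21.5)" method="https" srcip=223.130.21.5 action="login" status="failed" reason="passwd_invalid"
date=2019-10-11 time=10:03:02 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(223.130.21.5)" method="https" srcip=223.130.21.5 action="login" status="failed" reason="passwd_invalid"
"""


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_brute_forcers(lines: Iterable[str], threshold: int = THRESHOLD,
                       methods=("ssh",)) -> Dict[str, int]:
    """Return {srcip: streak} for sources whose consecutive-failure streak
    reached `threshold`. A successful login resets that source's streak."""
    streak: Dict[str, int] = defaultdict(int)
    flagged: Dict[str, int] = {}
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("method") not in methods:
            continue
        ip = ev.get("srcip")
        if not ip:
            continue
        if ev.get("status") == "failed":
            streak[ip] += 1
            if streak[ip] >= threshold:
                flagged[ip] = streak[ip]
        elif ev.get("status") == "success":
            streak[ip] = 0
    return flagged


def block_cli(ips: Iterable[str], intf: str = "wan1", policy_id: int = 10) -> str:
    """FortiOS CLI: one host address object per offender, one local-in deny."""
    ips = sorted(ips)
    if not ips:
        return ""
    names = [f"BLOCK_{ip}" for ip in ips]
    cli = ["config firewall address"]
    for name, ip in zip(names, ips):
        cli += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    cli += ["end", "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"',
            "        set srcaddr " + " ".join(f'"{n}"' for n in names),
            '        set dstaddr "all"', '        set service "SSH"',
            '        set schedule "always"', "        set action deny",
            "    next", "end"]
    return "\n".join(cli) + "\n"


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    sys.stdout.write(block_cli(find_brute_forcers(source)))
```

Feed it the forwarded log (`python3 ssh_watch.py < /var/log/fortigate.log`) and place the generated deny policy above any accept for SSH, since local-in policies match top-down. FortiOS also has its own per-source lockout for admin logins (admin-lockout-threshold and admin-lockout-duration under config system global), which is the per-src-ip denial of failed logins emnoc describes; the script is for when you want a longer-lived block expressed as a firewall object rather than a temporary lockout.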
#6
fernandezm_FTNT
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/14 02:46:59
  • Status: offline
Re: Only Allow SSH from certain country 2019/11/01 20:08:10 (permalink)
0
There are a few ways to skin this cat, depending on the version of FortiOS you are running. In 6.2 we introduced "Dynamic Address Lists": you can set up a web server internally, as an example, and add the IP addresses you want to block. The FortiGate will pull the list of IP addresses from the server and create a dynamic address group you can use in your policies.
 
NOTE: 6.0 had a limited functionality feature where it ONLY worked in conjunction with DNS.  That is, if 1.1.1.1 was a bad guy, and you opened your browser and typed www.goodguy.com and the DNS server responded with 1.1.1.1, it would block it, however if you opened your browser and typed http://1.1.1.1 it would allow you to go.
 
Also noteworthy: if you are using 'Central NAT' you do not have to worry; however, if you are using policy NAT and using the VIP as the destination IP in your policy, you will need to create a policy containing all the VIPs you want to protect from the geo list, or 'set match-vip enabled'.
 
Check out an article I wrote on both the Dynamic Address Objects and the VIP issue, as well as a geo script to add all countries.
#7
nbctcp
Bronze Member
  • Total Posts : 46
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/03/05 04:48:26
  • Location: Indonesia
  • Status: offline
Re: Only Allow SSH from certain country 2019/11/02 03:19:43 (permalink)
0
These Dynamic Address Objects are interesting, but you said it is for blocking.
Let's say I have 2000 IPs.
What if I want to ALLOW SSH to my FortiGate from those IPs?
 
fernandezm@fortinet.com
There are a few ways to skin this cat.  Depending on the version of FortiOS you are running.  In 6.2 we introduced "Dynamic Address Lists" you can set up a web-server internally as an example and add the IP addresses you want to block.  The Fortigate will pull the list of IP addresses from the server and create a dynamic address group you can use in your policies. 
 
NOTE: 6.0 had a limited functionality feature where it ONLY worked in conjunction with DNS.  That is, if 1.1.1.1 was a bad guy, and you opened your browser and typed www.goodguy.com and the DNS server responded with 1.1.1.1, it would block it, however if you opened your browser and typed http://1.1.1.1 it would allow you to go.
 
Also noteworthy, if you are using 'Central NAT' you do not have to worry, however if you are using policy NAT and using the vip as the destination IP in your policy, you will need to create a policy containing the all the VIPs you want to protect from the geo list or 'set match-vip enabled'  
 
Check out an article I wrote on both the Dynamic Address Objects and the VIP issue, as well as a geo script to add all countries.

#8
fernandezm_FTNT
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/14 02:46:59
  • Status: offline
Re: Only Allow SSH from certain country 2019/11/02 05:38:24 (permalink)
0
Yes, absolutely. Allow or block.
#9
fernandezm_FTNT
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/14 02:46:59
  • Status: offline
Re: Only Allow SSH from certain country 2019/11/02 05:44:29 (permalink)
0
Here is the screenshot from my post. You can choose the IP address list as a source or destination and choose accept or deny.
