"Too many login failures." by administrator - how to reset lockout?

Author
AlexFeren
Gold Member
  • Total Posts : 154
  • Scores: 6
  • Reward points: 0
  • Joined: 2011/10/05 17:04:08
  • Status: offline
2020/01/23 00:34:55 (permalink)
0

"Too many login failures." by administrator - how to reset lockout?

Hi Fortigurus,
if an administrator has entered "Too many login failures. Please try again in a few minutes..." lockout state, using CLI command, how can I see which administrator is locked-out and what's the CLI command to unlock (before expiry)?
R's, Alex
 
#1


    ShawnZA
    Bronze Member
    • Total Posts : 50
    • Scores: 7
    • Reward points: 0
    • Joined: 2018/04/02 23:31:22
    • Location: Cape Town
    • Status: offline
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/23 01:01:52 (permalink)
    0
    Wait for the time to expire and change the thresholds for the lockout
    post edited by ShawnZA - 2020/01/23 01:04:10
    #2
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/24 13:26:57 (permalink)
    0
    I was hoping for something more immediate than waiting for timeout.

    Does same answer apply to SSL VPN users?
    #3
    rwpatterson
    Expert Member
    • Total Posts : 8434
    • Scores: 199
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/24 14:26:10 (permalink)
    0
    If you have individual accounts, have another admin log in and look at the logs. Or maybe syslog?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/24 16:22:13 (permalink)
    0
    My issue isn't knowing of lockout but resetting it.
    #5
    emnoc
    Expert Member
    • Total Posts : 5508
    • Scores: 355
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/24 20:32:18 (permalink)
    0
    I think some issues are not clear: when you get the reject, it's not for a user but an IP-addr. So the FGT has no clue, nor does it care, what the user account is that keeps failing.
     
    The command to see current login users: "get sys admin list"
     
    If you need to look for log messages; in the category of events
     
    Ken Felix
     
     
     

    PCNSE 
    NSE 
    StrongSwan  
    #6
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/24 23:14:52 (permalink)
    0
    Received alertemails:

    Message meets Alert condition
    The following critical firewall event was detected: Admin login disabled.
    date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"

    Message meets Alert condition
    The following critical firewall event was detected: Admin login failed.
    date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"

    Message meets Alert condition
    The following critical firewall event was detected: Admin login failed.
    date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935965 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"  

    You're correct, I assumed wrong - the login failures are username/IP-specific, but the lockout (topmost) is IP.
     
    The gist of the question still remains: is it possible to undo a lockout (now, from IP, instead of administrator username)? And, does the same apply to SSL VPN lockout?
    post edited by AlexFeren - 2020/01/24 23:27:50
    #7
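Added example, not part of the original thread and not Fortinet code: the alert lines quoted in the post above show that "Admin login failed" events carry user= and srcip=, while the "Admin login disabled" event names only the IP in ui=. The Python below parses those key=value lines and groups failed usernames and lockouts per source IP; the function names are hypothetical and the 203.0.113.9 line is constructed.

```python
import re
from collections import defaultdict

# Abridged copies of the three alert lines quoted in the post above, plus one
# constructed line (203.0.113.9) for a source that failed but was not locked out.
SAMPLE = '''\
date=2020-01-25 time=18:06:05 logid="0100032002" eventtime=1579935965 logdesc="Admin login failed" user="alex_admin" ui="https(192.168.1.21)" srcip=192.168.1.21 status="failed" reason="passwd_invalid"
date=2020-01-25 time=18:06:10 logid="0100032002" eventtime=1579935970 logdesc="Admin login failed" user="alex_admin" ui="https(192.168.1.21)" srcip=192.168.1.21 status="failed" reason="passwd_invalid"
date=2020-01-25 time=18:06:10 logid="0100032021" eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" status="failed" reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"
date=2020-01-25 time=18:07:00 logid="0100032002" eventtime=1579936020 logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
'''

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOCKOUT_MSG = re.compile(r'for (\d+) seconds because of (\d+) bad attempts')


def parse_line(line):
    """Turn one FortiGate event line into a dict of its fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in PAIR.findall(line)}


def summarize(text):
    """Per source IP: failed admin usernames and any lockout the unit applied."""
    report = defaultdict(lambda: {"users": defaultdict(int), "lockouts": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("logdesc") == "Admin login failed":
            report[ev["srcip"]]["users"][ev["user"]] += 1
        elif ev.get("logdesc") == "Admin login disabled":
            # The lockout event identifies only the IP (in ui=), never a username.
            m = LOCKOUT_MSG.search(ev.get("msg", ""))
            report[ev["ui"]]["lockouts"].append({
                "at": int(ev["eventtime"]),
                "seconds": int(m.group(1)) if m else None,
                "attempts": int(m.group(2)) if m else None,
            })
    return {ip: {"users": dict(r["users"]), "lockouts": r["lockouts"]}
            for ip, r in report.items()}


if __name__ == "__main__":
    for ip, result in summarize(SAMPLE).items():
        print(ip, result)
```
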
    ede_pfau
    Expert Member
    • Total Posts : 6184
    • Scores: 510
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/26 11:17:37 (permalink)
    0
    Have you tried
    diag user quarantine list
    diag user quarantine delete src4 x.x.x.x
    ?
     
    It's meant for user quarantine by IPS/AppCtrl but it might apply to admin lockout as well...surprisingly hard to test without a helping hand. If it applies you would see the q'ed IP with the 'list' command.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #8
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/26 18:19:07 (permalink)
    0
    Tried.. Entered wrong SSL VPN credentials more than 3 times, browser showing "Too many bad login attempts. Please try again in a few minutes." and received 3 emailalerts, of type:
    Message meets Alert condition
    The following critical firewall event was detected: SSL VPN login fail.
    date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1580091212 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=45.125.247.196 user="alex" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
    Interestingly, no alert about lockout!
    On CLI:
    FWF61E4Q16001082 # diagnose user quarantine list
    src-ip-addr       created                  expires                  cause            
    FWF61E4Q16001082 #
     
    #9
    emnoc
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/26 18:45:10 (permalink)
    0
    I can't think of anything that would let you unlock a user/ip, but what is your lock-out time?  1 2 3  mins or what ?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #10
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/27 19:44:53 (permalink)
    0
    emnoc: "what is your lock-out time?  1 2 3  mins or what ?"



    Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.
    post edited by AlexFeren - 2020/01/27 20:21:34
    #11
    ede_pfau
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/28 02:01:06 (permalink)
    0
    Alex,
     
    invalid SSL VPN logins are not the same as invalid admin logins (what your question was about). Not all situations which appear to be 'similar' need to be handled in a similar fashion in FortiOS.
    SSLVPN is IMHO just a user login, and I would have expected to see violators in the quarantine. But the threshold is def. not set in 'admin-lockout-threshold'.
     
    edit:
    config vpn ssl settings
    set login-attempt-limit {integer} SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). range[0-4294967295]
    set login-block-time {integer} Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). range[0-4294967295]

     
    and I would expect failed login IPs in User > Quarantine.
    post edited by ede_pfau - 2020/01/28 02:40:06

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #12
    emnoc
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/28 07:30:58 (permalink)
    0
     Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.

     
    Not correct by any means, also when your address is locked out you can use another address and the same admin account to log in. If what you stated was correct, a hacker could conduct a denial of service attack and lock out any "admin" account.
     
    Btw, I never use the default "admin" for the system in a fortigate.
     
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #13
    AlexFeren
    Re: "Too many login failures." by administrator - how to reset lockout? 2020/01/28 13:13:47 (permalink)
    0
    Perhaps you scrutinise every alertemail or log messages - you’ll notice consistently wrong credentials indicative of brute force. I don’t/can’t, so, to have this indelibly flagged I want indefinite lockout, requiring human intervention (not just to unlock but to determine context).
    (Our admin trustedhost addresses include a variety of address spaces, including a static VPN address.)
    post edited by AlexFeren - 2020/01/28 13:19:43
    #14