Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mturic
Staff
Staff

Created on ‎06-19-2020 03:25 AM Edited on ‎02-07-2024 11:20 PM By Moderator

Article Id 192015

Technical Tip: How to prevent brute force attempts to a FortiGate administrator account login

Description

 

A brute force attempt (or attack) to the administrator account login is diagnosed by the following logs events, seen repetitively and/or in quantity (assuming Event log and Admin events are enabled):

 

Administrator root login failed from ssh(xxx.xxx.xxx.xxx) because of invalid user name.

 

After a few failed log messages the following message will be seen:

 

Login disabled from IP xxxx for 60 seconds because of too many bad attempts.

 

In most cases, these logon attempts are generated by automatic hacker tools running on many compromised computers and scanning for live SSH targets to exploit known vulnerabilities or/and perform password brute force.

This article describes how to avoid this.

Solution

 

  1. Set Trusted hosts to allow connection only from known and trusted IP addresses.

    From the GUI, go to System -> Administrators, edit the required account, and set trusted hosts (can be a single host or a whole subnet, that are allowed to connect to the FortiGate).



 
 
Note that if only one administrator account does not have trusted hosts set, FortiGate will allow access to the admin resources (HTTP/S, SSH) from all IP addresses.
In this case, it will only limit the other admins with set trusted hosts to access from those hosts.
 
  1. Change the SSH and HTTPS ports from the default (22 and 443) to different higher ports.

    From the GUI, go to System -> Settings, and edit the SSH port (set for example to 2202) and HTTPS port (set for example to 10500).
     
     
     
  1. Increase the lockout time to deter the less patient.

    From CLI.

    config system global
        set admin-lockout-duration 600         <----- Default value is 60 seconds.
    end

  2. Use long and complex passwords.

    Do not use dictionary words and trivial key combinations such as 'qwerty'.
    Force strong admin passwords by setting password policy from System- > Settings -> Password Policy.
     
     
     
     
  3. Remove the account named 'admin' after having created other account(s) with a super_admin profile.
     
  4. Configure local-in policy to block administrative access from attackers or malicious IPs trying to get into the FortiGate. To configure the local-in policy, follow the steps from the below link:
     

Related Articles:

Technical Tip: How to delete or rename the default 'admin' user

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ... 

19178
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.