Fortinet VPN: lots of failed logins from bots/hackers - how to stop this?

We have a FortiGate 60E which is running FortiOS 6.4.4, and the SSL-VPN has been set up for years with 2FA and never really had any problems. However, we are now getting around 15 failed login attempts a day (spread out) from different IP addresses and wondered if there is anything I can do to prevent this?

The users they are trying to log in as are the usual suspects: admin, administrator, vpn, etc. Of course none of these exist, and all our accounts are set with strong passwords + 2FA. Also, one thing to note is our VPN URL is something like vpn.domainname.com, so maybe this doesn't help for keeping it hidden?

Is it just a case of keeping an eye on it, or can we maybe restrict the Fortinet VPN down to a country or use some other technique to stop them trying to connect?

Use geographic range address object to limit logins to your country of operation.

Regional IP blocks, when you know you cannot get logins from foreign countries. If you cannot know that, it is obviously not an option. Nothing you can do then, except for requiring client certificates, which is not often an option, as this requires fully managed devices.

On the other hand… 15 login attempts that cannot succeed… Who cares.

Who really cares about failed login attempts? Use MFA.

All that stuff is likely scripted using IPs, there’s little point in “hiding” the FQDN.

For a smaller shop, possibly log scraping with a deny list (akin to fail2ban) as well as geo restrictions?

That’s odd you bring that up; we haven’t seen this level of VPN attempts in the past year. Just started going nuts last night trying to connect. Wonder why?

FQDN makes it easier only if they are spear targeting you. 99% of those failed attempts are coming from port scans coming across the internet. They’re just scanning every IP, every port, finding the portal that way. The certificate will give them the FQDN the first time they find it anyway, so who cares…

You can set your failed login timeout to block them for days. That should cut down on things for a while, and hopefully they just give up and go away by the time that expires.

If you feel really ambitious, you can make a script and Python code to make a list of banned IPs, auto add them when they trip the failed login a ridiculous number of times, and move on with life.
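The fail2ban-style log scraping suggested earlier in the thread and the "script to auto-add banned IPs" idea above, worked through as an added example (not code from the thread or from Fortinet). It parses SSL-VPN login-failure event lines, applies a per-source sliding-window threshold, summarises the username sweep, and emits FortiOS CLI text that puts the offending addresses into an address group you would reference from a deny local-in policy or the SSL-VPN source-address restriction. The sample log lines are constructed and only loosely modelled on the key=value layout of FortiOS "SSL VPN login fail" events; the field names `remip`, `user` and `action`, the thresholds, and the group name `sslvpn-banned` are assumptions to adjust to your own logs and config.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real device), loosely modelled on
# the key=value layout of FortiOS "SSL VPN login fail" event logs. Field names
# such as remip/user/action are assumptions; match them to your own logs.
SAMPLE_LOG = """\
date=2021-08-20 time=02:10:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user"
date=2021-08-20 time=02:21:40 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpn" reason="sslvpn_login_unknown_user"
date=2021-08-20 time=02:31:12 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="administrator" reason="sslvpn_login_unknown_user"
date=2021-08-20 time=03:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="vpnuser" reason="sslvpn_login_unknown_user"
date=2021-08-19 time=09:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.44 user="jdoe" reason="sslvpn_login_permission_denied"
date=2021-08-20 time=09:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.44 user="jdoe" reason="sslvpn_login_permission_denied"
date=2021-08-21 time=09:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.44 user="jdoe" reason="sslvpn_login_permission_denied"
date=2021-08-20 time=09:30:00 type="event" subtype="vpn" action="ssl-login" remip=192.0.2.44 user="jdoe" reason="N/A"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def failed_logins(log_text):
    """Return (timestamp, source_ip, username) for every SSL-VPN login failure."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "ssl-login-fail":
            continue  # successful logins and other events are ignored
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, rec["remip"], rec.get("user", "")))
    return events


def ips_to_ban(events, threshold=3, window=timedelta(hours=1)):
    """Sources with at least `threshold` failures inside some `window`-long span.
    A sliding window over each source's sorted timestamps means a legitimate
    user mistyping once a day never trips the ban, while a burst does."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                banned.add(ip)
                break
    return sorted(banned)


def campaign_summary(events):
    """Distinct sources and the usernames tried, to recognise a distributed
    sweep of guessed account names (admin, vpn, administrator, ...)."""
    return {"distinct_ips": len({ip for _, ip, _ in events}),
            "usernames": Counter(user for _, _, user in events)}


def fortios_ban_commands(ips, group="sslvpn-banned"):
    """Emit FortiOS CLI adding each source as a /32 address object inside one
    address group (group name is an assumption). The script is meant to own
    the group, so `set member` rewrites the full list on every run."""
    if not ips:
        return ""
    lines = ["config firewall address"]
    for ip in ips:
        lines += [f'    edit "ban-{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"ban-{ip}"' for ip in ips),
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    ev = failed_logins(SAMPLE_LOG)
    print(campaign_summary(ev))
    print(fortios_ban_commands(ips_to_ban(ev)))
```

Run against the constructed sample, only 203.0.113.10 is banned: its three failures fall inside one hour, while 192.0.2.44 also fails three times but spread over three days, which is what a real user with a stale saved password looks like. Pushing the generated commands to the unit (SSH, or the REST API with a token) is left out on purpose; review the list before it goes live, and pair the group with the SSL-VPN lockout settings rather than relying on it alone.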

Here’s a script to block SSL-VPN logins on port 10443 from “known bad” countries.

I had constant VPN attempts… it turned out to be someone that had my IP and an IPsec tunnel configured to that IP. They cancelled the IP, but never removed the IPsec config. Was really hard to figure out what it was, but I could have just blocked the IP.

Recently I got a lot of this too, so annoying.

You can’t really. You might be able to limit where you allow connections from, but at the end of the day you’re running a service on the Internet that people need to connect to. You will see failed connections and login attempts when you have anything open to the world. Make sure you have 2-factor set up on your VPN and you keep the code on your endpoint (FortiGate/VPN server/whatever) patched. We’ve had over 6K failed logins to our VPN so far in August. Probably mostly just people typing their passwords wrong, but I’m sure there are other bad people trying to get in as well.

Totally agree with everyone on the GeoIP blocking / masking the FQDN to not be VPN or Remote or SSLVPN. I would also recommend a non-standard port.

Same here since only 3 days. I use 10443 and an obscure URL. For 5 years this way. Not even 1 attempt in 5 years. Now around 5 a day for admin, vpnuser, etc. Wonder how they got it… would it be some “sniffing” thing on our holiday addresses?

Ah yes… the failed SSL login attempts since the last three days. I will go with the geoblock thing. Most attempts are from India.

Same here. For the several clients with vpn enabled, we’re seeing failed login attempts every 15 minutes. It’s been noisy in our ticketing system.

I have monitored this. The bot tries every 10-11 minutes from different IP addresses. Also it is now going to try with different usernames.

Example ip addresses:
101.181.66.8
171.100.221.164
185.113.173.86
212.92.15.94
87.68.224.171
14.185.224.108
178.251.46.82

Example usernames:
administrator
administrador
vpn
vpnuser
admin
aadmin
badmin
cadmin
dadmin
etc.

I wonder if and how I can “see” the passwords they are trying…

This has been happening at my company for the past few days. Never had this happen before that.

For me it started 4 days ago… yesterday I put the geoblock in and no more attempts since… thanks for the post.

Since 8/19-21 we have the same problem.

I had 300 emails this morning because of false logins. Is the SSL web portal prevented from being accessed when I enable geographical blocking?

FortiOS 6.4.6

I would +100 this if I could. Geo-fenced a (multinational) customer recently for specifically this reason. They only had legit traffic out of 3-4 countries. This cleaned the logs up of attacks on the VPN and other things pretty nicely.