We have a FortiGate 60E running FortiOS 6.4.4, and the SSL-VPN has been set up for years with 2FA and never really had any problems. However, we are now getting around 15 failed login attempts a day (spread out) from different IP addresses and wondered if there is anything I can do to prevent this?
The users they are trying to log in as are the usual suspects (admin, administrator, vpn, etc.), and of course none of these exist, and all our accounts are set with strong passwords + 2FA. Also, one thing to note is that our VPN URL is something like vpn.domainname.com, so maybe this doesn't help for keeping it hidden?
Is it just a case of keeping an eye on it, or can we maybe block the Fortinet VPN down to country or use some other technique to stop them trying to connect?
Regional IP blocks, when you know you cannot get logins from foreign countries. If you cannot know that, it is obviously not an option. Nothing you can do then, except for requiring client certificates, which is not often an option, as it requires fully managed devices.
On the other hand… 15 login attempts that cannot succeed… Who cares.
That's odd you bring that up; we haven't seen this level of VPN attempts in the past year. Just started going nuts last night trying to connect. Wonder why?
The FQDN makes it easier only if they are spear-targeting you. 99% of those failed attempts are coming from port scans coming across the internet. They're just scanning every IP, every port, finding the portal that way. The certificate will give them the FQDN the first time they find it anyway, so who cares…
You can set your failed login timeout to block them for days. That should cut down on things for a while, and hopefully they just give up and go away by the time that expires.
If you feel really ambitious, you can make a script in Python to build a list of banned IPs, auto-add them when they trip the failed login a ridiculous number of times, and move on with life.
I had constant VPN attempts… it turned out to be someone who had my IP and an IPsec tunnel configured to that IP. They cancelled the IP but never removed the IPsec config. It was really hard to figure out what it was, but I could have just blocked the IP.
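The two replies above (raise the failed-login block time, and script a ban list from repeat offenders) can be combined. The following is an added example, not code from the original thread or from Fortinet: it parses FortiOS-style key=value SSL-VPN event lines (the sample lines are constructed), counts `action="ssl-login-fail"` events per source IP, and renders the FortiOS CLI to put every IP over a threshold into an address group that a local-in policy denies on the WAN interface. The threshold, the group name `ssl-vpn-banned`, the interface name `wan1`, the service name and the local-in policy ID are all assumptions to adapt to your box; an allow-list keeps you from banning your own management addresses.

```python
"""Build a FortiGate ban list from SSL-VPN login-failure log lines.

Added example (not from the thread or Fortinet). Assumes FortiOS key=value
event logs carrying action="ssl-login-fail", remip= and user= fields.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines in FortiOS key=value style (not real logs).
SAMPLE_LOGS = """\
date=2021-03-02 time=03:14:07 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="admin" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=03:14:09 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="administrator" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=03:14:12 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="vpn" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=04:02:51 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.23 user="admin" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=04:15:30 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="root" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=08:31:02 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=192.0.2.77 user="jsmith"
date=2021-03-02 time=08:31:40 type="event" subtype="vpn" level="information" action="ssl-login" remip=192.0.2.77 user="jsmith"
date=2021-03-02 time=11:47:19 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="test" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=13:05:44 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.23 user="vpnuser" reason="sslvpn_login_unknown_user"
date=2021-03-02 time=19:22:08 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.5 user="guest" reason="sslvpn_login_unknown_user"
"""

FAIL_THRESHOLD = 5             # assumption: failures per IP before it is banned
BAN_GROUP = "ssl-vpn-banned"   # assumption: address group name on the FortiGate
WAN_INTERFACE = "wan1"         # assumption: interface the portal listens on
VPN_SERVICE = "HTTPS"          # assumption: use a custom service if you run 10443
LOCAL_IN_POLICY_ID = 1         # assumption: a free local-in policy ID
ALLOWLIST = {"192.0.2.77"}     # assumption: addresses that must never be banned

# key=value pairs; values are either "quoted" or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of field -> value for one FortiOS log line."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def count_failures(log_text):
    """Count ssl-login-fail events per source IP and collect the usernames tried."""
    fails = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "ssl-login-fail":
            continue
        ip = f.get("remip")
        if not ip:
            continue
        fails[ip] += 1
        users[ip].add(f.get("user", ""))
    return fails, users


def ban_candidates(fails, threshold=FAIL_THRESHOLD, allowlist=ALLOWLIST):
    """IPv4 sources at or over the threshold, minus the allow-list, sorted."""
    out = []
    for ip, n in fails.items():
        if n < threshold or ip in allowlist:
            continue
        try:
            if ipaddress.ip_address(ip).version != 4:
                continue  # v6 would need "config firewall address6"; out of scope here
        except ValueError:
            continue
        out.append(ip)
    return sorted(out, key=lambda s: ipaddress.ip_address(s))


def fortios_ban_config(ips, group=BAN_GROUP, intf=WAN_INTERFACE,
                       service=VPN_SERVICE, policy_id=LOCAL_IN_POLICY_ID):
    """Render FortiOS CLI: /32 address objects, an address group and a deny local-in policy."""
    if not ips:
        return ""
    lines = ["config firewall address"]
    for ip in ips:
        lines += [f'    edit "ban-{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines.append("end")
    members = " ".join(f'"ban-{ip}"' for ip in ips)
    lines += ["config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    lines += ["config firewall local-in-policy", f"    edit {policy_id}",
              f'        set intf "{intf}"', f'        set srcaddr "{group}"',
              '        set dstaddr "all"', f'        set service "{service}"',
              '        set schedule "always"', "        set action deny",
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    fails, users = count_failures(SAMPLE_LOGS)
    for ip in ban_candidates(fails):
        print(f"# {ip}: {fails[ip]} failures, users tried: {sorted(users[ip])}")
    print(fortios_ban_config(ban_candidates(fails)))
```

Run the script against `get log eventlog` output or the SSL-VPN event log exported from FortiAnalyzer/syslog, review the rendered CLI, then paste it into the CLI console; keep the allow-list populated with your admin and office addresses before you let anything apply it automatically.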
You can't really. You might be able to limit where you allow connections from, but at the end of the day you're running a service on the Internet that people need to connect to. You will see failed connections and login attempts when you have anything open to the world. Make sure you have 2-factor set up on your VPN and you keep the code on your endpoint (FortiGate/VPN server/whatever) patched. We've had over 6K failed logins to our VPN so far in August. Probably mostly just people typing their passwords wrong, but I'm sure there are other bad people trying to get in as well.
Same here, since only 3 days ago. I use 10443 and an obscure URL. For 5 years this way. Not even 1 attempt in 5 years. Now around 5 a day for admin, vpnuser, etc. Wonder how they got it… would it be some "sniffing" thing on our holiday addresses?
I would +100 this if I could. Geo-fenced a (multinational) customer recently for specifically this reason. They only had legit traffic out of 3-4 countries. This cleaned the logs up of attacks on the VPN and other things pretty nicely.