Threat Feeds - Custom solution for failed SSLVPN login

Hi all

I am looking for a solution to autoblock failed SSLVPN logins like is described here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-permanently-block-SSL-VPN-failed-logins/ta-p/287171

Now we have several thousand attempts each day, and adding the IPs to an address group has its limits. I want to use an external Threat Feed to which I can add an IP each time one fails to log in to SSLVPN, ideally through an API call.

I tried looking into GitHub and such, but GitHub requires you to convert your API call to base64, so there is no option to do that from the FortiGate GUI/CLI. Anyone have any options? Any self-hosted solutions that could host a text file and be updated/appended with a simple API call?

Thanks in advance!

Did you already put SSLVPN on a loopback and use ISDB blocking (anonymous VPN, Tor, bulletproof, malicious, scanners, …)?

I went down to ~1% of the logon attempts I had before.

Talos and Proofpoint IP Blocklists are also nice to add via feed.

Here is my entire SSLVPN config.

It uses auto-block based on the ~20 most common user names attempted, uses ISDB, uses ASN block lists, geo blocking, etc.

https://github.com/wallacebrf/dns/blob/main/SSL_VPN%20Config%20with%20loopback%20and%20auto-block.txt

We have our SSLVPN pointing to NPS servers, so we can query the event logs on those, pull the public IPs, get counts on how many attempts within a time range, and add them to a text file we use for an internal threat feed. I use PowerShell to query the NPS event logs and parse out the public IPs.

https://www.reddit.com/r/fortinet/comments/1f5x2hm/automation_idea/lkypepk/

Had a similar problem. Solved it using an automation stitch on the FGT side by sending a webhook to AWS API Gateway, which triggers a Lambda function. The Lambda function writes an IP address to a file that is stored in an S3 bucket. Afterwards, I use the S3 public URL as an external threat feed in the policy. Works like a charm.
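The stitch-to-S3 pipeline described in the reply above, as an added example (not the poster's code): a Lambda handler that takes the API Gateway proxy event, validates the address the FortiGate webhook sent, and appends it to the feed object that the firewall later pulls. The bucket and key names, the `remip` JSON key in the webhook body, and the `MemoryS3` stand-in are assumptions made for this example so it runs offline; the real deployment path uses `boto3`.

```python
"""Hypothetical AWS Lambda behind API Gateway for a FortiGate automation stitch.

Flow as in the reply above: FortiGate webhook -> API Gateway -> Lambda ->
append the offending IP to a text object in S3 -> the object's URL is the
FortiGate external IP threat feed. Example code, not the poster's. boto3 is
only imported when no client is injected, so the logic runs offline against
the in-memory stand-in below.
"""
import io
import ipaddress
import json

FEED_BUCKET = "example-sslvpn-feed"   # assumed bucket name
FEED_KEY = "blocklist.txt"            # assumed object key
MAX_ENTRIES = 131072                  # keep the feed bounded


class MemoryS3:
    """In-memory stand-in exposing the two boto3 S3 calls the handler uses."""

    def __init__(self):
        self.objects = {}

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects.get((Bucket, Key), b""))}

    def put_object(self, Bucket, Key, Body, ContentType):
        self.objects[(Bucket, Key)] = Body


def load_feed(s3, bucket, key):
    """Read the feed object; '#' starts a comment, blank lines are ignored."""
    try:
        raw = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    except Exception:  # boto3 raises NoSuchKey on a fresh bucket
        raw = b""
    entries = []
    for line in raw.decode("utf-8", "replace").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def validate_ip(value):
    """Normalized address string, or None if malformed or not globally routable.

    The feed hangs off a deny policy, so a spoofed webhook body must not be
    able to make the firewall block RFC1918 space or the VPN's own address."""
    if not isinstance(value, str):
        return None
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def extract_ip(event):
    """API Gateway proxy events carry the webhook body as a JSON string.

    The 'remip' key is an assumption: the stitch's webhook body is templated
    by the admin, and this example expects {"remip": "<source ip>"}."""
    try:
        data = json.loads(event.get("body") or "{}")
    except (TypeError, json.JSONDecodeError):
        return None
    return data.get("remip") if isinstance(data, dict) else None


def handler(event, context=None, s3=None, bucket=FEED_BUCKET, key=FEED_KEY):
    """Lambda entry point; s3/bucket/key are injectable for offline use."""
    if s3 is None:
        import boto3  # real deployment path
        s3 = boto3.client("s3")
    ip = validate_ip(extract_ip(event))
    if ip is None:
        return {"statusCode": 400, "body": "invalid or non-routable address"}
    entries = load_feed(s3, bucket, key)
    if ip in entries:
        return {"statusCode": 200, "body": "already listed"}
    entries.append(ip)
    entries = entries[-MAX_ENTRIES:]          # drop the oldest if over the cap
    text = "# SSLVPN auto-block feed, one address per line\n" + "\n".join(entries) + "\n"
    s3.put_object(Bucket=bucket, Key=key, Body=text.encode(), ContentType="text/plain")
    return {"statusCode": 200, "body": "added %s (%d entries)" % (ip, len(entries))}
```

Two things to watch in production: the read-modify-write on the S3 object is not atomic, so two stitches firing at the same moment can drop an entry (set the Lambda's reserved concurrency to 1 or queue the webhooks through SQS), and the API Gateway endpoint should require an API key or other secret that only the firewall's webhook carries, since anyone who can reach it can otherwise add addresses to your deny list.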

SSLVPN behind the loopback and a couple of feeds along with country blocking took us down from hundreds a day to a couple a week. Even for those that do pop up, I've set the auth failure to block on the first failure for 24 hours and email me the IP. I have a private feed to add the IPs to for those, but when I add them, the whole /24 of the offending IP gets blocked. Since it's crappy hosting companies mostly, it gets solved pretty quickly. Have been running like this for a few months now and I have yet to have it impact a single legit user… probably because auth is MS SAML, so there are no local users to hammer away at, and anything that connects directly is going to be bogus.

I usually use the IPS trigger, use it to quarantine the host, then have a Linux machine go every 5 minutes and collect the quarantine IPs from all my customers’ Gates.

Correlate, and spit out a text file that they all download every 10 minutes.

Result: trip IPS on one of my customers, you’re banned within 15 minutes at ALL my customers. Buhbye.

I was able to build it in about 4 days in my very first “I should try to learn python” project years ago. Now with over 175,000 IPs in the list, I typically get 2-3 false positives I have to fish out per year.

I also made a ./c script where I can just run /c to check if it’s in the list already, display the line number, and if it’s missing add it and do a reverse dns lookup for me so I can identify easily if a bunch of IPs are related. For instance I have an ISP in HK that loves to script kiddie my sites. When I come across these I’ll usually manually add the /24 or whatever…

I’m not going to share the script, as it’s probably horribly written… it’s not documented, and only my crazy ADHD brain can probably follow it.

but just so you know, it can be done, and not that difficult.

I did this manually each morning and built my own threat lists from it. Through this I was able to build a hit list of ASNs and block them entirely instead of playing cat and mouse with singleton IP addresses.

Over 9 months I patiently responded to VPN attacks and blocked any subnet an IP address belonged to. Any ‘Hosting’ ASN that had 5 or more attempts was completely blocked.

I now have about 35 ASNs blocked consisting of 24,000 subnets. I get about 5500 SSLVPN hits per day and haven't had a single successful attempt make it past my deny policy in the last 3 weeks. Since June I've had 600,000 attempts and can count on my hand the number of times a bad actor has even made it to the point of trying credentials these days.

Unless you have a reason to allow access to your VPN from hosting service providers, just block whole networks as you come across them.

To your question: I have been casually looking around for a better way to build my lists automatically and could always find a reason why one method or another won't work out. At this point the clouds may have parted, so I haven't been looking as hard anymore. As another person said, pulling data from NPS logs would be the easiest. It's CSV format, so that's easy enough to work with.
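The escalation the two replies above describe (block the /24 of every offender; block a hosting ASN outright once it has five or more attempts), as an added example that is not either poster's code. The ASN lookup is assumed to come from an external source (MaxMind's GeoLite2-ASN database, Team Cymru whois, or similar); `PREFIX_TABLE` is a constructed stand-in using documentation ASNs, not real allocations, and `SAMPLE_ATTEMPTS` is constructed input.

```python
"""Escalating from single IPs to /24s and whole ASNs, as an added example.

Inputs are offending source IPs (for instance the feed an automation stitch
produces). Rules follow the replies above: block the /24 of every offender,
and block an entire hosting ASN once it has ASN_THRESHOLD or more attempts.
The ASN lookup is assumed to come from an external database; PREFIX_TABLE
is a constructed stand-in with documentation ASNs, not real allocations.
"""
import ipaddress
from collections import Counter

ASN_THRESHOLD = 5   # hosting ASN with this many attempts gets blocked whole
SUBNET_PREFIX = 24  # everything else is blocked by its /24

# Constructed (prefix, ASN, kind) table; kind is "hosting" or "isp".
PREFIX_TABLE = [
    (ipaddress.ip_network("1.2.0.0/16"), 64496, "hosting"),
    (ipaddress.ip_network("1.3.0.0/16"), 64496, "hosting"),
    (ipaddress.ip_network("5.6.7.0/24"), 64497, "isp"),
    (ipaddress.ip_network("9.10.0.0/16"), 64498, "hosting"),
]


def lookup_asn(ip):
    """Longest-prefix match into PREFIX_TABLE; returns (asn, kind) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, kind in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, kind)
    return None if best is None else (best[1], best[2])


def asn_prefixes(asn):
    """Every prefix of an ASN: the whole ASN is blocked, not only the prefix hit."""
    return sorted(net for net, a, _ in PREFIX_TABLE if a == asn)


def build_blocks(attempt_ips):
    """Return (blocked_asns, subnets): hosting ASNs over threshold, plus the
    /24 of each offender that is not already covered by a blocked ASN."""
    per_asn = Counter()
    kinds = {}
    for ip in attempt_ips:
        hit = lookup_asn(ip)
        if hit:
            per_asn[hit[0]] += 1
            kinds[hit[0]] = hit[1]
    blocked_asns = {
        asn for asn, n in per_asn.items()
        if kinds[asn] == "hosting" and n >= ASN_THRESHOLD
    }
    subnets = set()
    for ip in attempt_ips:
        hit = lookup_asn(ip)
        if hit and hit[0] in blocked_asns:
            continue  # the ASN's prefixes already cover this address
        subnets.add(ipaddress.ip_network(f"{ip}/{SUBNET_PREFIX}", strict=False))
    return blocked_asns, sorted(subnets)


def render_feed(blocked_asns, subnets):
    """Text in the shape a FortiGate external IP feed reads: one IP or CIDR
    per line, with '#' comment lines (trailing comments are not relied on)."""
    lines = ["# SSLVPN block feed: hosting ASNs first, then individual /24s"]
    for asn in sorted(blocked_asns):
        lines.append(f"# AS{asn}")
        lines.extend(str(n) for n in asn_prefixes(asn))
    lines.append("# /24s of remaining offenders")
    lines.extend(str(n) for n in subnets)
    return "\n".join(lines) + "\n"


# Constructed attempt log: 6 hits from AS64496, 2 from the ISP, 2 from
# AS64498 (under threshold), and one address with no ASN data at all.
SAMPLE_ATTEMPTS = (["1.2.3.4"] * 3 + ["1.3.9.9"] * 3 + ["5.6.7.8"] * 2
                   + ["9.10.1.1"] * 2 + ["77.77.77.77"])

if __name__ == "__main__":
    asns, nets = build_blocks(SAMPLE_ATTEMPTS)
    print(render_feed(asns, nets))
```

The `kind` gate matters: the same threshold applied to a residential ISP ASN would eventually block a whole national carrier, which is exactly the collateral damage the replies avoid by only treating hosting ASNs this way.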

Is cert auth even a thing anymore? I mean prevent SSL from establishing altogether.

Hi, I am now getting lots of SSLVPN attempts and looking at these posts in reddit.

I just did the ISDB blocking, geo blocking, and put the SSLVPN on loopback. I used the IPThreat.net feed 100%, but not sure how good it is.

I am checking the IPs that are coming in and they are from normal ISPs in Canada.

I am wondering how good IPThreat.net is as a threat feed

Yes, did all that and added several external threat feeds as well. Still get thousands of attempts on our firewall.

How do you do this? I'm fortunate to not be in the States, so I can geo-block them out.

This is really smart, kudos!

Do you also check the country the IP is from? If you have clients connecting from a few countries you could also create a local-in policy to allow it only from predefined countries in combination with the things you already do

Do the same with syslog and a cron job / script that generates a threat feed for consumption…
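The syslog-plus-cron approach above, and the NPS-log counting in the earlier PowerShell reply, both reduce to the same job: parse the failure events, count them per source IP inside a window, and write out a feed file. Here is that job against FortiGate's own key=value syslog, as an added example that is not any poster's script. `SAMPLE_LOGS` are constructed lines shaped like FortiGate vpn event logs; the field names relied on (`action="ssl-login-fail"`, `remip`, `date`, `time`) are what this example assumes, and timestamps are treated as UTC.

```python
"""Cron-driven feed generator from FortiGate syslog, as an added example.

Keep SSL VPN login failures, count them per remote IP inside a window, and
emit the text an external IP threat feed consumes. SAMPLE_LOGS are
constructed to resemble FortiGate vpn event lines; the field names used
(action="ssl-login-fail", remip, date, time) are assumptions of this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# key=value or key="quoted value, possibly with spaces and \" escapes"
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Split a FortiGate log line into a dict, stripping the quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_failures(lines):
    """(timestamp, ip, user) for every SSL VPN login failure; junk lines are skipped."""
    events = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("action") != "ssl-login-fail":
            continue
        try:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            ip = str(ipaddress.ip_address(f["remip"]))
        except (KeyError, ValueError):
            continue  # malformed line: do not let it poison the feed
        events.append((ts.replace(tzinfo=timezone.utc), ip, f.get("user", "")))
    return events


def offenders(events, now, window=timedelta(hours=24), threshold=1):
    """IPs with >= threshold failures inside [now - window, now]; non-global space is excluded."""
    cutoff = now - window
    counts = defaultdict(int)
    for ts, ip, _ in events:
        if cutoff <= ts <= now and ipaddress.ip_address(ip).is_global:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def render_feed(offs):
    """One address per line, counts on '#' comment lines, worst offender first."""
    lines = ["# generated from syslog; one address per line"]
    for ip, n in sorted(offs.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"# {n} failed SSLVPN logins")
        lines.append(ip)
    return "\n".join(lines) + "\n"


# Constructed sample log lines (not real devices or addresses).
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:01 devname="fw1" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=1.2.3.4 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
    'date=2024-05-01 time=08:00:05 devname="fw1" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=1.2.3.4 user="test" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
    'date=2024-05-01 time=09:12:30 devname="fw1" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=5.6.7.8 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"',
    'date=2024-05-01 time=09:13:00 devname="fw1" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=5.6.7.9 user="bob" msg="SSL tunnel established"',
    'date=2024-04-20 time=23:59:59 devname="fw1" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=9.9.9.9 user="root" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
    'date=2024-05-01 time=10:00:00 devname="fw1" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=10.1.1.1 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
]
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


def run_example(threshold=1):
    """Count the sample failures in the 24h before NOW."""
    return offenders(parse_failures(SAMPLE_LOGS), NOW, threshold=threshold)


if __name__ == "__main__":
    print(render_feed(run_example()))
```

Run it from cron with `now` set to the real clock and the output written to wherever the firewall fetches the feed from; the `is_global` filter is there so a misconfigured internal client hammering the portal cannot get your own address space into a deny list, and the window keeps the feed from growing forever.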

Thanks for this! Will give it a try with our FortiAnalyzer

Only 175,000 IPs and you're sailing smoothly? I resorted to banning subnets. Over 20k of them now, which is something like 5,800,000 IPs (if we're only talking /24s)… I also review our logs daily, and any clusters of SSL 'close notify' messages I see also have their subnets/ASNs blocked. This is a way attackers can monitor the presence of a VPN portal without actually triggering detection systems.

Like you, I have these threat lists propagate to all my firewalls. Makes things very stable.

Honestly, if you’re running updated and secured versions of your firmware, you should be safe. I like to do this in order to secure my security footprint. If some nasty 0-day lands, the most obvious attack vectors are already plugged. Threat actors so carelessly spray attacks from every network they can utilize that it helps people like us lock our stuff down that much. It only makes their job harder when they actually have something they might be able to exploit.

Threat actors: Thanks for showing your hand so early in the game.

If you are interested, here is the list of ASNs I use for different hosting providers. Every one of these has attempted to log into my system multiple times.

https://github.com/wallacebrf/dns/blob/main/ASN_LIST.txt

You need to use ASN blocking. It was not until I started blocking the ASN ranges of all of the major world server rental companies that I got my login attempts down to around 2-3 per month. Take a look at my other reply with a link to my setup.

Here is the list of ASNs I block

https://github.com/wallacebrf/dns/blob/main/ASN_LIST.txt

And here is the block list. I update it periodically.

https://github.com/wallacebrf/dns/blob/main/asn_block1.1.txt