Been getting hammered with random-IP login attempts spaced out perfectly so our VPN appliance (Ivanti inSecure) can’t block them; most are testuser, scan, or test. Snippet below; not even the first octet matches in the first bunch. So, how can I confirm these are in a block list already (i.e., would a block list even help me), and… I’ll google for instructions on how to implement it (but I’ll take recommendations/tips!)
Edit: looks like the first few don’t show up on Cisco Talos… so I feel honored to be getting hit by fresh IPs.
80.66.88.91
45.159.22.150
5.183.255.25
93.177.119.143
193.233.91.39
89.47.55.159
85.239.38.132
193.202.82.46
77.220.194.111
217.145.226.57
83.142.55.26
185.152.93.188
212.119.45.129
194.104.10.113
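One way to answer the "would a block list even help me" question is to load a downloaded copy of a CIDR feed and check every observed source address against it. The script below is an added example, not code from the thread; the feed it embeds (SAMPLE_FEED) is a constructed stand-in for a file such as asn_block1.1.txt, and its prefixes are illustrative rather than real assignments for the hosts quoted above. The source addresses are the ones from the post.

```python
"""Check attempted-login source IPs against a CIDR block list.

Added example, not from the original thread. SAMPLE_FEED is a constructed
stand-in for a feed such as asn_block1.1.txt (one IP or CIDR per line,
'#' comments); load_blocklist() reads a real downloaded copy from disk.
"""
import ipaddress
from typing import Iterable

# Constructed sample feed. The prefixes are illustrative; they are not
# real assignments for the hosts quoted in the post.
SAMPLE_FEED = """
# comment and blank lines are ignored
80.66.88.0/24
45.159.22.0/23
5.183.255.25
193.233.91.0/24
10.0.0.1/8          # host bits set: accepted with strict=False
this-is-not-an-ip   # malformed: skipped, not fatal
"""

# Source addresses quoted in the original post
ATTEMPTS = [
    "80.66.88.91", "45.159.22.150", "5.183.255.25", "93.177.119.143",
    "193.233.91.39", "89.47.55.159", "85.239.38.132", "193.202.82.46",
    "77.220.194.111", "217.145.226.57", "83.142.55.26", "185.152.93.188",
    "212.119.45.129", "194.104.10.113",
]


def parse_blocklist(lines: Iterable[str]) -> list:
    """Parse feed lines into networks; bare IPs become /32 (or /128).

    Overlapping and adjacent prefixes are merged with collapse_addresses()
    so the lookup set is as small as possible. IPv4 and IPv6 are collapsed
    separately because collapse_addresses() refuses to mix versions.
    """
    v4, v6 = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # one bad line should not break the whole feed
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def load_blocklist(path: str) -> list:
    """Read a downloaded copy of the feed from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_blocklist(fh)


def match_blocklist(ips: Iterable[str], nets: list) -> dict:
    """Map each attempted IP to the prefix that covers it, or None."""
    hits = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        covering = next((n for n in nets if addr in n), None)
        hits[ip] = str(covering) if covering is not None else None
    return hits


def coverage(ips: Iterable[str], nets: list) -> tuple:
    """(covered, total): how much of the observed traffic the list would stop."""
    ips = list(ips)
    hits = match_blocklist(ips, nets)
    return sum(1 for v in hits.values() if v), len(ips)


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_FEED.splitlines())
    for ip, prefix in match_blocklist(ATTEMPTS, nets).items():
        print(f"{ip:16} {'BLOCKED by ' + prefix if prefix else 'not in list'}")
    print("covered %d of %d" % coverage(ATTEMPTS, nets))
```

Run it against a real copy of the feed with `load_blocklist("asn_block1.1.txt")` in place of the sample; the coverage ratio over a day of failed logins is the number that tells you whether the list is worth deploying, and the uncovered addresses are the ones to look up by ASN.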
Why not migrate to Fortigate for VPN? Ivanti seems like it’s just a complete security shit show at this point.
I block large numbers of ASNs for server hosting providers and I now get next to zero attempts.
Here is the list of the ASNs:
https://github.com/wallacebrf/dns/blob/main/ASN_LIST.txt
And as of last month, when I last performed an update, here are all of the address ranges I currently block:
https://github.com/wallacebrf/dns/blob/main/asn_block1.1.txt
Can you block and/or allow connections from only certain countries on your Ivanti inSecure device? The geo-blocking also really helps cut down on the number of actors who can successfully scan your device.
If they are hitting the IPS sensor, you could set the IPS Sensor to quarantine. That would block the source IP for however long you set.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/583477/configuring-an-ips-sensor
We’re going to go to something more expensive… Cloudflare. One day, not yet. Yes, it’s a shitshow. But Fortigate VPN gets those nasty “patch now” things too.
I can’t block by country (AFAIK) in Pulse, but I can in Fortigate of course, BUT a bunch of these are from the Netherlands, and we have some service from there. So… damn. First IP I checked, 80.66.88, wasn’t in the list. Another, darn it! But blocking whole ASNs might work. Is that the same process as blocking an IP?
Yeah, but only the SSL-VPN implementation (and really that seems to be where the VPN vulns are for all vendors). IPsec I haven’t seen any vulnerabilities for in years.
On a Fortigate, you can create an “external threat feed” and use that .txt file right off GitHub (I update it once in a while) and then use that in your policy and set it to DENY.
You can do this in several ways on Fortigate. You can do it through the SSL VPN settings: enable “source address negate” and add that as an address group under the allowed IPs. With the negate option enabled, it flips the logic, so it will then block those addresses instead of only allowing those IPs.
You can make a local-in policy and block the addresses in the list.
Or the best option would be to use a loopback interface and use the threat feed as a DENY policy.
I use the loopback interface and I block the ISDB options built into FortiOS, I block all the countries I do not care about, I block all of the ASNs I mentioned, and I have a manual block list for when I want to block addresses but not the entire ASN they are assigned to, etc.
Agreed, IPsec seems fairly strong/secure; all vendor SSL VPNs seem to have lots of issues. At least Fortigate seems to find a lot of them internally through their own audits and fix them quickly. While vulnerabilities suck, how the companies deal with them speaks volumes to me.
…either use deny, or my personal favourite because I choose chaos — srcaddr-negate enabled, and then allow. “Allow everything that is NOT in this list”… “this list” in my case is my personal blocks, FBI/CSIS/other bad-actor lists, bogon addresses, and I guess I could add this ASN list as well…
I made a Python script that runs on my web server every 10 minutes and collects IPs in quarantine at a bunch of my customer Gates, updates some source lists from the Internet such as the full-bogon list and the FBI’s IoCs, puts them all together, takes out duplicates, and publishes a text file on my website. Then every 5 minutes, all my customer gates come retrieve the new version of the file.
I also integrated a manual ./check script to add an IP by hand, for the ones I get notified about via email notifications from FortiAnalyzer for customers that are not API-integrated. I go through 100 of those every week and manually add them.
On the customer FortiGate — if you trip IPS High or Critical, you’re added to the local quarantine IP list for 364d23h59m immediately, and subsequently to all my customer FortiGates within 15 minutes.
One day, I want to invest in a FortiDeceptor, and see how that’ll improve my false-positive negation, though I only get a handful of those a year.
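The merge-and-publish loop described in the two posts above (quarantine exports from several gates plus public feeds, deduplicated, published as a text file the gates poll) can be written as shown below. This is an added example, not the commenter’s own script: the gate exports, the bogon entries and the ALLOWLIST values are constructed stand-ins, and the actual fetching from FortiOS or over HTTP is left out so the merging logic can run offline. Two things the posts do not mention are included because a shared feed needs them: an allowlist so that a false-positive IPS trip on a customer’s own address is not pushed to every gate within minutes, and an atomic write so a gate polling mid-update never downloads a half-written file.

```python
"""Build one shared block-list feed from several FortiGates' quarantine
exports plus public feeds, for the gates to pull as an external threat feed.

Added example, not the commenter's own script. GATE_EXPORTS, BOGON_FEED and
ALLOWLIST are constructed stand-ins; in production you would fetch the real
lines (FortiOS REST API / HTTP) and pass them to build_feed().
"""
import ipaddress
import os
import tempfile
from typing import Dict, Iterable, List

# Constructed: what three customer gates reported as quarantined
GATE_EXPORTS: Dict[str, List[str]] = {
    "gate-a": ["198.51.100.7", "198.51.100.9", "203.0.113.55"],
    "gate-b": ["203.0.113.55", "198.51.100.8", "garbage-line"],
    "gate-c": ["192.0.2.0/24"],
}
# Constructed stand-in for a bogon feed (a few entries only)
BOGON_FEED = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed, hypothetical: addresses that must never be published, e.g. the
# customers' own public NAT addresses. One IPS trip from such an address would
# otherwise propagate to every gate that polls the feed.
ALLOWLIST = ["198.51.100.8"]


def to_networks(entries: Iterable[str]) -> List:
    """Parse IPs/CIDRs, silently dropping malformed entries."""
    nets = []
    for e in entries:
        e = e.split("#", 1)[0].strip()
        if not e:
            continue
        try:
            nets.append(ipaddress.ip_network(e, strict=False))
        except ValueError:
            pass
    return nets


def build_feed(sources: Dict[str, Iterable[str]], allowlist: Iterable[str] = ()) -> List:
    """Merge all sources into a deduplicated, collapsed, allowlist-filtered list.

    Any entry overlapping an allowlisted network is dropped whole; quarantine
    entries are single hosts, so that is the conservative choice. Keep only
    public addresses in the allowlist, or the RFC 1918 bogons get dropped too.
    """
    allow = to_networks(allowlist)
    candidates = []
    for entries in sources.values():
        for net in to_networks(entries):
            if any(net.overlaps(a) for a in allow):
                continue
            candidates.append(net)
    v4 = [n for n in candidates if n.version == 4]
    v6 = [n for n in candidates if n.version == 6]
    # collapse_addresses() removes duplicates and merges adjacent prefixes
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_feed(nets: Iterable) -> str:
    """One entry per line; single hosts are written as bare addresses."""
    lines = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in nets]
    return "\n".join(lines) + "\n"


def write_feed(path: str, nets: Iterable) -> int:
    """Write via temp file + rename so a gate polling mid-write never sees a partial file."""
    text = render_feed(nets)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".feed-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.replace(tmp, path)
    return text.count("\n")


def add_manual(existing: Iterable[str], ip: str) -> List[str]:
    """The manual './check' step: append one address if it parses."""
    ipaddress.ip_network(ip, strict=False)  # raises ValueError on junk
    out = list(existing)
    if ip not in out:
        out.append(ip)
    return out


if __name__ == "__main__":
    sources = dict(GATE_EXPORTS, bogons=BOGON_FEED)
    feed = build_feed(sources, ALLOWLIST)
    print(f"published {write_feed('blocklist.txt', feed)} entries")
```

The output format (one IP or CIDR per line) is what a FortiGate external address feed reads; the entries add_manual() produces can be kept in their own file and passed to build_feed() as one more source.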