VPN and Tor IP list for blocking

Seems like the only thing that ever hits my VPN anymore is bogus attempts out of VPN providers like ExpressVPN. However, sometimes there’s a lot of them. I’ve been adding the source IP’s /24 to my blocklist, which is fun and all, but I’d rather just let it self-manage at this point.

I ran across this list. I spot checked a couple from my logs and they were found in this list for vpns and datacenters. Anyone use this before?

https://github.com/X4BNet/lists_vpn/blob/main/ipv4.txt

I did find a list with tor nodes:
https://www.dan.me.uk/tornodes

I have a 60E; I don’t want to cram in too many block lists and end up triggering conserve mode. I’ll probably add the feed in and see where my stats go. My current:

diagnose hardware sysinfo conserve
memory conserve mode: off
total RAM: 1866 MB
memory used: 1105 MB 59% of total RAM
memory freeable: 238 MB 12% of total RAM
memory used + freeable threshold extreme: 1772 MB 95% of total RAM
memory used threshold red: 1642 MB 88% of total RAM
memory used threshold green: 1530 MB 82% of total RAM
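Spot-checking log source IPs against a one-CIDR-per-line feed is easy to script. The example below is added here and is not from the original post or from the X4BNet project: it parses a constructed feed in the same one-prefix-per-line shape as that list, pulls `srcip=` values out of constructed FortiGate-style traffic log lines, reports which feed prefixes the hits fall into, and flags where a manual /24 block would be wider than the prefix the feed actually lists. All prefixes and log lines are constructed from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample feed (same shape as a one-CIDR-per-line list such as
# X4BNet's ipv4.txt). These prefixes are RFC 5737 documentation ranges,
# not real feed content.
SAMPLE_FEED = """\
# comment lines and blank lines are tolerated
203.0.113.0/24
198.51.100.64/26
192.0.2.0/25
"""

# Constructed FortiGate-style traffic log lines; only the srcip= field is used.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 type="traffic" srcip=203.0.113.77 dstip=192.0.2.250 action="deny"
date=2024-01-01 time=10:00:02 type="traffic" srcip=198.51.100.70 dstip=192.0.2.250 action="deny"
date=2024-01-01 time=10:00:03 type="traffic" srcip=198.51.100.200 dstip=192.0.2.250 action="deny"
date=2024-01-01 time=10:00:04 type="traffic" srcip=203.0.113.9 dstip=192.0.2.250 action="deny"
"""

SRCIP_RE = re.compile(r"\bsrcip=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_feed(text):
    """Parse a one-prefix-per-line feed into IPv4Network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates feeds that list host bits set, e.g. 10.1.2.3/24
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def extract_srcips(text):
    """Return the srcip= values from log text as IPv4Address objects, in order."""
    return [ipaddress.ip_address(m.group(1)) for m in SRCIP_RE.finditer(text)]


def match_feed(ips, nets):
    """Map each IP to the first feed prefix containing it, or None if no prefix matches."""
    # Linear scan per IP; fine for a few thousand log lines against a feed of
    # tens of thousands of prefixes. Swap in a radix tree if it gets slow.
    return {ip: next((n for n in nets if ip in n), None) for ip in ips}


def hits_by_prefix(ips, nets):
    """Count log hits per matching feed prefix (string keys, e.g. '203.0.113.0/24')."""
    counts = Counter()
    for net in match_feed(ips, nets).values():
        if net is not None:
            counts[str(net)] += 1
    return counts


def coverage_report(ips, nets):
    """Summarise how much of the logged traffic the feed would have covered."""
    matched = match_feed(ips, nets)
    return {
        "total": len(ips),
        "matched": sum(1 for n in matched.values() if n is not None),
        "unmatched": [str(ip) for ip, n in matched.items() if n is None],
    }


def slash24_is_wider(ip, net):
    """True when blocking the IP's /24 by hand would cover more than the feed's prefix."""
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return block.prefixlen < net.prefixlen


if __name__ == "__main__":
    nets = load_feed(SAMPLE_FEED)
    ips = extract_srcips(SAMPLE_LOGS)
    print("hits per feed prefix:", dict(hits_by_prefix(ips, nets)))
    print("coverage:", coverage_report(ips, nets))
    for ip, net in match_feed(ips, nets).items():
        if net is not None and slash24_is_wider(ip, net):
            print(f"{ip}: feed lists {net}, a manual /24 would over-block")
```

Pointing `SAMPLE_FEED` at the downloaded ipv4.txt and `SAMPLE_LOGS` at an exported log gives the "matched vs. unmatched" split before the feed is added to the firewall, so the decision to spend memory on it can be made from numbers rather than a couple of hand checks. The `slash24_is_wider` check is the reverse of the feed question: it shows where the manual /24 entries already in place are broader than the provider's actual allocation.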

If you have an active license, as u/HappyVlane says, you can use ISDB objects for this purpose. I use these here, which reduce the «noise» (bruteforce, scans, …) in the logs by almost 100%:

Amazon-AWS
CDN77-CDN
Censys-Scanner
DigitalOcean-DigitalOcean.Platform
Hetzner-Hetzner.Hosting.Service
Hosting-Bulletproof.Hosting
Malicious-Malicious.Server
Microsoft-Azure
OVHcloud-OVHcloud
Shodan-Scanner
Tor-Exit.Node
VPN-Anonymous.VPN

Try using ISDB entries in whatever you use to block the connections.

Threat lists are great. I use the Talos one. But I haven’t found one for vpn providers yet.

ISDB is the way in addition to a reputation policy of 3 on any VIPs. Also make sure you have set match-vip enable or you won’t match on the ISDB and IPv4 lists. The reputation setting should be on your final allow policy for the traffic.

I often protect an SSLVPN by configuring it on a loopback interface, then configure a GeoBlocking policy, then ISDB, then any custom block lists. On the fourth policy, which should be the SSLVPN allow, add the reputation setting:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IP-reputation-in-policies-and-fallthrough/ta-p/193898

https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/

I have those in my ISDB blocking currently. It’s been pretty quiet, just this past week I’ve got a ton and expressvpn seems to be the common.

The Talos one doesn’t work anymore by the way, unless you have a way to automate getting past the ToC page.

I’m doing this already; the ExpressVPN ones are getting them past the geo.

Damn, I didn’t know that. Thank you

Do you have set match-vip enable on your policies and is your SSLVPN terminating on a loopback interface? If you aren’t doing that, very difficult to filter effectively.

config firewall policy
    edit 314
        set name "Deny-In-SSLVPNLoop1-Services"
        set srcintf "WAN"
        set dstintf "loop1"
        set dstaddr "sslvpnloop"
        set internet-service-src enable
        set internet-service-src-name "Akamai-CDN" "Amazon-AWS" "Botnet-C&C.Server" "Fastly-CDN" "Google-Google.Cloud" "Malicious-Malicious.Server" "Microsoft-Azure" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Tor-Exit.Node" "Tor-Relay.Node" "VPN-Anonymous.VPN" "BinaryEdge-Scanner" "Censys-Scanner" "CriminalIP-Scanner" "Cyber.Casa-Scanner" "Internet.Census.Group-Scanner" "InterneTTL-Scanner" "LeakIX-Scanner" "NetScout-Scanner" "Recyber-Scanner" "Shadowserver-Scanner" "Shodan-Scanner" "Stretchoid-Scanner" "Tenable-Tenable.io.Cloud.Scanner" "UK.NCSC-Scanner" "8X8-8X8.Cloud" "Akamai-Linode.Cloud" "Alibaba-Alibaba.Cloud" "Amazon-AWS.Cloud9" "Amazon-AWS.CloudFront" "Amazon-AWS.GovCloud.US" "Atlassian-Atlassian.Cloud" "Cato-Cato.Cloud" "Cisco-Meraki.Cloud" "Cloud4Wi-Other" "Elastic-Elastic.Cloud" "Extreme-Extreme.Cloud" "Gigas-Gigas.Cloud" "Imperva-Imperva.Cloud.WAF" "Ingenuity-Ingenuity.Cloud.Service" "Jamf-Jamf.Cloud" "Netskope-Netskope.Cloud" "OVHcloud-OVHcloud" "Performive-Performive.Cloud" "Qualys-Qualys.Cloud.Platform" "RedShield-RedShield.Cloud" "SentinelOne-SentinelOne.Cloud" "VadeSecure-VadeSecure.Cloud" "Veritas-Enterprise.Vault.Cloud" "Zscaler-Zscaler.Cloud" "Google-Google.Bot" "ColoCrossing-ColoCrossing.Hosting.Service" "DigitalOcean-DigitalOcean.Platform" "GTHost-Dedicated.Instant.Servers" "Hetzner-Hetzner.Hosting.Service" "Hosting-Bulletproof.Hosting" "Hurricane.Electric-Hurricane.Electric.Internet.Services" "SERVERD-SERVERD.Hosting.Service" "Stark.Industries-Stark.Industries.Hosting.Service" "Kaspersky-Other" "LaunchDarkly-LaunchDarkly.Platform" "Microsoft-Bing.Bot" "Sendgrid-Sendgrid.Email" "Skyhigh.Security-Secure.Web.Gateway" "Spam-Spamming.Server" "Tencent-Other" "XING-Other" "Yandex-Other" "Zuora-Other" "Alibaba-DingTalk" "Alibaba-Other" "Amazon-AWS.EC2" "Baidu-Other" "Cybozu-Other" "GitHub-GitHub" "GoDaddy-Other" "Kakao-Kakao.Services" "mail.ru-Other" "Microsoft-Azure.Virtual.Desktop" "Neustar-UltraDNS.Probes" "VK-Other" "Voximplant-Voximplant.Platform" "Wetransfer-Other" "Ahrefs-AhrefsBot" "Amazon-Amazon.SES" "Amazon-AWS.API.Gateway" "Amazon-AWS.AppFlow" "Amazon-AWS.Chime.Meetings" "Amazon-AWS.Chime.Voice.Connector" "Amazon-AWS.CodeBuild" "Amazon-AWS.Connect" "Amazon-AWS.DynamoDB" "Amazon-AWS.EBS" "Amazon-AWS.Global.Accelerator" "Amazon-AWS.Kinesis.Video.Streams" "Amazon-AWS.Route53" "Amazon-AWS.S3" "Amazon-Other" "Google-Other" "Hadrian-Scanner" "Microsoft-Azure.AD" "Microsoft-Azure.Arc.Infrastructure" "Microsoft-Azure.ATP" "Microsoft-Azure.Connectors" "Microsoft-Azure.Data.Factory" "Microsoft-Azure.Front.Door" "Microsoft-Azure.KeyVault" "Microsoft-Azure.Microsoft.Defender" "Microsoft-Azure.Monitor" "Microsoft-Azure.Power.BI" "Microsoft-Azure.Resource.Manager" "Microsoft-Azure.Service.Bus" "Microsoft-Azure.SQL" "Microsoft-Azure.Storage" "Microsoft-Azure.Traffic.Manager" "Microsoft-Azure.Windows.Admin.Center" "Microsoft-Other"
        set match-vip enable
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Deny Hostile Networks"
    next
end

I’m on 7.2.10 so I don’t need to have it expressly enabled; that’s enabled by default since 7.2.3.
Unless I’m reading this wrong…
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewall-policy/ta-p/266101

I did see that I already have tor-exit and tor-relay, so I guess my point of having a Tor feed was pointless.

Yes, but when I went back and looked it wasn’t consistent across my policies due to some of them being created in the 6.4.x days. I’d verify via the CLI for the impacted policies to be safe. We use Splunk so I was able to watch the impact on my policies in real-time. For the ones that didn’t have this enabled, setting it to enable made a drastic difference.

I just realized that for my ISDB blocking to the SSL loopback, I shouldn’t be allowing any of those defined ISDBs, except for maybe Starlink’s. None of my inbound VPN traffic should be from any of those, ever. I think I’ll run a week or so with that before I start thinking of that full VPN provider block.

I went back and reviewed the ISDB blocking and it’s getting hits, so it looks like post-7.2.3 you don’t need to explicitly set match-vip enable.