Security is a journey not a destination

My websites and internet connections have been under attack.  I worked with Fortinet on implementing changes to my 60E firewall.  I also made changes to the WordPress sites following various guidelines.

Cyber Patriot

What Is CyberPatriot?

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition, which puts high school and middle school students in charge of securing virtual networks. Other programs include AFA CyberCamps, an elementary school cyber education initiative, a children’s literature series, and CyberGenerations, a cyber safety initiative geared toward keeping senior citizens safe online.

Hardening the Fortinet

1.) Interfaces: Remove every administrative access option except PING from WAN1 and WAN2. This prevents anyone on the outside from reaching the admin console.

Only allow HTTPS and SSH on the other interfaces. 

System – Settings: Turn on the redirect to HTTPS option.

2.) System – Settings: Change the HTTPS port to something other than 443.

Web Application Firewall

Every PHP hardening guide recommends using a WAF (Web Application Firewall). The Fortinet 60E provides one, and SQL injection is blocked at the Fortinet 60E. That is the default setup; I have changed it.


3.) Purchase a third-party certificate for the admin interface.

Install it as a certificate, together with its private key.

Under System – Settings: HTTPS server certificate: choose it.

Below is how I generate my 5-name certificate request. The main name is the CN; DNS.x are your other names. Copy the entire block and run it on your Linux server. It generates your private key file, 5Cert.key, and your certificate signing request (CSR), 5Cert.csr. Keep 5Cert.key on the server and send only 5Cert.csr to the certificate vendor.

openssl req -new -sha256 -nodes -out 5Cert.csr -newkey rsa:2048 -keyout 5Cert.key -config <(
cat <<-EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
# CN is your main name; the example.com value is a placeholder, replace it
CN = www.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# DNS.1 to DNS.4 are your other names; the example.com values are placeholders
DNS.1 = example.com
DNS.2 = mail.example.com
DNS.3 = blog.example.com
DNS.4 = shop.example.com
# list the CN here as well: browsers match only the SAN list, not the CN
DNS.5 = www.example.com
EOF
)

On the FortiGate CLI

Configure the FortiGate unit to use the newly imported certificate for HTTPS admin access and for the user authentication pages. The name in quotes is whatever you called the certificate when you imported it (the FortiGate prompt is not part of the commands).

config system global
    set admin-server-cert "<name of the imported certificate>"
end

config firewall policy
    edit <policy ID>
        set auth-cert "<name of the imported certificate>"
        set auth-redirect-addr ""
    next
end

config user setting
    set auth-cert "<name of the imported certificate>"
    set auth-secure-http enable
end

Security Profiles

Intrusion Prevention

Below is a picture of the high-security setup for my firewall. As you can see from my database results, I get a lot of attacks. I recently enabled quarantine for severity 2 to 5.

Fortinet 60E database parsing project

I find the number of attacks on my two Ubuntu WordPress servers amazing. I set up Geofencing for several countries because of the volume of attacks, and I enabled the DoS and IPS policies.

I created a MariaDB database for the FortiGate logs. phpMyAdmin was the best tool I installed for creating databases and running scripts; to protect it, I moved it to its own port. The database has tables for Geofencing, IPS, and DoS. phpMyAdmin made this project possible by giving me a GUI to see the data in the tables and work on them.

phpMyAdmin Download page

I created database users that have only SELECT, or only SELECT and INSERT, on that database. I logged into MariaDB as each of them and verified which databases they could see and access. I added web filtering for every WordPress site to block access to wp-admin. I worked with Fortinet engineers to harden other aspects of the Fortinet 60E security for the WordPress sites.

I wrote Linux scripts to parse each daily Syslog-NG file and set up the shell script to run from cron.daily on the Syslog server. On the web server that holds the databases, I set up a shell script for the SCP copy commands. I placed that server's public key on the Syslog server, so SCP works without a password while the transfer stays encrypted.

The final phase of this project was taking the PHP files I wrote around the LOAD DATA LOCAL INFILE command and placing them in cron.daily on the database server. The files use variables to select the previous day's file. I created views inside the database to make displaying the data simpler and easier. I installed the iframe plugin from webvitaly to provide the shortcodes that insert the database results into the web pages. I created a script to delete entries older than 7 days.

The SQL calls in the PHP pages were made simpler by creating views in phpMyAdmin and querying those instead of one very complex query with unions.
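The daily pipeline described above (parse the Syslog-NG file, load it into the database, query it through views, delete entries older than 7 days), as an added Python example that is not the page's own scripts: the page's pipeline used shell scripts and PHP with MariaDB's LOAD DATA LOCAL INFILE, while this stand-in parses constructed FortiGate-style key=value log lines and loads them into an in-memory SQLite database so it runs offline. The table and view names (fw_log, geo_daily, attack_daily), the sample log lines and the IP addresses are all constructed assumptions, not values from the page.

```python
"""Added example (not the page's own scripts): parse FortiGate-style
key=value syslog lines, load them into a database, query daily and
monthly totals through views, and prune rows older than 7 days."""
import re
import sqlite3
from datetime import date, timedelta

# Constructed sample lines in FortiGate key=value syslog style (not real
# captures; IP addresses are from the documentation ranges).
SAMPLE_LOG = """\
date=2020-02-02 time=01:02:03 devname="FGT60E" type="traffic" subtype="forward" srcip=203.0.113.5 srccountry="Russian Federation" dstport=443 action="deny"
date=2020-02-02 time=01:03:17 devname="FGT60E" type="traffic" subtype="forward" srcip=203.0.113.6 srccountry="Russian Federation" dstport=22 action="deny"
date=2020-02-02 time=01:04:40 devname="FGT60E" type="traffic" subtype="forward" srcip=203.0.113.7 srccountry="Russian Federation" dstport=80 action="deny"
date=2020-02-02 time=01:05:09 devname="FGT60E" type="traffic" subtype="forward" srcip=198.51.100.7 srccountry="China" dstport=80 action="deny"
date=2020-02-02 time=02:11:44 devname="FGT60E" type="utm" subtype="ips" severity="high" srcip=203.0.113.9 srccountry="Russian Federation" attack="SQL.Injection" action="dropped"
date=2020-02-02 time=02:12:01 devname="FGT60E" type="utm" subtype="anomaly" severity="critical" srcip=192.0.2.44 srccountry="Ukraine" attack="udp_flood" action="clear_session"
date=2020-02-02 time=02:12:02 devname="FGT60E" type="utm" subtype="anomaly" severity="critical" srcip=192.0.2.44 srccountry="Ukraine" attack="udp_flood" action="clear_session"
date=2020-02-01 time=23:59:58 devname="FGT60E" type="traffic" subtype="forward" srcip=203.0.113.5 srccountry="Russian Federation" dstport=22 action="deny"
date=2020-01-20 time=10:00:00 devname="FGT60E" type="traffic" subtype="forward" srcip=198.51.100.8 srccountry="China" dstport=443 action="deny"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one log line into a {key: value} dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


# log fields that end up as columns of the fw_log table, in column order
COLUMNS = ("date", "type", "subtype", "severity", "srcip", "srccountry", "attack", "action")

SCHEMA = """
CREATE TABLE fw_log (
    log_date TEXT NOT NULL, log_type TEXT NOT NULL, subtype TEXT, severity TEXT,
    srcip TEXT, srccountry TEXT, attack TEXT, action TEXT);
-- Geofencing view: denied connections per day and source country
CREATE VIEW geo_daily AS
    SELECT log_date, srccountry, COUNT(*) AS hits FROM fw_log
    WHERE log_type = 'traffic' AND action = 'deny'
    GROUP BY log_date, srccountry;
-- IPS / DoS view: hits per day, attack name and action taken
CREATE VIEW attack_daily AS
    SELECT log_date, subtype, attack, action, COUNT(*) AS hits FROM fw_log
    WHERE log_type = 'utm' GROUP BY log_date, subtype, attack, action;
"""


def load_logs(conn, text):
    """Parse every non-empty line and insert it; returns the row count."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            fields = parse_line(line)
            rows.append(tuple(fields.get(c) for c in COLUMNS))
    conn.executemany("INSERT INTO fw_log VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def build_db(text=SAMPLE_LOG):
    """Create the schema and views in memory and load the sample log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_logs(conn, text)
    return conn


def geo_totals(conn, log_date):
    """Per-country denied counts for one day (one row of the page's table)."""
    q = "SELECT srccountry, hits FROM geo_daily WHERE log_date = ?"
    return dict(conn.execute(q, (log_date,)))


def geo_monthly(conn, month):
    """Per-country denied counts for one 'YYYY-MM' month, summed over the view."""
    q = ("SELECT srccountry, SUM(hits) FROM geo_daily "
         "WHERE substr(log_date, 1, 7) = ? GROUP BY srccountry")
    return dict(conn.execute(q, (month,)))


def attack_totals(conn, log_date):
    """(attack, action, hits) rows for one day from the IPS / DoS view."""
    q = "SELECT attack, action, hits FROM attack_daily WHERE log_date = ? ORDER BY attack"
    return [tuple(r) for r in conn.execute(q, (log_date,))]


def prune_older_than(conn, days, today):
    """Delete rows older than `days` relative to the ISO date `today`; returns count."""
    cutoff = (date.fromisoformat(today) - timedelta(days=days)).isoformat()
    cur = conn.execute("DELETE FROM fw_log WHERE log_date < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("geo 2020-02-02:", geo_totals(db, "2020-02-02"))
    print("attacks 2020-02-02:", attack_totals(db, "2020-02-02"))
    print("geo 2020-02:", geo_monthly(db, "2020-02"))
    print("pruned rows:", prune_older_than(db, 7, "2020-02-02"))
```

Run it directly to print the per-day country totals, the IPS/DoS counts and the number of pruned rows. In the real pipeline the SQLite connection would be a MariaDB connection, the INSERT would be the LOAD DATA LOCAL INFILE of the parsed CSV, and the DELETE would be the cron.daily retention script; the views are what keeps the PHP page queries simple, exactly as the text describes.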

I changed the phpMyAdmin server console to HTTPS. I read a great book on proper rules for PHP coding. I added include statements and moved the included files themselves to a secured location.

udp_flood is part of the IPv4 DoS policy that is applied to each of the two WAN ports. With the action set to pass, I was seeing udp_flood counts in the 70,000-90,000 range. I set it to block, which cut the count down to under 1000. I have also seen a few udp_flood IPS attacks, which I have set to block. When the action was pass, the count was 70,000-80,000 instead of 132 blocked. The daily udp_flood count has really gone up in recent days.

I set the table to display only the last 10 days. The monthly totals go back 12 months, and I added yearly totals going back 10 years.

I am celebrating my 1-year anniversary of collecting firewall data.

These are the Geofencing results from 8.1.2019. Geofencing blocks by country name. I guess the Russian Federation is a bit busy. The font size allows it to work on mobile devices too.

We changed the Geofencing policy from covering only the two web servers running WordPress to all ports. WOW! Russian Federation on 2/2/2020:


Total  RF     China  Ukr.  Viet.  Est.  Rom.
40479  39322  0811   0058  0090   0046  0152

Current and Previous 10 Daily Totals

Total  RF     China  Ukr.  Viet.  Est.  Rom.
18778  14936  3033   0116  0156   0010  0527
28710  25074  2848   0132  0146   0017  0493
20588  17106  2703   0112  0147   0012  0508

I will be adding new Attack IDs as they appear.  

The table above uses severity levels 1 to 5:

1 Any: is nothing really
2 Low
3 Medium
4 High
5 Critical: is OMG! We are under attack

Intrusion Prevention database results. 
