This recipe acts as an introduction to increasing the security of your FortiMail unit by providing you a basic checklist of techniques you can employ to harden your security.
- Be sure to install your FortiMail unit in a secure location, such as a locked room with restricted access. Prohibiting access to your unit increases the security of the device, since unauthorized users could potentially disrupt your entire network through both unintentional and intentional interventions.
- Always remember to upgrade your firmware to the latest version
- Avoid generic administrator account names such as “admin”. If an attacker guesses your admin name they will only need to guess your password.
- Do not allow administration access on the external interface. Use internal access methods such as IPsec VPN or SSL VPN. If you have to use remote access, only allow HTTPS and SSH and be sure to use secure access methods.
- Be sure to establish trusted hosts for administrators to limit what computers administrators can use to access the unit. Identifying a trusted house forces the unit to only accept the administrator’s login from the configured IP address or subnet.
- Change the default administrator pot to a non-standard port.
- Register with support services to activate the warranty on your device.
- To avoid the possibility of an administrator walking away from the management computer and leaving it exposed, you can add an automatic idle time-out. If the web-based manager is not used for a specified amount of time, the unit automatically logs the administrator out.
- Enable automatic clock synchronization to facilitate auditing and consistency between expiry dates used in expiration of certificates and security protocols.
- Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if “p4ssw0rd” is used as a password, it can be cracked. Create a safer password policy that administrators must follow to facilitate a safer connection.
- Set a lockout duration for when someone enters an incorrect password a specified number of times.
Latest posts by Mike Mielke (see all)