My Fortinet 60E security system has protected my web server and web sites for many years. I added a 221-C and 231-F WAP to our home network. FortiOS works across all Fortinet devices. The security system is configured for IPv4 and IPv6. I have many devices configured for both IPv4 and IPv6.

 

 

This is the policy route that allows access to the cable routers on WAN1 and WAN2 of the Fortinet 60E.

Security is a journey, not a destination.

Cyber Patriot

What Is CyberPatriot?

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition, which puts high school and middle school students in charge of securing virtual networks. Other programs include AFA CyberCamps, an elementary school cyber education initiative, a children’s literature series, and CyberGenerations, a cyber safety initiative geared toward keeping citizens over 62 safe online.

Hardening the Fortinet

I have been working through the Security Fabric – Security Rating area. It covers all aspects of hardening your FortiGate.

1.) Set up the wireless access points as outward facing only. Their SSIDs get Internet access but cannot reach the internal network.
2.) Move the TV and other AV components to their own subnet and interface, also outward facing only.
3.) Interfaces: remove every administrative access option, including ping, from WAN1 and WAN2. Nothing on the outside can then reach the admin console.
4.) Remove unused policies and create new policy groups based on interfaces.
5.) Set up IPv6 policies.
6.) Allow only HTTPS and SSH on the other interfaces. System – Settings: choose redirect to HTTPS.
7.) System – Settings: change the HTTPS port to something other than 443.
8.) Enable 2FA on the FortiGate administrator accounts.
9.) Enable SSH 2FA on all Ubuntu servers.
10.) Configure IPv6 on all interfaces and WAP SSIDs.
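The FortiGate side of the steps above as FortiOS CLI. This is an added example, not the author's configuration: the interface names (wan1, wan2, internal, wifi, av), the admin port 8443, the 192.168.1.0/24 trusted-host range and the FortiToken serial are assumptions, and the trusted-host line is an extra restriction the list above does not mention. The syntax is FortiOS 6.x; FortiOS 7.0 and later take the IPv6 policy inside config firewall policy with srcaddr6/dstaddr6 instead of config firewall policy6.

```fortios
# Added example: FortiOS CLI equivalents of the hardening steps.
# Interface names, ports, addresses and the token serial are placeholders.

# Steps 3 and 6: no admin access of any kind on the WAN side; HTTPS and SSH
# only on the LAN interface (no HTTP, no telnet, no ping).
config system interface
    edit "wan1"
        unset allowaccess
    next
    edit "wan2"
        unset allowaccess
    next
    edit "internal"
        set allowaccess https ssh
    next
end

# Steps 6 and 7: admin HTTPS off port 443, HTTP redirected to HTTPS, and a
# lockout after a few failed logins.
config system global
    set admin-sport 8443
    set admin-https-redirect enable
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end

# Step 8: two-factor on the administrator account (FortiToken shown), plus a
# trusted host so the account can only log in from the LAN (assumed range).
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end

# Steps 1, 2 and 4: outward-facing-only segments. Each gets exactly one policy,
# towards the WAN interfaces with NAT. With no policy towards "internal", the
# implicit deny drops everything else, including traffic between the segments.
config firewall policy
    edit 0
        set name "wifi-to-internet-only"
        set srcintf "wifi"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "av-to-internet-only"
        set srcintf "av"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Step 5: the same shape for IPv6. Without this the IPv6 implicit deny applies,
# so an IPv6-capable device on the WiFi segment would have no v6 Internet.
config firewall policy6
    edit 0
        set name "wifi-to-internet-only-v6"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Moving the admin port off 443 only reduces scanner noise; the empty allowaccess on the WAN interfaces, the trusted host and the two-factor setting are what actually keep the console out of reach. After applying, confirm from outside that nothing answers on the WAN addresses and from the LAN that plain HTTP on the FortiGate redirects to https on the new port.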

Web Application Firewall

Every PHP code hardening page includes using a WAF (Web Application Firewall). Mine is on the Fortinet 60E. SQL injection is blocked at the Fortinet 60E. This is the default setup. I have changed it.

I found issues with the Web Application Firewall in Fortinet. They stopped developing parts of it.

/etc/apache2/apache2.conf, or better, on Debian/Ubuntu, /etc/apache2/conf-available/security.conf: that file ships with ServerTokens OS and ServerSignature On and is included after apache2.conf, so a value set in apache2.conf alone is overridden by it.

ServerSignature Off
ServerTokens Prod

ServerTokens Prod reduces the Server header to the bare word "Apache", and ServerSignature Off removes the version footer from Apache-generated error pages. Restart Apache afterwards; a reboot is not needed.

In php.ini, for the PHP version you are running under /etc/php/<version>/. There is one copy per SAPI (apache2, fpm, cli); set it in every copy:

expose_php = Off

This removes the X-Powered-By: PHP/x.y header that discloses the PHP version.
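An added script, not from the original page, that applies the two changes above on a Debian/Ubuntu layout and then verifies them the way a scanner would, by reading the response headers and the body of an error page. The harden function assumes the Debian paths (/etc/apache2/conf-available/security.conf and /etc/php/*/*/php.ini); the two sample responses at the bottom are constructed to show a leaking server and a clean one.

```shell
#!/bin/sh
# Added example, not from the original page: apply the Apache and PHP changes
# on Debian/Ubuntu and verify that the server stopped advertising versions.
# Paths follow the Debian layout (assumed); the sample responses are constructed.

# Apply. Debian keeps ServerTokens/ServerSignature in security.conf, which is
# included after apache2.conf and would override a value set there.
harden_apache_php() {
    sed -i -E 's/^ServerTokens .*/ServerTokens Prod/;s/^ServerSignature .*/ServerSignature Off/' \
        /etc/apache2/conf-available/security.conf
    for ini in /etc/php/*/*/php.ini; do        # apache2, fpm and cli copies
        sed -i -E 's/^expose_php *=.*/expose_php = Off/' "$ini"
    done
    systemctl restart apache2                   # restart php-fpm too if you use it
}

# Verify. Reads a raw HTTP response (headers and body) on stdin and reports every
# line that still discloses software versions:
#   Server: Apache/x.y ...   -> ServerTokens is not Prod
#   X-Powered-By: ...        -> expose_php is still on
#   <address>Apache/...      -> ServerSignature is still on (error-page footer)
# Returns 1 if anything leaks, 0 when clean.
check_response() {
    leaks=$(tr -d '\r' | grep -i -E \
        '^server:[[:space:]]*apache/|^x-powered-by:|<address>.*apache/' || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/LEAK: /'
        return 1
    fi
    echo "clean: no Apache or PHP version disclosure"
}

# Probe a live server (needs curl). A missing page is requested on purpose so
# that the 404 page's ServerSignature footer is checked as well.
live_check() {
    curl -s -D - "$1/this-page-does-not-exist" | check_response
}

# Constructed sample responses: before and after the hardening.
SAMPLE_BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html

<h1>Not Found</h1>
<address>Apache/2.4.41 (Ubuntu) Server at www.domain.com Port 443</address>'

SAMPLE_AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<h1>Not Found</h1>'

printf '%s\n' "$SAMPLE_BEFORE" | check_response || true   # three LEAK lines
printf '%s\n' "$SAMPLE_AFTER"  | check_response            # clean

# Pass a base URL to check your own server, e.g. ./check.sh https://www.domain.com
if [ -n "${1:-}" ]; then
    live_check "$1"
fi
```

Run harden_apache_php as root once, then live_check against the site from another machine; the check is the part worth keeping, since a later package upgrade or a stray php.ini copy can quietly bring the headers back.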

Certificate

Below is how I generate my 5-name certificate. The main name is the CN; the DNS.x entries are the other names. Copy the entire block and run it in bash on your Linux server (the <( ) form needs bash). It generates your private key, 5Cert.key, and your certificate signing request, 5Cert.csr. Only the CSR goes to the certificate authority; the key stays on the server.

openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -keyout 5Cert.key -out 5Cert.csr -config <(
cat <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = State
L = City
O = Organization
# OU and emailAddress are optional; an empty value makes openssl fail,
# so either give them a real value or leave them out as here.
CN = www.domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# Placeholders: list every name the certificate must cover, including the CN,
# because browsers match on subjectAltName and ignore the CN.
DNS.1 = www.domain.com
DNS.2 = domain.com
DNS.3 = host3.domain.com
DNS.4 = host4.domain.com
DNS.5 = host5.domain.com
EOF
)
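The same procedure as a reusable script, added here as an example rather than taken from the page: it builds the openssl config from an argument list (so it handles any number of names, not just five), generates the key and CSR, and reads back the names the CSR actually carries before it is sent to the CA. The domain names are placeholders, and the DN fields (C, ST, L, O) keep the page's sample values.

```shell
#!/bin/sh
# Added example, not from the original page: build a multi-name CSR from an
# argument list and verify its contents. Domain names are placeholders.

# Print an openssl req config. $1 is the CN; the remaining arguments are the
# other names. The CN is repeated as DNS.1 because clients match on
# subjectAltName and ignore the CN.
san_config() {
    cn=$1; shift
    cat <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = State
L = City
O = Organization
CN = $cn

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $cn
EOF
    i=2
    for name in "$@"; do
        if [ "$name" != "$cn" ]; then     # never list the same name twice
            echo "DNS.$i = $name"
            i=$((i + 1))
        fi
    done
}

# Generate <base>.key (private key, stays on the server) and <base>.csr (goes
# to the CA). -nodes leaves the key unencrypted so the web server can start
# unattended, hence the chmod.
gen_csr() {
    base=$1; cn=$2; shift 2
    san_config "$cn" "$@" > "$base.cnf"
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$base.key" -out "$base.csr" -config "$base.cnf"
    chmod 600 "$base.key"
}

# List the DNS names the CSR really carries, one per line. Check this before
# sending the CSR: a name missing here will be missing from the certificate.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://; s/ *$//'
}

# Usage, reproducing the page's 5-name certificate:
#   gen_csr 5Cert www.domain.com domain.com host3.domain.com host4.domain.com host5.domain.com
#   csr_sans 5Cert.csr
```

When the signed certificate comes back, import it together with 5Cert.key into the FortiGate as a local certificate and into Apache; csr_sans on the CSR and the same grep on the returned certificate should list identical names.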

On the FortiGate CLI

Configure the FortiGate to use the newly imported certificate for HTTPS admin access and for the firewall authentication portal. <cert-name> is the name the certificate was given when it was imported (System – Certificates) and <policy-id> is the ID of the policy that does user authentication. The redirect address, FGT.example.com, must resolve to the FortiGate and be one of the certificate's names; otherwise clients sent to the login page get a certificate warning.

config system global
    set admin-server-cert "<cert-name>"
end

config firewall policy
    edit <policy-id>
        set auth-cert "<cert-name>"
        set auth-redirect-addr "FGT.example.com"
    next
end

config user setting
    set auth-cert "<cert-name>"
    set auth-secure-http enable
end

Security Profiles

Installing phpMyAdmin gave me the best tool for creating databases and running scripts. To protect it, I moved it to its own port. phpMyAdmin made this project possible, with a GUI package to see the data in the tables and work on it.

phpMyAdmin Download page