Search Results for: syspeace

Syspeace vs Cyberarms

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

IT konsult backuper, It konsult säkerhet, IT konsult syspeace, IT konsult återstartsplaner, It konsult Active DirectoryA few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid. I ran into a Swedish development company by coincidence and I told them about my idea, showed them som proofs of concepts and we decided to create this product together and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. In short , after an intial contract for 3 years  for a certain percentage of gross sales , they suddenly decided that I wouldn’t get any money whatsoever for any sales of Syspeace after that. Simple as that. Yay me. Not really what I had in mind when presenting the idea and putting that work into it and still, stupidly enough , I kind of was under the impression that we’d continue the same way as the first contract was written, both practically and in spirit.. Yep. Admittedly bitter about it. I loved the idea, I love the product (although there are improvemens that need to be made in my humble opinion. The idea is even good enough to actually bring some revenue and if we would’ve stayed on terms, I would’ve been perfectly fine. Still, lesson learned. Don’t be so trusting.

Anyaway, this post isn’t about that really. Not getting into how I feel about that but I’m sure you can imagine. There’s another post that kind of relates to that here and my view on a product such as Syspeace.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, the eventid 4625 in the Windows Securitylog didn’t record the source IPaddress, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes stuff fareasier if you’re hosting Terminal Servers (Remotdesktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing but I don’t know really ) so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. A few things to consider here though and you really might want to think about them before implementing Cyberarms IDDS on larger scale.

Syspeace vs Cyberarms

First of all , the notification email you get from Cyberarms contains far too little information for it to be useful in a datacenter environment or at a Cloud Service provider. If you’re simplt protecting your PC at home, sure but if your’re mmanaginfg a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see Geopgraphical information and the login name used in order to know whether it’s an actual attempt to use valid usernames and access data or if it’s just an automated “background noice attack”. With that said, do not underestimate those background nice attacks since they do use up resources like CPU and RAM on your servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noice”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though , there is a default mechanism for also keeping track of succesful logins and with some builtin logic, actuallynot banning the IP address if someone else succeeds with their login attempt from behind that same firewall. The toought behind it is of course to minimize false positives and hopefully not blocking your customers from your services. It’s not foolproof but it works well enough.

In Sypeace, the rules you can set are also more flexible including parameters such as a time window. This is very useful for you to catch “slow grinding” attempts meaning hackers that want to stay under the radar for products such as Syspeace and Cyberarms.

Cyberarms does not have access reports built in to it like it’s built into Sysepace which from time to time can be very useful for a sysadmin.

When you starting up Cybrarms intiially, no agents are activated by default so there’s more of a “how-to” tip for you.

Cyberarms doesn’t not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built in flaw at the moment making it’s database grow above it’s limit of 4 GB in some scenarios but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUIless servers is another quiestion. My guess is that they bort need to be rewritten. None of them support a central managemant interface wich would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sutre there will be such a feature in either on of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and build a great product together. In fact, I’m sure an even greater product can be built for these things and and adjacent things  so if anyone’s up a for it, I’m game.I have quite a few ideas for new functionality and features for such a product already..or who knows,I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but truth told, I’m not a good developer really. I have ideas and I know how it should work but getting to the actual coding would just take to much time for me.

Anyway … Here’s how I’m using both of them at the same time for now anyway
I have the set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace , getting it to catch those SSL/TLS

attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin meaning for me to actually deal with it, I need to manually find out from where the attack originated, what username was used in order to decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get better notifications with more information but that shlould be built into the software really looking more like the Syspeace alerts.

The Syspeace notification isn’t prefect either but it is far better. I would also like to see what port was targeted and what process was targeted, i.e the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports so I thought I’d also incklude one of each from the same server and the same time window. I think you’ll noticed the difference and ralize why the SSL/TLS functionality is so crucial to have in place

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————- 1 XS2323677157; United States (US) 1; United States (US) 6; United States (US) 1; United States (US) 1; Germany (DE) 1; United States (US) 1 ; Italy (IT) 1 ; China (CN) 1 ; Iran, Islamic Republic of (IR) 2; Brazil (BR) 1; Russian Federation (RU) 1 ; China (CN) 1 ; Thailand (TH) 1; Russian Federation (RU) 1; Germany (DE) 1 ; China (CN) 1; China (CN)

//  I Have removed the hourly breakdown opart from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0


Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 6 6 6 6 6 6 6 6 6 6 6 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 10 10 10 11 11 12 12 12 13 13 14 14 14 17 17 17 18 18 18 18 19 21 23 54
Total 1371
Soft locks by IP address
Client IP Soft locks 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 3 3 4 4 4 4 4 12
Total 215
Hard locks by IP address
Client IP Hard locks 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 6
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

Syspeace crashes / not starting due to database growth over 4 GB

Syspeace crashes / not starting due to database over 4 GB

Syspeace is a brute force prevention software for Windows Servers, Exchange Servers, RDS and more.

One issue with the current version of Syspeace is the scenario where the Syspeace GUI can’t be started and Syspeace crashes due to it’s database growing too large and here is why.

When the database called SCDB1.sdf (located in the Syspeace installation directory) grows above its built in limit of 4 GB, Syspeace stops working and the GUI can’t be started, nor does Syspeace block any new brute force attacks.
This is due to a limitations of database groxth and the way Syspeace stores entries within the database in the current version (2.5.2).

Here is a (blurry) picture of the error message. It’s basically a .Net error message saying that the database has grown larger than its built in limitation.

syspeace crashes database 4 gb

Solution / Workaround

The easiest way to workaround this limitation is to stop the Syspeace service and simply delete the database and set up your rules and settings again. This will mean setting up your whitelists, entering licensnumber, rules and so on.

Preparing for this scenario

It is easy to be prepared for this though. Simply export all of the Syspeace settings using the Syspeace GUI ( Export settings/ and click the “Check all” in the top right ) and keep the DefaultSettings.syspeaceSettings in the Syspeace installation folder. Remember to do this every time you apply changes to your settings.
This will ease the workaround-fix from the aspect that you only need to stop the Syspeace service,delete the database that and then restart Syspeace thus having it automatically import all of your settings.

There is also the advantage of being able to distribue the DefaultSettings.syspeaceSettings-file to other servers in case you have multiple installations or you’re planning on expanding your Syspeace usage.

Simply install Syspeace on the next server, copy the DefaultSettings.syspeaceSettings to the installation directory and your configuration is set to the same parameters as the first one, including whitelists, license number, email settings and so on.

By Juha Jurvanen

Riktad lösenordsattack från Kina stoppad av Syspeace

Riktad lösenordsattack från Kina

konsult inom backup It säkerhet molntjänster återsartsplaner för IT lösenordsattack

Igår kväll började det plinga i min mail, inget ovanligt i sig eftersom jag övervakar och driftar ganska många servrar, men den här gången var det ett väldigt plingande under kort tid.

Det visar sig att några IP intervall från Kina hade bestämt sig för att utföra en större riktad lösenordsattack mot en server jag driftar i en molntjänst åt kund.

Anledningen till att jag skriver det här är just för att visa att det förekommer attacker precis hela tiden varav de flest är några enstaka försök medans andra är uppenbart riktade och någon verkligen vill ta sig in.
Oavsett storleken på attacken och hur många olika IP adresser hackern försöker döljsa sig bakom så blockeras det ändå effektivt och automatiskt av Syspeace.
Principen bakom Syspeace är enkel.

Om en IP adress misslyckas med att logga in X antal gånger under Y lång tid så blockeras den IP adress från all kommunikation under Z lång tid.

Som ett fail2ban for Windows eller denyhosts for Windows men med mer funktionalitet, stöd för fler detektorer och system och god rapportering o.s.v


De flesta attacker kommer onekligen från en specifik IP adress men även den här typen av större och uppenbart riktade attacker förekommer alltså också.
Man lever ofta i tron att små företag är ointressanta för hackers att försöka ta sig in i men tyvärr är det helt fel vilket jag tror att nedanstående logg från Syspeace visar väldigt tydligt.

De allra flesta intrångsförösk under gårdagen var alltså från just Kina , spridda över många olika IP adresser och intervall vilket tyder på en hacker med resurser och målmedvetenhet.
Utan Syspeace hade jag som tekniker / driftsansavrig inte haft en aning om att det ens pågick och än mindre något skydd mot det.
Att manuellt blockera varje enskild adress är såklart orimligt och att veta i förväg varifrån ett intrångsförösk kommer går ju sklart inte heller.

Utan effektivt skydd hade varje IP adress som attackerade kunnat gå igenom en hel ordboksattack och försökt gissa sig till ett användarnamn och lösenord dvs från ett hundratal IP adresser kunder det skickats iväg 10 000- 20 000 inlognningsförsök mot serven vilket i sin tur effektivt hade tagit väldigt mycket resurser i anspråk för servern (i näst värsta fall hade det lett till en Denial of Service) och naturligvis risken att de hade lyckats ta sig in.

Attacken upphörde för övrigt då jag antar de insåg det fanns en IDS på plats för att hantera det.

Rapport från Syspeace efter attacken

Nedan är rapprten som genererades av Syspeace.

Från: *******@*****.se
Datum:2015-07-10 00:05 (GMT+01:00)
Till: “******* @ *****” < *******@******.se>
Rubrik: Daily Syspeace report (*******.******.se, 2015-07-09)
Report for 2015-07-09

IP address Times Host name and country
——————– —– ——————————- 3; Italy (IT) 2 ; China (CN) 1; Sweden (SE) 1 VPS41074; Germany (DE) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1; Mexico (MX) 5; Colombia (CO) 1; Brazil (BR) 1 ; Singapore (SG) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN)

Hourly breakdown (blocks per hour)
00 x2
01 x1
02 x1
04 x2
06 x1
07 x1
08 x1
11 x1
13 x1
16 x1
19 x1
20 x1
21 x1
22 x69

Generated 2015-07-10 00:04:54 for machine *******.*******.se by Syspeace v2.5.2.0

Vill ni ha hjälp med att sätta upp ett effektivt intrångsskydd på era Windows servrar?, kontakta mig här