IT operations and IT security

Setting up an SPF record to reduce spam and fraud

What is an SPF record and how can it reduce spam?

JufCorp AB helps companies and associations with questions about backup / restore, disaster recovery, IT security, cloud services and Syspeace.

In principle an SPF record works like this: when you send an email, the receiving mail server checks whether the email address, or more precisely the mail domain you send from (in my case @jufcorp.com), is actually allowed to arrive from the IP address it came from.

A not uncommon problem is that it is very, very easy to pass yourself off as someone else when sending email.
There are plenty of websites describing how it is done: they use so-called open relay servers on the net and simply pretend to be you, so your email addresses appear as the sender.

One warning sign that this is happening to you is, for instance, that a flood of bounce messages suddenly starts arriving, reporting that mail could not be delivered, when you know you never sent it.
If you look more closely at the mail headers you will see that someone has used your email addresses as sender, but the IP address the mail was sent from (i.e. the mail server) is something completely different from the one you use.

One problem that can follow is that your ISP, for example, decides that far too many strange emails have been sent with your domain as sender and simply cuts you off from sending mail at all.

Setting up an SPF record to counter spoofed addresses and reduce the amount of spam and fraud is therefore usually a good idea.

When a receiving mail server gets a message, it looks up the SPF record of the domain in the envelope sender (MAIL FROM / Return-Path) and checks whether the IP address of the server that connected to it is one of the servers that domain has authorised.
What happens on a mismatch depends on how the record ends: with -all (hard fail) the mail is rejected with an SMTP error, with ~all (soft fail) it is accepted but typically marked as suspicious, and with no "all" term at all the result is neutral and the check has no effect. (Note that not every mail server is set up to check SPF; that is up to the receiving server's administrator.) Note also that SPF only covers the envelope sender: on its own it does not stop someone putting your address in the visible From: header while using their own domain in the envelope. Catching that requires DMARC, which is mentioned in the mitigation table further down.

It is nevertheless a neat mechanism that reduces the amount of spam and of people sending mail in your name (which, as mentioned, may well be outright fraud).

Setting up an SPF record, and things to keep in mind

The SPF record is published in your public DNS server, i.e. it is part of your DNS zone that is publicly available.
It is a TXT record and can look like this:

v=spf1 mx a ip4:164.40.177.83 a:ch-p-mailout01.sth.basefarm.net

In this case it means that all servers set up as MX records (i.e. mail servers) for this domain may send mail in the domain's name, and so may the host the domain's own A record points to (the bare "a" term).
It also adds that the IP address 164.40.177.83 and the host name ch-p-mailout01.sth.basefarm.net may send mail with this domain as sender.
Note that this record has no "all" term at the end, so a receiving server gets the result neutral for any other IP address and will not reject anything. To actually block spoofed mail, end the record with -all (hard fail, which is what the mitigation table further down recommends) or, while you are still verifying the chain described below, with ~all (soft fail).

Most ISPs do not allow you to send mail traffic directly on port 25; you have to use their relay servers. The reason is presumably to reduce the amount of spam from virus-infected computers, hackers and so on. Port 25 is simply blocked unless the traffic goes via the ISP's relay servers.

I use Com Hem as my provider, and they in turn use Basefarm.
To send mail out from Com Hem you specify the next-hop server (i.e. relay server) mailout.comhem.se, which is really just an alias for smtp.comhem.basefarm.net with IP address 164.40.177.47.

What happens next is that Basefarm in turn passes this traffic on to yet another server, ch-p-mailout01.sth.basefarm.net with IP address 164.40.177.83, and that is the address the receiving mail server will see.

So when you set up an SPF record you need to know what the chain looks like, i.e. which IP address the receiving mail server will see as the sending mail server.
Keep in mind that it may be a pool of IP addresses (for redundancy, for instance); in that case list the whole range with a CIDR prefix (ip4:a.b.c.0/24 style) or use an include: term pointing at the relay provider's own SPF record, if they publish one.

If you are on Com Hem's network, the above is what goes into DNS, whereas Telia, TDC and others have other IP addresses. The easiest way is to call them and ask which IP address is the last one in the chain for outgoing SMTP.

One more thing to consider: if you have, say, a web form somewhere that emails things to you (a contact form, for example), then that IP address or host name must also be allowed to send mail for the domain, or you have to change the sending mail domain to something else.

Check that your SPF record works

One way to check whether your SPF record is set up correctly, or whether you have one at all, is to go to http://www.kitterman.com/spf/validate.html and enter your domain name.
This check cannot know which server is the last one in the chain; it only looks up whether an SPF record exists and whether its syntax looks correct.
You can also test how it behaves using the fields at the bottom of the form, by entering the correct and then an incorrect IP address as the sending mail server to see how a receiving mail server would react.
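To make the evaluation concrete, here is a small SPF evaluator, written as an added example for this post (it is not code from the original post, nor from Com Hem or Basefarm). It does offline what the test fields on the Kitterman form do: it runs the record from the section above against the right and a wrong sending IP, and shows why that record only ever yields neutral until an "all" term is added. It implements the mx, a, ip4, ip6, include and all mechanisms from RFC 7208 against a constructed in-memory DNS table. The names jufcorp.com, ch-p-mailout01.sth.basefarm.net and the address 164.40.177.83 come from the record above; the domains hardfail.example and softfail.example, the MX host mail.jufcorp.com and every A-record address are assumptions made up for the demonstration.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over an offline DNS table.

Added example for this post, not code from the original post or from
Com Hem / Basefarm. Handles the mx, a, ip4, ip6, include and all terms;
redirect=, exp=, macros and the DNS-lookup limit are left out.
"""
import ipaddress

# Constructed DNS answers (assumption, made up for the demonstration; the
# jufcorp.com record is the one shown in the post, without an "all" term).
FAKE_DNS = {
    ("jufcorp.com", "TXT"): ["v=spf1 mx a ip4:164.40.177.83 a:ch-p-mailout01.sth.basefarm.net"],
    ("hardfail.example", "TXT"): ["v=spf1 mx a ip4:164.40.177.83 a:ch-p-mailout01.sth.basefarm.net -all"],
    ("softfail.example", "TXT"): ["v=spf1 include:hardfail.example ~all"],
    ("jufcorp.com", "MX"): ["mail.jufcorp.com"],
    ("hardfail.example", "MX"): ["mail.jufcorp.com"],
    ("jufcorp.com", "A"): ["198.51.100.10"],
    ("hardfail.example", "A"): ["198.51.100.10"],
    ("mail.jufcorp.com", "A"): ["198.51.100.25"],
    ("ch-p-mailout01.sth.basefarm.net", "A"): ["164.40.177.83"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the table has no answer."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def _ip_in(ip, net_text):
    """ip4:/ip6: match; a bare address counts as a /32 or /128."""
    try:
        return ip in ipaddress.ip_network(net_text, strict=False)
    except ValueError:
        return False


def _host_matches(ip, host):
    """a:/mx: match: does any address record of host equal the client IP?"""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(addr) == ip for addr in lookup(host, rtype))


def check_spf(domain, client_ip, depth=0):
    """SPF result for client_ip sending with <...@domain> as envelope sender:
    one of none, neutral, pass, fail, softfail, permerror."""
    if depth > 10:                       # runaway include: chain
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:                 # RFC 7208: more than one record is an error
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = _host_matches(ip, arg or domain)
        elif mech == "mx":
            matched = any(_host_matches(ip, mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # fell off the end without an "all" term


if __name__ == "__main__":
    for dom, sender in [("jufcorp.com", "164.40.177.83"), ("jufcorp.com", "203.0.113.7"),
                        ("hardfail.example", "203.0.113.7"), ("softfail.example", "203.0.113.7")]:
        print(f"{dom:20s} from {sender:15s} -> {check_spf(dom, sender)}")
```

Run as a script it prints pass for the real relay address and neutral for the wrong one against the record as published, fail for the wrong address once -all is appended, and softfail for the ~all variant. A production checker additionally handles redirect=, exp=, macro expansion and the ten-lookup limit, which is why a library or the Kitterman form should be used for real validation.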

If you would like help with these questions or others within my areas, you are welcome to contact me here.

Ongoing massive #bruteforce attack against primarily Windows server systems from the #USA


As a curiosity I thought I would mention a massive so-called brute force attack / dictionary attack (in Swedish, ordboksattack) that is going on right now, originating in the USA and apparently targeting Swedish servers (several of my customers have been hit).
It is not to be confused with the massive #WannaCrypt attack, which is about ransomware; this is a completely different kind of attack where the intruder tries to guess user names and passwords, or simply overloads the servers with failed logon attempts.

A common denominator in this particular attack is that they use the logon domain as the user name.
Below is a list of "today's harvest" of blocked IP addresses that the intrusion protection blocked on a single server between midnight and 13:30 so far today.

To see whether you are affected, check the Windows Security log for failed logons (Event ID 4625) and look at the source IP addresses and the account names being tried.
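As an added example (not code from the original post), the following script does that triage over exported failed-logon records: it groups Event ID 4625 entries by source IP, looks for bursts of failures, and flags the tell-tale sign described above, the logon domain itself being used as the account name. The events are constructed for the demonstration and the logon domain name CORP is an assumption; in practice you would feed it the IpAddress, TargetUserName and TimeCreated fields exported from the Security log, for instance with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}.

```python
"""Triage of Windows Security-log failed logons (Event ID 4625) to spot a
dictionary attack of the kind described above.

Added example, not from the original post. The events are constructed; in
practice you would feed in records exported from the Security log, for
example with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the NetBIOS name of the server's own logon domain.
LOGON_DOMAIN = "CORP"

# Constructed 4625 records: (TimeCreated, IpAddress, TargetUserName, LogonType).
SAMPLE_EVENTS = [
    ("2017-05-16 00:03:11", "5.102.141.94", "corp", 3),
    ("2017-05-16 00:03:12", "5.102.141.94", "CORP", 3),
    ("2017-05-16 00:03:40", "5.102.141.94", "administrator", 3),
    ("2017-05-16 00:04:05", "5.102.141.94", "admin", 3),
    ("2017-05-16 00:04:50", "5.102.141.94", "backup", 3),
    ("2017-05-16 00:05:40", "5.102.141.94", "corp", 3),
    ("2017-05-16 02:10:00", "45.32.160.56", "corp", 10),
    ("2017-05-16 02:11:00", "45.32.160.56", "corp", 10),
    ("2017-05-16 03:00:00", "24.172.55.54", "sales", 3),
    ("2017-05-16 03:15:00", "24.172.55.54", "info", 3),
    ("2017-05-16 03:30:00", "24.172.55.54", "hr", 3),
    ("2017-05-16 03:45:00", "24.172.55.54", "it", 3),
    ("2017-05-16 04:00:00", "24.172.55.54", "marketing", 3),
    ("2017-05-16 08:15:00", "10.0.0.15", "jdoe", 2),
    ("2017-05-16 08:16:30", "10.0.0.15", "jdoe", 2),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime."""
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "ip": ip,
             "user": user, "logon_type": lt} for t, ip, user, lt in rows]


def peak_in_window(times, window):
    """Largest number of events falling inside any span of length window."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def summarize(events, window=timedelta(minutes=10), threshold=5, logon_domain=LOGON_DOMAIN):
    """Per source IP, flag bursts of failures and the attack's signature
    'domain name used as account name'. Returns {ip: details} for flagged IPs."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        peak = peak_in_window([e["time"] for e in evs], window)
        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} failed logons within {int(window.total_seconds() // 60)} min")
        if any(e["user"].lower() == logon_domain.lower() for e in evs):
            reasons.append("logon domain used as account name")
        if reasons:
            report[ip] = {"attempts": len(evs), "peak": peak,
                          "accounts": sorted({e["user"].lower() for e in evs}),
                          "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip:16s} {info['attempts']:3d} attempts; {'; '.join(info['reasons'])}")
```

With the sample data, 5.102.141.94 is flagged on both counts, 45.32.160.56 only because it tries the domain name as user name (two attempts would never trip a simple counter), while 24.172.55.54, spreading five guesses over an hour, and the legitimate user from 10.0.0.15 are left alone. The window and threshold are the two knobs to tune against your own baseline of genuine typos.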

If you are affected you are of course welcome to contact me here for help with handling the attack, or with protecting yourself against future ones.

IP address Times Host name and country
——————– —– ——————————-
5.102.141.94 2 rev-94.141.102.5.tribion.com; Netherlands (NL)
5.103.29.79 2 static-5-103-29-79.fibianet.dk; Denmark (DK)
5.144.158.193 2 ; United Kingdom (GB)
8.3.64.82 2 mail.sharpcnc.com; United States (US)
8.23.71.66 2 BJP2U36T-PC; United States (US)
8.27.164.197 2 ip-8-27-164-197.trucom.com; United States (US)
12.163.187.130 2 ; United States (US)
12.177.217.60 2 ; United States (US)
12.219.206.146 2 ; United States (US)
12.250.27.210 2 ; United States (US)
13.65.24.104 2 ; United States (US)
13.67.181.161 2 ; United States (US)
13.68.88.62 2 ; United States (US)
13.68.92.114 2 ; United States (US)
18.159.7.137 2 koch-six-forty-eight.mit.edu; United States (US)
23.25.213.172 2 23-25-213-172-static.hfc.comcastbusiness.net; United States (US)
23.227.200.187 2 ; United States (US)
24.13.84.17 2 c-24-13-84-17.hsd1.il.comcast.net; United States (US)
24.45.36.135 2 ool-182d2487.dyn.optonline.net; United States (US)
24.47.123.214 2 ool-182f7bd6.dyn.optonline.net; United States (US)
24.136.114.234 2 rrcs-24-136-114-234.nyc.biz.rr.com; United States (US)
24.172.55.54 2 fbiconstruction.com; United States (US)
24.204.55.66 2 mail.jtparkerclaims.com; United States (US)
24.248.203.94 2 wsip-24-248-203-94.ks.ks.cox.net; United States (US)
24.248.223.50 2 wsip-24-248-223-50.ks.ks.cox.net; United States (US)
27.74.243.108 2 tsgw.rcasp.se; Vietnam (VN)
34.192.198.19 2 ec2-34-192-198-19.compute-1.amazonaws.com; United States (US)
37.252.129.11 2 ; Switzerland (CH)
40.71.27.108 2 ; United States (US)
40.76.37.25 2 ; United States (US)
40.86.191.167 2 ; United States (US)
40.135.9.233 2 h233.9.135.40.static.ip.windstream.net; United States (US)
45.17.245.230 2 45-17-245-230.lightspeed.hstntx.sbcglobal.net; United States (US)
45.20.208.49 2 45-20-208-49.lightspeed.rlghnc.sbcglobal.net; United States (US)
45.32.160.56 2 45.32.160.56.vultr.com; United States (US)
45.40.139.116 2 ip-45-40-139-116.ip.secureserver.net; United States (US)
45.63.4.229 2 45.63.4.229.vultr.com; United States (US)
46.231.187.166 2 ; United Kingdom (GB)
47.21.46.106 2 ool-2f152e6a.static.optonline.net; United States (US)
47.23.136.187 2 ool-2f1788bb.static.optonline.net; United States (US)
47.146.183.166 2 ; United States (US)
47.180.64.184 2 static-47-180-64-184.lsan.ca.frontiernet.net; United States (US)
50.47.72.226 2 50-47-72-226.evrt.wa.frontiernet.net; United States (US)
50.73.101.155 2 50-73-101-155-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.16.81 2 50-76-16-81-static.hfc.comcastbusiness.net; United States (US)
50.76.63.221 2 50-76-63-221-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.167.3 2 50-76-167-3-static.hfc.comcastbusiness.net; United States (US)
50.76.202.210 2 50-76-202-210-static.hfc.comcastbusiness.net; United States (US)
50.77.83.137 2 50-77-83-137-static.hfc.comcastbusiness.net; United States (US)
50.77.201.132 2 50-77-201-132-static.hfc.comcastbusiness.net; United States (US)
50.79.7.213 2 50-79-7-213-static.hfc.comcastbusiness.net; United States (US)
50.79.105.34 2 50-79-105-34-static.hfc.comcastbusiness.net; United States (US)
50.192.13.145 2 50-192-13-145-static.hfc.comcastbusiness.net; United States (US)
50.192.141.193 2 50-192-141-193-static.hfc.comcastbusiness.net; United States (US)
50.196.247.193 2 50-196-247-193-static.hfc.comcastbusiness.net; United States (US)
50.197.82.185 2 50-197-82-185-static.hfc.comcastbusiness.net; United States (US)
50.198.160.161 2 50-198-160-161-static.hfc.comcastbusiness.net; United States (US)
50.199.237.34 2 50-199-237-34-static.hfc.comcastbusiness.net; United States (US)
50.203.190.178 2 mail.intermediagroup.org; United States (US)
50.205.10.174 2 50-205-10-174-static.hfc.comcastbusiness.net; United States (US)
50.205.117.51 2 50-205-117-51-static.hfc.comcastbusiness.net; United States (US)
50.233.197.222 2 50-233-197-222-static.hfc.comcastbusiness.net; United States (US)
50.240.252.205 2 50-240-252-205-static.hfc.comcastbusiness.net; United States (US)
50.241.38.49 2 50-241-38-49-static.hfc.comcastbusiness.net; United States (US)
50.243.129.194 2 50-243-129-194-static.hfc.comcastbusiness.net; United States (US)
50.248.123.221 2 50-248-123-221-static.hfc.comcastbusiness.net; United States (US)
50.254.34.165 2 50-254-34-165-static.hfc.comcastbusiness.net; United States (US)
50.254.133.245 2 50-254-133-245-static.hfc.comcastbusiness.net; United States (US)
52.5.139.105 2 ec2-52-5-139-105.compute-1.amazonaws.com; United States (US)
52.6.224.229 2 ec2-52-6-224-229.compute-1.amazonaws.com; United States (US)
52.23.118.225 2 ec2-52-23-118-225.compute-1.amazonaws.com; United States (US)
52.26.151.34 2 ec2-52-26-151-34.us-west-2.compute.amazonaws.com; United States (US)
52.39.168.186 2 ec2-52-39-168-186.us-west-2.compute.amazonaws.com; United States (US)
52.70.19.127 2 ec2-52-70-19-127.compute-1.amazonaws.com; United States (US)
52.73.103.93 2 ec2-52-73-103-93.compute-1.amazonaws.com; United States (US)
52.89.217.62 2 ec2-52-89-217-62.us-west-2.compute.amazonaws.com; United States (US)
52.168.20.3 2 RACESA; United States (US)
52.168.86.1 2 RACESA; United States (US)
52.170.39.1 2 ; United States (US)
52.173.17.163 2 ; United States (US)
52.200.66.163 2 ec2-52-200-66-163.compute-1.amazonaws.com; United States (US)
54.83.47.75 2 ec2-54-83-47-75.compute-1.amazonaws.com; United States (US)
54.86.14.226 2 ec2-54-86-14-226.compute-1.amazonaws.com; United States (US)
54.149.137.41 2 ec2-54-149-137-41.us-west-2.compute.amazonaws.com; United States (US)
54.157.197.20 2 ec2-54-157-197-20.compute-1.amazonaws.com; United States (US)
54.173.247.253 2 ec2-54-173-247-253.compute-1.amazonaws.com; United States (US)
54.243.64.201 2 ec2-54-243-64-201.compute-1.amazonaws.com; United States (US)
64.19.195.138 2 64-19-195-138.c7dc.com; United States (US)
64.40.136.36 2 ; United States (US)
64.60.63.18 2 64-60-63-18.static-ip.telepacific.net; United States (US)
64.61.65.67 2 static-64-61-65-67.isp.broadviewnet.net; United States (US)
64.135.85.4 2 mail.mmpusa.com; United States (US)
64.203.121.118 2 static-64-203-121-118.static; United States (US)
65.25.200.33 2 cpe-65-25-200-33.new.res.rr.com; United States (US)
65.26.224.113 2 cpe-65-26-224-113.wi.res.rr.com; United States (US)
65.35.122.111 2 65-35-122-111.res.bhn.net; United States (US)
65.51.130.102 2 41338266.cst.lightpath.net; United States (US)
65.184.92.138 2 cpe-65-184-92-138.sc.res.rr.com; United States (US)
66.103.3.246 2 ; United States (US)
66.161.214.122 2 cvg-partners.static.fuse.net; United States (US)
66.172.199.188 2 static.longlines.com; United States (US)
66.194.51.146 2 66-194-51-146.static.twtelecom.net; United States (US)
66.199.16.130 2 asg.sbc.net; United States (US)
66.207.228.204 2 vancestmed1.intrstar.net; United States (US)
67.52.39.30 2 rrcs-67-52-39-30.west.biz.rr.com; United States (US)
67.135.195.250 2 67-135-195-250.dia.static.qwest.net; United States (US)
67.136.185.218 2 ; United States (US)
67.177.69.207 2 c-67-177-69-207.hsd1.al.comcast.net; United States (US)
67.182.27.250 2 c-67-182-27-250.hsd1.ca.comcast.net; United States (US)
67.199.46.32 2 ; United States (US)
67.210.56.23 2 ; United States (US)
68.10.137.200 2 ip68-10-137-200.hr.hr.cox.net; United States (US)
68.34.50.181 2 c-68-34-50-181.hsd1.mi.comcast.net; United States (US)
68.129.33.18 2 static-68-129-33-18.nycmny.fios.verizon.net; United States (US)
68.198.150.65 2 ool-44c69641.dyn.optonline.net; United States (US)
69.19.187.134 2 69-19-187-134.static-ip.telepacific.net; United States (US)
69.77.156.178 2 69-77-156-178.static.skybest.com; United States (US)
69.87.217.243 2 CLOUD-89T44LGN2; United States (US)
69.125.1.18 2 ool-457d0112.dyn.optonline.net; United States (US)
69.160.54.11 2 WEB2012; United States (US)
69.174.171.150 2 c185915-v3292-01-static.csvlinaa.metronetinc.net; United States (US)
69.193.209.138 2 rrcs-69-193-209-138.nyc.biz.rr.com; United States (US)
70.60.5.210 2 rrcs-70-60-5-210.central.biz.rr.com; United States (US)
70.89.79.211 2 70-89-79-211-georgia.hfc.comcastbusiness.net; United States (US)
70.90.200.250 2 70-90-200-250-albuquerque.hfc.comcastbusiness.net; United States (US)
70.90.212.126 2 70-90-212-126-saltlake.hfc.comcastbusiness.net; United States (US)
70.169.140.124 2 wsip-70-169-140-124.hr.hr.cox.net; United States (US)
70.171.217.25 2 ip70-171-217-25.tc.ph.cox.net; United States (US)
70.182.31.80 2 wsip-70-182-31-80.fv.ks.cox.net; United States (US)
70.182.247.14 2 wsip-70-182-247-14.ks.ks.cox.net; United States (US)
71.43.115.10 2 rrcs-71-43-115-10.se.biz.rr.com; United States (US)
71.95.178.34 2 71-95-178-34.static.mtpk.ca.charter.com; United States (US)
71.125.51.247 2 pool-71-125-51-247.nycmny.fios.verizon.net; United States (US)
71.126.153.21 2 static-71-126-153-21.washdc.fios.verizon.net; United States (US)
71.174.248.106 2 static-71-174-248-106.bstnma.fios.verizon.net; United States (US)
71.186.195.114 2 static-71-186-195-114.bflony.fios.verizon.net; United States (US)
71.189.243.4 2 static-71-189-243-4.lsanca.fios.frontiernet.net; United States (US)
71.191.80.42 2 static-71-191-80-42.washdc.fios.verizon.net; United States (US)
71.207.69.236 2 c-71-207-69-236.hsd1.pa.comcast.net; United States (US)
71.224.178.158 2 c-71-224-178-158.hsd1.pa.comcast.net; United States (US)
72.16.147.58 2 72-16-147-58.customerip.birch.net; United States (US)
72.38.44.180 2 d72-38-44-180.commercial1.cgocable.net; Canada (CA)
72.82.230.95 2 static-72-82-230-95.cmdnnj.fios.verizon.net; United States (US)
72.167.43.200 2 ip-72-167-43-200.ip.secureserver.net; United States (US)
72.174.248.122 2 host-72-174-248-122.static.bresnan.net; United States (US)
72.204.63.192 2 ip72-204-63-192.fv.ks.cox.net; United States (US)
72.215.140.252 2 wsip-72-215-140-252.pn.at.cox.net; United States (US)
72.215.215.20 2 wsip-72-215-215-20.no.no.cox.net; United States (US)
72.227.80.102 2 cpe-72-227-80-102.maine.res.rr.com; United States (US)
72.253.213.131 2 ; United States (US)
73.69.143.242 2 c-73-69-143-242.hsd1.ma.comcast.net; United States (US)
73.71.29.17 2 c-73-71-29-17.hsd1.ca.comcast.net; United States (US)
73.142.239.31 2 c-73-142-239-31.hsd1.ct.comcast.net; United States (US)
73.146.72.35 2 c-73-146-72-35.hsd1.in.comcast.net; United States (US)
73.189.105.76 2 c-73-189-105-76.hsd1.ca.comcast.net; United States (US)
73.208.34.64 2 c-73-208-34-64.hsd1.in.comcast.net; United States (US)
74.92.21.17 2 74-92-21-17-newengland.hfc.comcastbusiness.net; United States (US)
74.93.101.9 2 remote.youthfulinnovations.com; United States (US)
74.116.23.151 2 smoke2.bgglobal.net; United States (US)
74.118.182.77 2 res.anniversaryinn.com; United States (US)
74.143.195.146 2 rrcs-74-143-195-146.central.biz.rr.com; United States (US)
75.146.75.109 2 75-146-75-109-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.146.145.189 2 75-146-145-189-stlouispark.mn.minn.hfc.comcastbusiness.net; United States (US)
75.147.156.185 2 75-147-156-185-naples.hfc.comcastbusiness.net; United States (US)
75.149.28.17 2 75-149-28-17-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.30.201 2 75-149-30-201-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.129.98 2 75-149-129-98-connecticut.hfc.comcastbusiness.net; United States (US)
75.150.153.121 2 75-150-153-121-philadelphia.hfc.comcastbusiness.net; United States (US)
75.151.22.138 2 75-151-22-138-michigan.hfc.comcastbusiness.net; United States (US)
81.149.32.248 2 host81-149-32-248.in-addr.btopenworld.com; United Kingdom (GB)
81.149.160.149 2 host81-149-160-149.in-addr.btopenworld.com; United Kingdom (GB)
81.184.4.81 2 81.184.4.81.static.user.ono.com; Spain (ES)
82.70.235.49 2 mail.o-mills.co.uk; United Kingdom (GB)
82.152.42.172 2 ; United Kingdom (GB)
82.163.78.211 2 deals0.outdoor-survival-deals.com; United Kingdom (GB)
84.253.23.243 2 243.23.253.84.static.wline.lns.sme.cust.swisscom.ch; Switzerland (CH)
89.107.57.168 2 CLOUD-CBNJJIKJU; United Kingdom (GB)
93.174.93.162 2 no-reverse-dns-configured.com; Seychelles (SC)
94.173.101.19 2 fpc88091-dund16-2-0-cust18.16-4.static.cable.virginm.net; United Kingdom (GB)
95.143.66.10 2 cpe-et001551.cust.jaguar-network.net; France (FR)
96.2.4.59 2 96-2-4-59-dynamic.midco.net; United States (US)
96.48.86.169 2 s0106002719d04b85.vf.shawcable.net; Canada (CA)
96.56.31.221 2 ool-60381fdd.static.optonline.net; United States (US)
96.56.105.10 2 ool-6038690a.static.optonline.net; United States (US)
96.80.174.85 2 96-80-174-85-static.hfc.comcastbusiness.net; United States (US)
96.80.253.177 2 96-80-253-177-static.hfc.comcastbusiness.net; United States (US)
96.83.33.185 2 96-83-33-185-static.hfc.comcastbusiness.net; United States (US)
96.83.155.97 2 96-83-155-97-static.hfc.comcastbusiness.net; United States (US)
96.85.147.121 2 96-85-147-121-static.hfc.comcastbusiness.net; United States (US)
96.86.193.203 2 96-86-193-203-static.hfc.comcastbusiness.net; United States (US)
96.87.90.37 2 96-87-90-37-static.hfc.comcastbusiness.net; United States (US)
96.89.250.225 2 96-89-250-225-static.hfc.comcastbusiness.net; United States (US)
96.91.83.141 2 96-91-83-141-static.hfc.comcastbusiness.net; United States (US)
96.91.100.241 2 mail.holidayorg.com; United States (US)
96.91.120.121 2 96-91-120-121-static.hfc.comcastbusiness.net; United States (US)
96.93.179.141 2 96-93-179-141-static.hfc.comcastbusiness.net; United States (US)
96.95.3.53 2 96-95-3-53-static.hfc.comcastbusiness.net; United States (US)
96.248.216.162 2 static-96-248-216-162.nrflva.fios.verizon.net; United States (US)
96.250.18.213 2 pool-96-250-18-213.nycmny.fios.verizon.net; United States (US)
96.254.199.133 2 static-96-254-199-133.tampfl.fios.frontiernet.net; United States (US)
97.64.238.118 2 97-64-238-118.client.mchsi.com; United States (US)
97.74.229.216 2 ip-97-74-229-216.ip.secureserver.net; United States (US)
98.209.200.34 2 c-98-209-200-34.hsd1.mi.comcast.net; United States (US)
100.8.29.162 2 static-100-8-29-162.nwrknj.fios.verizon.net; United States (US)
100.12.162.203 2 mail.comjem.com; United States (US)
104.187.243.229 2 104-187-243-229.lightspeed.lnngmi.sbcglobal.net; United States (US)
104.207.135.1 2 104.207.135.1.vultr.com; United States (US)
107.180.77.25 2 ip-107-180-77-25.ip.secureserver.net; United States (US)
108.20.79.148 2 pool-108-20-79-148.bstnma.fios.verizon.net; United States (US)
108.39.247.102 2 pool-108-39-247-102.pitbpa.fios.verizon.net; United States (US)
108.53.118.53 2 pool-108-53-118-53.nwrknj.fios.verizon.net; United States (US)
108.58.195.45 2 ool-6c3ac32d.static.optonline.net; United States (US)
108.60.201.195 2 ; United States (US)
108.61.251.119 2 108.61.251.119.vultr.com; Australia (AU)
108.207.58.163 2 108-207-58-163.lightspeed.lnngmi.sbcglobal.net; United States (US)
109.169.19.116 2 ; United Kingdom (GB)
122.226.196.254 2 ; China (CN)
128.59.46.66 2 dyn-128-59-46-66.dyn.columbia.edu; United States (US)
131.156.136.114 2 ; United States (US)
132.160.48.210 2 ; United States (US)
144.202.132.50 2 144-202-132-50.baltimoretechnologypark.com; United States (US)
146.255.7.75 2 ; United Kingdom (GB)
148.74.244.26 2 ool-944af41a.dyn.optonline.net; United States (US)
162.17.170.225 2 mail.architecturalsheetmetal.com; United States (US)
162.230.118.128 2 162-230-118-128.lightspeed.sntcca.sbcglobal.net; United States (US)
162.231.82.33 2 adsl-162-231-82-33.lightspeed.irvnca.sbcglobal.net; United States (US)
162.246.155.16 2 ; United States (US)
166.62.43.55 2 ip-166-62-43-55.ip.secureserver.net; United States (US)
172.87.144.170 2 rrcs-172-87-144-170.sw.biz.rr.com; United States (US)
172.95.25.4 2 ; United States (US)
173.8.227.70 2 173-8-227-70-denver.hfc.comcastbusiness.net; United States (US)
173.10.137.213 2 173-10-137-213-busname-washingtondc.hfc.comcastbusiness.net; United States (US)
173.12.152.209 2 mail.bfbarchitects.com; United States (US)
173.13.72.50 2 outbound.oceanedge.com; United States (US)
173.14.78.21 2 173-14-78-21-sacramento.hfc.comcastbusiness.net; United States (US)
173.14.220.253 2 173-14-220-253-atlanta.hfc.comcastbusiness.net; United States (US)
173.26.48.212 2 173-26-48-212.client.mchsi.com; United States (US)
173.48.246.52 2 pool-173-48-246-52.bstnma.fios.verizon.net; United States (US)
173.160.91.10 2 173-160-91-10-atlanta.hfc.comcastbusiness.net; United States (US)
173.161.162.68 2 173-161-162-68-philadelphia.hfc.comcastbusiness.net; United States (US)
173.161.224.209 2 173-161-224-209-philadelphia.hfc.comcastbusiness.net; United States (US)
173.193.164.178 2 b2.a4.c1ad.ip4.static.sl-reverse.com; United States (US)
173.197.34.18 2 rrcs-173-197-34-18.west.biz.rr.com; United States (US)
173.220.18.197 2 ool-addc12c5.static.optonline.net; United States (US)
184.16.110.66 2 ; United States (US)
184.176.201.40 2 aexec.com; United States (US)
184.183.152.219 2 wsip-184-183-152-219.ph.ph.cox.net; United States (US)
185.52.248.40 2 ; Germany (DE)
185.129.148.169 2 ; Latvia (LV)
192.198.250.202 2 rrcs-192-198-250-202.sw.biz.rr.com; United States (US)
199.96.115.98 2 ; United States (US)
204.193.139.81 2 ; United States (US)
206.145.187.193 2 morriselectronics.net; United States (US)
208.38.233.43 2 c187290-03-v3409-static.nmchinaa.metronetinc.net; United States (US)
208.75.244.130 2 mail.aisin-electronics.com; United States (US)
208.105.170.100 2 rrcs-208-105-170-100.nys.biz.rr.com; United States (US)
208.180.181.72 2 208-180-181-72.mdlncmtk01.com.sta.suddenlink.net; United States (US)
209.240.184.73 2 OGKCPIPE.nwol.net; United States (US)
213.109.80.18 2 s-213-109-80-18.under.net.ua; Ukraine (UA)
216.81.103.42 2 ; United States (US)
216.170.126.36 2 ; United States (US)
216.176.177.92 2 ; United States (US)

A new brute force protection platform – Are you up for it ?

I firmly believe there's a need for good brute force protection products. The ones currently available simply aren't good enough for larger corporate needs or Cloud Service Providers, or they're too expensive and complicated to use.

Some possible improvements are already out there for some of them, such as Cyberarms going Open Source. At the time I helped start up Syspeace, I would say that Cyberarms was the main competitor and I was really surprised and sad they eventually decided to end their business.

With that said, there’s a good foundation using their code and improving it and modernizing it because there’s a lot of critical things missing in there in order to actually be useful for enterprises the way I see it. Actually quite a few and there needs to be new functionality in there too. Not really disclosing my thoughts here about it though.

The two ways to go about this, the way I see anyway, is to ..

Open Source and brute force prevention

… sit down and have a close look at for instance the Cyberarms code and help out as an Open Source developer and try to get a product that’s free and beneficial for everyone.
The downside to that is, as with most Open Source, that if you're a system administrator and something doesn't work, you might want access to actual support, a helpdesk and help with troubleshooting. You also may want to be assured that development will continue.
You simply don’t have the time to search forums or read through the code to try and figure out what’s wrong or how to improve it and often enough, system administrators aren’t developers. I know I’m not very good at writing code myself anyway.

There's also the risk of the people coding losing interest in an Open Source project, since they don't make any money out of it and eventually start feeling they're just wasting free time, with the result that the product eventually just dies or stays stagnant and becomes obsolete.

Creating a new brute force protection platform as a business idea

The second path would be to start up a new project with developers, marketing people and investors to actually build a product that is useful for enterprises and cloud providers and so on. Such a product needs to have quite a lot of functionality added compared to the ones that are already out there, but with the right people and effort it can be done. I'm absolutely sure of it.
These new ideas and functionalities are probably best provided by people who actually deal with these questions on a day-to-day basis, i.e. System Administrators, Server Managers and so on.

As you may or may not know I was previously deeply involved in the creation and startup of Syspeace.
I had the original idea for a brute force protection software and was a part of most aspects of it, but unfortunately we just couldn't agree on what was reasonable on the business side of it once our initial agreement ended, so I decided to go with the "live and let die" policy.
It basically just took too much energy from me to haggle and not getting anywhere really and frankly, the project had become stagnant the way I saw it so consider this plan B.

The future then? Can it be made viable as a business idea ?

Basically what I’m driving at is this, are there the right people out there? Anyone up for starting up a new project  and try to create an even better brute force protection and security platform with me?
I have already had a few feelers with other companies and there is an interest to be part of such a project. The best scenario would probably be to get in touch with a development company that already has developers and want to broaden their portfolio with a security product but on the other hand, it can be a very small staff of people doing it too.

I'm not opposed to investing myself also, and since I know the finances behind such a product and what it can generate I have reason to believe in it, both technically and businesswise.
Remember, the market is worldwide. It's not geographically confined and that's why I'm actually writing this in English, although for me personally the startup of such a project would be easier if it were in Sweden. I'm just thinking practically.

I’ve already done it once and I believe it can be done again but even better. I’ve already seen the mistakes so to speak.
Of course there are other ways too, such as Crowdfunding and FundedByMe and all that but I firmly believe not only do you have to have the finances settled but also be sure to have the right people involved, willing to invest their time and focus.

At the moment it's just a thought from my side and nothing has really taken any shape (apart from registering a domain for it really), but I would hate to throw away all the ideas, knowledge and experience I have around such a project. I think I have a pretty good inkling of budgets, the business side and of course the technical aspects and functionality of what such a product should be.

So, if you’re up for it, just contact me or give me call and say hi and we’ll take it from there?

I think the time would be more or less now because I’m certain there’s stuff going on in other places too so in order to get a product up and running and get marketshares, this would be the time to do it.


Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself; the original can be found here. I might add a few things to it, but it is a very good start indeed. Well done.
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

This list is a very good starting point for planning for and preventing various types of attacks, and for handling security from several different angles.

For help with questions like these, feel free to contact me here.

 


MITIGATION STRATEGIES

Mitigation strategies summary

Each entry below gives the relative security effectiveness rating, the mitigation strategy, and then in brackets the potential user resistance, the upfront cost (staff, equipment, technical complexity) and the ongoing maintenance cost (mainly staff).

Mitigation strategies to prevent malware delivery and execution

Essential: Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. [User resistance: Medium; Upfront cost: High; Ongoing cost: Medium]
Essential: Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. [User resistance: Low; Upfront cost: High; Ongoing cost: High]
Essential: Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Essential: User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Excellent: Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]
Excellent: Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Excellent: Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Excellent: Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Low]
Excellent: Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). [User resistance: Low; Upfront cost: Low; Ongoing cost: Low]
Very good: Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Low]
Very good: Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. [User resistance: Low; Upfront cost: Low; Ongoing cost: Low]
Very good: Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. [User resistance: High; Upfront cost: High; Ongoing cost: Medium]
Very good: Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. [User resistance: Low; Upfront cost: Low; Ongoing cost: Low]
Good: User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. [User resistance: Medium; Upfront cost: High; Ongoing cost: Medium]
Limited: Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. [User resistance: Low; Upfront cost: Low; Ongoing cost: Low]
Limited: TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. [User resistance: Low; Upfront cost: Low; Ongoing cost: Low]

Mitigation strategies to limit the extent of cyber security incidents

Essential: Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. [User resistance: Medium; Upfront cost: High; Ongoing cost: Medium]
Essential: Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Medium]
Essential: Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. [User resistance: Medium; Upfront cost: High; Ongoing cost: Medium]
Excellent: Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Low]
Excellent: Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]
Excellent: Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Low]
Very good: Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. [User resistance: Medium; Upfront cost: Medium; Ongoing cost: Medium]

Mitigation strategies to detect cyber security incidents and respond

Excellent: Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. [User resistance: Low; Upfront cost: Very high; Ongoing cost: Very high]
Very good: Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. [User resistance: Low; Upfront cost: Medium; Ongoing cost: Medium]
Very good: Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. [User resistance: Low; Upfront cost: Very high; Ongoing cost: Very high]
Limited: Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]
Limited: Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]

Mitigation strategies to recover data and system availability

Essential: Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. [User resistance: Low; Upfront cost: High; Ongoing cost: High]
Very good: Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]
Very good: System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. [User resistance: Low; Upfront cost: High; Ongoing cost: Medium]

Mitigation strategy specific to preventing malicious insiders

Very good: Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. [User resistance: High; Upfront cost: High; Ongoing cost: High]

 

 

For questions or help within these areas, please feel free to contact me here

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

A few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid. I ran into a Swedish development company by coincidence and I told them about my idea, showed them some proofs of concept and we decided to create this product together, and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. Anyway, this post isn’t about that really. Not getting into how I feel about that, but I’m sure you can imagine.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace, but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, event ID 4625 in the Windows Security log didn’t record the source IP address, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes things far easier if you’re hosting Terminal Servers (Remote Desktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing, but I don’t know really), so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. There are a few things to consider here though, and you really might want to think about them before implementing Cyberarms IDDS on a larger scale.

Syspeace vs Cyberarms

First of all, the notification email you get from Cyberarms contains far too little information for it to be useful in a datacenter environment or at a Cloud Service provider. If you’re simply protecting your PC at home, sure, but if you’re managing a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address xxx.xxx.xxx.xxx has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see geographical information and the login name used in order to know whether it’s an actual attempt to use valid usernames and access data or if it’s just an automated “background noise attack”. With that said, do not underestimate those background noise attacks since they do use up resources like CPU and RAM on your servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noise”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though, there is a default mechanism for also keeping track of successful logins and, with some built-in logic, actually not banning the IP address if someone else succeeds with their login attempt from behind that same firewall. The thought behind it is of course to minimize false positives and hopefully not block your customers from your services. It’s not foolproof but it works well enough.

In Syspeace, the rules you can set are also more flexible, including parameters such as a time window. This is very useful for catching “slow grinding” attempts, meaning hackers that want to stay under the radar of products such as Syspeace and Cyberarms.

Cyberarms does not have access reports built into it the way Syspeace has, which from time to time can be very useful for a sysadmin.

When you start up Cyberarms initially, no agents are activated by default, so that’s more of a “how-to” tip for you.

Cyberarms does not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built-in flaw at the moment making its database grow above its limit of 4 GB in some scenarios, but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUI-less servers is another question. My guess is that they both need to be rewritten. Neither of them supports a central management interface, which would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sure there will be such a feature in either one of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and building a great product together. In fact, I’m sure an even greater product can be built for these things and adjacent things, so if anyone’s up for it, I’m game. I have quite a few ideas for new functionality and features for such a product already... or who knows, I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but, truth be told, I’m not a good developer really. I have ideas and I know how it should work, but getting to the actual coding would just take too much time for me.

Anyway... Here’s how I’m using both of them at the same time for now.
I have set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address 182.184.78.244 (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator
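To make the reset-on-success and time-window behaviour discussed above concrete, here is an added example (not Syspeace’s or Cyberarms’ code) that replays constructed login events through a sliding-window blocker using the rule values from the alert just shown, including the case where the failure event carries no source address. The rule names, IP addresses (documentation ranges) and usernames are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule values copied from the Syspeace alert above ("Catch All Login":
# trigger window 5.00:30:00, 5 occurrences, 04:00:00 lockout). The rule dicts,
# event layout and decisions below are this example's own, not Syspeace's.
CATCH_ALL = {
    "name": "Catch All Login",
    "trigger_window": timedelta(days=5, minutes=30),
    "occurrences": 5,
    "lockout_time": timedelta(hours=4),
    "reset_on_success": True,
}
# Hypothetical narrower rule: a 30-minute window never sees a once-a-day grind.
SHORT_WINDOW = dict(CATCH_ALL, name="Short window", trigger_window=timedelta(minutes=30))
# Hypothetical rule without reset-on-success, to show the NAT false positive.
NO_RESET = dict(CATCH_ALL, name="No reset", reset_on_success=False)


class Blocker:
    """Per-source-IP sliding-window failure counter with a timed lockout."""

    def __init__(self, rule):
        self.rule = rule
        self.failures = defaultdict(deque)   # ip -> deque of (time, username)
        self.blocked_until = {}              # ip -> datetime the lockout ends

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)     # lockout expired (or never set)
        return False

    def observe(self, now, ip, username, success):
        """Feed one login event and return the decision for it."""
        # A failure event without a source address (event ID 4625 for RDP over
        # TLS, as described in the post) cannot be attributed to an IP, so
        # there is nothing to block.
        if ip in (None, "", "-"):
            return "no_source_ip"
        if self.is_blocked(ip, now):
            return "already_blocked"
        if success:
            if self.rule["reset_on_success"]:
                self.failures.pop(ip, None)  # someone behind this IP is legitimate
            return "allow"
        window = self.failures[ip]
        window.append((now, username))
        cutoff = now - self.rule["trigger_window"]
        while window and window[0][0] < cutoff:  # forget failures outside the window
            window.popleft()
        if len(window) >= self.rule["occurrences"]:
            self.blocked_until[ip] = now + self.rule["lockout_time"]
            return "block"
        return "allow"

    def alert_text(self, ip):
        """Alert with the context a sysadmin needs: the rule and the accounts tried."""
        lines = [f"Blocked address {ip}", f"Rule name: {self.rule['name']}",
                 "Previous observations of this IP address:"]
        lines += [f"{t:%Y-%m-%d %H:%M:%S} {u}" for t, u in reversed(self.failures[ip])]
        return "\n".join(lines)


def replay(rule, events):
    """Run constructed events through one Blocker; returns (decisions, blocker)."""
    b = Blocker(rule)
    return [b.observe(*e) for e in events], b


T0 = datetime(2017, 2, 20, 6, 9, 50)  # constructed timestamps

# 1) Dictionary attack: five failures a few seconds apart, then one more.
ATTACK = [(T0 + timedelta(seconds=3 * i), "192.0.2.44", "administrator", False)
          for i in range(6)]

# 2) Customer office behind NAT: alice mistypes, bob logs in fine, alice mistypes again.
NAT_OFFICE = ([(T0 + timedelta(minutes=i), "203.0.113.10", "alice", False) for i in range(3)]
              + [(T0 + timedelta(minutes=3), "203.0.113.10", "bob", True)]
              + [(T0 + timedelta(minutes=4 + i), "203.0.113.10", "alice", False) for i in range(3)])

# 3) Slow grind: one attempt per day for five days.
SLOW_GRIND = [(T0 + timedelta(days=i), "198.51.100.7", "backup", False) for i in range(5)]

# 4) RDP over TLS: the failure event carries no source address.
NO_ADDRESS = [(T0, "-", "administrator", False)]

if __name__ == "__main__":
    decisions, blocker = replay(CATCH_ALL, ATTACK)
    print(decisions)
    print(blocker.alert_text("192.0.2.44"))
    print(replay(CATCH_ALL, NAT_OFFICE)[0], replay(NO_RESET, NAT_OFFICE)[0])
    print(replay(CATCH_ALL, SLOW_GRIND)[0], replay(SHORT_WINDOW, SLOW_GRIND)[0])
```

With the 5-day window the once-a-day grind is caught on the fifth attempt, while the 30-minute rule never blocks it; with reset-on-success the NAT office is never blocked, without it the whole office is locked out after the fifth failure.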

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace, getting it to catch those SSL/TLS attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address 155.207.18.189 was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin, meaning that to actually deal with it I need to manually find out where the attack originated from and what username was used in order to decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get better notifications with more information, but that should really be built into the software, looking more like the Syspeace alerts.

The Syspeace notification isn’t perfect either, but it is far better. I would also like to see what port was targeted and what process was targeted, i.e. the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports, so I thought I’d also include one of each from the same server and the same time window. I think you’ll notice the difference and realize why the SSL/TLS functionality is so crucial to have in place.

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
23.236.77.157 1 XS2323677157; United States (US)
47.34.65.227 1 47-34-65-227.dhcp.stls.mo.charter.com; United States (US)
52.14.84.148 6 ec2-52-14-84-148.us-east-2.compute.amazonaws.com; United States (US)
73.37.131.61 1 c-73-37-131-61.hsd1.mn.comcast.net; United States (US)
89.247.148.40 1 i59f79428.versanet.de; Germany (DE)
119.59.80.66 1 119-59-80-66.rdns.afghan-wireless.com; United States (US)
151.54.163.83 1 ; Italy (IT)
183.250.25.70 1 ; China (CN)
185.94.99.245 1 ; Iran, Islamic Republic of (IR)
189.26.112.234 2 corporativo.gvt.net.br; Brazil (BR)
193.34.9.171 1 nlink.nesso.ru; Russian Federation (RU)
202.104.33.34 1 ; China (CN)
203.146.142.62 1 ; Thailand (TH)
213.87.96.182 1 host.mrdv-1.mtsnet.ru; Russian Federation (RU)
213.136.87.8 1 vms8.riseforce.net; Germany (DE)
222.184.121.194 1 ; China (CN)
222.209.233.89 1 89.233.209.222.broad.cd.sc.dynamic.163data.com.cn; China (CN)

// I have removed the hourly breakdown part from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0

 

Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts
Total 1371
Soft locks by IP address
Client IP Soft locks
Total 215
Hard locks by IP address
Client IP Hard locks
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

Securing Windows Server with a baseline security


In short, to have an acceptable baseline security for any Windows server you need to think through all of the things in the list below.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is, but you might use this as some kind of checklist, together with the links provided in this post.

 

Securing Windows Server with an acceptable baseline security

  • 1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java, Office and any software really. This reduces the risk of so-called 0day attacks or your server being compromised by software bugs.
  • 2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F-Secure PSB for Servers and Workstations for lots of reasons. It’s not just a pretty logo. If you need licenses or assistance, please feel free to contact me here
  • 3. Verify that you have thought through your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server, and crucial.
  • 4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
  • 5. Enable logging. If you don’t know what’s happening, you can’t really react to it, can you? It also makes any troubleshooting hopeless in retrospect.
  • 7. Have a good monitoring and inventory system in place such as the free SpiceWorks, and I also recently discovered Sitemonitoring at Sourceforge that I liked. Unfortunately Sitemonitoring only works for HTTP responses; I’d love to also have it work for pure port monitoring.
  • 8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events, to be prepared in case of hardware failures. If possible, also have spare parts ready for the common failures such as hard drives and PSUs (Power Supply Units).
  • 9. Use Group Policies. It’s an extremely powerful tool once you start using it and it will make your day to day operations much easier.
  • 10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive and any communications should be encrypted and secured as far as we’re able.
    Yes, think Mr. Snowden. Think NSA. There are a few more things to consider when installing SSL on servers, such as disabling weak ciphers and testing that you’ve done so correctly. I like using SSL Labs’ free test.
  • 11. Disable any unused services and network protocols. They can be a point of entry, and the unused network protocols basically fill your local network with useless chatter that consumes bandwidth. This also goes for workstations and printers and so on.
  • 12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
    If people are having trouble remembering the passwords they have all over the world, maybe you could have them read this blog post I wrote about remembering complex passwords
    and on the topic of online passwords and identities, they might also want to read this post about protecting your online identity also.
  • 13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post (still on the Syspeace Blog site though) on why
  • 14. Backups! Backups! and again. BACKUPS!!
    Make sure you have good backups (and test them at least once a year for a complete disaster recovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferably stored offsite in some manner in case of a fire, theft or anything really. For day to day operations and generation management I highly recommend using the built-in VSS snapshot method, but never ever have it instead of backups.
    You can also use the built-in Windows Server backup for DR as described here
  • 15. You need to have automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why. If you don’t have the time to read the article then simply download the free Syspeace trial or contact me for licenses and consulting regarding brute force prevention

If you’re up for it, I’ve written a few other related posts here:

Securing your datacenter part 1 – Physical aspects
and
Securing your datacenter part II – Networking

There’s also a third one but to be honest, I can’t remember where I published it. This is one of the reasons I’m moving basically everything I’ve written to my own website instead. Easier to maintain.
Keep it simple and easy is always a good approach. 🙂

By Juha Jurvanen @ JufCorp

Securing your datacenter – Physical aspects

Securing your datacenter - Juha Jurvanen JufCorp AB

A basic guide to securing your datacenter- part 1

This blog post is intended only as a basic guide to securing your datacenter and it’s a repost with some new stuff added into it. I also wrote a couple of follow ups to it that I will repost later.

It is not intended to be the gospel of security since, well.. let’s be honest, there is no such thing as absolute security.

As an example, in Sweden there was a case where a computer was locked in a vault, with no network access whatsoever and only a few people had access to it, and still it leaked information to foreign countries. Yes, a computer controlled by the military.

Absolute computer security is a myth and a beautiful dream. With that said, system administrators can still do a lot to make it more difficult to access data and to prevent attacks and sabotage of their systems.
Let’s start off with the physical aspects.

The actual geographic location

Where is your server actually located and who has physical access to it?

Resetting administrator passwords or root passwords

Once you gain physical access to a server, there are numerous ways of accessing the data. The root password or Active Directory Domain Administrator password or NDS Admin password can be easily reset (yes, the phrase “easily reset” is used loosely) with a USB stick and booting the server. Have a look at, for instance, Hiren’s Boot CD, Burglar for NDS, or just play around with Google and search for terms such as “Reset administrator password”, “decrypt password” and so on.
You’ll be amazed when you realize how easy it actually is. Personally, I always carry with me some USB stick that enables me to boot up any system and “have my way with it”.
So, we need to secure the server from outside access. The data center must be protected with card keys, cameras and access control. We need to know who is in the data center and why they are there in the first place. For instance, a janitor or cleaning staff tends to have complete access due to what they do. Many companies hire outside help to get these kinds of jobs done.

Sabotage and disrupted data services

If I wanted to gain access to a server, I would try to infiltrate one of those subcontractors to get a job as, let’s say, a janitor, and try to gain access to the data center somehow, and from there I could basically do whatever I wanted with the servers.
Maybe my goal wouldn’t be to steal data but to kill the data operations by corrupting the filesystems on the servers (for instance just “piping” data into various files from the command prompt or hiding files behind other files), randomly switching disks in RAID systems or just putting small holes in network cables to cause network errors, triggering an EMP in the data center and so on.
There would be numerous ways to disrupt the data operations once I gained access to the data center or server room.

Information theft

If I’m out to steal data, I would probably not target the servers themselves but instead start looking for backup tapes or backup disks. Far too many companies keep their backups in the same location as the servers themselves and, since the backups usually are not encrypted, I’d go for stealing a complete backup set, go home, scan the tapes to figure out what backup software was used and then do a complete restore of it all.
The backups are most likely to contain the data I’m after, probably at most 24 hours old, and from them I can gain access to all kinds of information about the operations, crack administrative passwords for the server systems and so on. In the comfort of my own data center, or my couch.
This approach would require some skill with Disaster Recovery scenarios and how to get data back from backups, but I’m fairly sure I’m not the only one in the world with expertise in those matters.

Backups are always a weak point from several aspects.

You need to know who has access to them, at all times.
If you are a company that, for instance, has your backups shipped to another location on a daily or weekly basis, you need to know that the people handling them haven’t been compromised. It wouldn’t take long for anyone with the proper skills to clone your tapes or disks en route to their destination, and you would have no way of telling they had been cloned. In that scenario, all of your critical data would be in the wild without you actually knowing it.

If you are using any kind of online backup service, remember to choose your encryption password wisely and be extremely restrictive with who has the password. A lot of backup software does not let you change the encryption password without doing the first backup all over again, thus doubling your usage of space and your costs.
Still, I highly recommend you use an encryption password, for several reasons.
If you don’t use one, it’s just pure laziness and fear of administrative hassle, and that’s not an excuse. The risk of people at your online backup provider being able to access your data is of course also an obvious one. Do you know these people, and how could you be absolutely certain that they aren’t poking around in your data and maybe giving it to your competitors?

If you are thinking about online backups there are a few very essential questions you should ask yourself, but we’ll get back to that later in another post.
Do not use the same encryption password as you have for Root / Administrator / Admin. That’s just crazy talk. Use a password generator to create a unique password. This is also very much valid for tape backups or backups on NAS / disk. Always encrypt your backups with a password and be very, very restrictive with who has the password.

If an employee quits your company or an outside consultant quits his project and he / she has had knowledge of the password, change it.

If you’re doing a planned Disaster Recovery test, for instance, change the administrative passwords right after the DR test, so that nobody can reuse what they found out during the test.
During the actual DR test, you should be there and be the one who actually types in the encryption password for the backups, not any outside technicians or consultants, not even the online backup service provider or your Disaster Recovery Service Provider. You, and you alone, should be the one who has those passwords.
I will return to backup questions and things regarding DR plans further down the line in some upcoming blog post.
So, the conclusion is: always know who is in proximity of your servers and why, and NEVER let anyone be there alone without supervision. Here are a few more pointers.

A short cheatsheet for datacenters

  1. Always have your data center locked and secured from unauthorized access. If you have the means, also have it secured against an EMP attack from the outside. Of course, I haven’t even touched the subjects, but be sure your data center has all the necessary fire prevention/extinction equipment in place, UPS backups and, if possible, also an outside source for generating current in case the UPS or battery runs out. There should also be a system in place for protecting your servers against spikes in current.
    Be sure to know where water pipes are running in the building so you don’t place your server directly underneath one.
  2. Don’t keep cardboard or any other kind of flammable materials in the data center. Be sure to take them with you when you’ve set up a new server or switched disks. Don’t be lazy. The cost of laziness can be extreme.
  3. In the data center, always have your servers locked in cabinets that require keys and access cards to gain physical access to keyboards and such. Also remember to protect the cabling and the back of the servers! Never leave a server logged on at the console. Be sure to have all cabling to and from the firewall and the internet access secured.
  4. If you’re “expecting company”, i.e. an external consultant and so on, be sure to think about NOT having network maps, administrative passwords and other kinds of information in plain sight for anyone to see. I’ve seen it hundreds of times: the IT department having their entire IT operations and information about their systems on white boards or on printed documents next to their workstations. It’s very quick and easy to take a picture of it with a cell phone, and once you understand the infrastructure you can also start exploring weak points in it.
    Sure, it makes their lives easier but, as one might gather, it also makes the life of the attacker easier. Knowledge is a powerful weapon, especially when it comes to data protection.
  5. Don’t have software lying around in the data center with software keys and such on it. All it takes is a mobile phone for someone to copy your license keys, thus possibly putting you in the awkward situation of having to explain to Microsoft, for instance, how come your Volume License keys are a bit too easy to find on Piratebay, which puts you at risk of your licenses becoming invalid and bringing your server operations to a halt, or at least a short disruption.
  6. Know where your backups are, at all times. Have them encrypted. If using online backup services, be sure to use an encryption key and, if possible, have restrictions on the online backup service provider’s end on where backups and restores are allowed to and from.
  7. Do not allow mobile phones in the data center due to the risk of people photographing your equipment or software license keys, or using the mobile phones to copy data via USB cables and such.
  8. If possible, disable any USB ports on your servers. This can be done in the BIOS (and of course also have a system password for accessing the BIOS, a unique one for each server) or you can physically kill them by putting glue or something in there (I haven’t tried that myself, so do try at your own risk ..)
  9. If you are sharing a data center with others, there is no need for you to have your company logo or anything else revealing that the servers are yours. Keep it as anonymous as possible. There is also no need for you to tell anyone where your servers are physically located (although it can be fairly easy for anyone to find out using traceroute commands and so on).
  10. Be sure to have a Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) in case your site is compromised or an accident should occur. Also in this case, treat the secondary DR location as mission critical. Far too often, the secondary site is forgotten and poorly updated.
  11. Once again, do not underestimate the powers of social engineering. Although it’s not hacking in the usual sense, merely good acting, it can still be as harmful as I’m trying to point out here.

So, there are a few tips anyway, and that’s just the start really. It’s not a complete recipe for securing your physical environment and I’m sure I’ve missed out loads of stuff, but it’s a start anyways.

I hope you liked this post and I’d love to hear your thoughts on it, and whether you want me to write a few others on the matters of securing your server operations. I was thinking in the lines of brute force protection, change management, 0day attacks, certificate management, password policies, protecting web servers and so on. You get the picture 🙂

// Juha Jurvanen


Senior consultant in backup, IT security, server operations and cloud

New vulnerabilities found in the All in One SEO plugin for WordPress


All in One SEO is a very popular plugin for many WordPress users. Just like the competing Yoast SEO, it helps bloggers keep track of how search engines such as Google perceive different posts, so they can adapt their texts and keywords for better reach.

Recently, however, several vulnerabilities have been found in the plugin, and the recommendation is to update to version 2.3.8.
For existing customers these are of course things I take care of, but for everyone else I recommend, as always, keeping your plugins up to date, since old plugins and themes are always a risk for hackers to get in or to misuse your WordPress installation, for example to send spam or to make your website part of a botnet or spread malware.

For more information, see https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/

Contact me here to book a meeting about IT matters at your company.

New version of Wordfence for WordPress released today


Security and WordPress

WordPress is one of the biggest platforms for websites and CMS today. Its success lies in how easy it is to set up and in all the plugins and themes available for WordPress.

Many people install lots of different plugins, get their sites exactly the way they want them, and then don’t give it another thought.

This is where the Wordfence plugin comes into the picture, as a tool for getting alerts and monitoring of how the various security aspects of your WordPress installation are doing.

Installing Wordfence is easy and many of the default settings are good. There are, however, quite a few things I usually change after installing Wordfence.

One of the big new features in the new version is the Web Application Firewall, which actively listens for different types of hacking attacks such as SQL injection, XSS and so on.

Wordfence 6.11 can be downloaded here

For the customers whose WordPress I monitor and manage, I of course take care of all of that.

Contact me here for questions

#cybersecurity How to block a brute force attack against Windows Servers, #MSExchange, Remote Desktop and more


How to block a brute force attack against Windows Servers, Exchange Server, Remote Desktop

If your server or datacenter is targeted by a brute force attack, a.k.a. a dictionary attack, it might be hard to figure out how to quickly make it stop.
If the attack comes from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if it needs following up.

However, if the attack is triggered from hundreds or even thousands of IP addresses, it becomes basically impossible to block all of them in the firewall, so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional 30-day trial, you can simply download it here, install it, register with a valid mail address, enter the license key into the Syspeace GUI, and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attacker will be blocked from even connecting to your server within minutes.

The entire process of downloading, installing and registering usually only takes a few minutes, and since Syspeace is a Windows service it will also start automatically if the server is rebooted.

If the attack is set up to use just a few login attempts per attacking IP address with a longer period of time between attempts, I’d suggest you change the default rule to monitor for failed logins over a longer trigger window, for example 4 days, so you’d also automatically detect hacking attempts that try to stay under the radar of countermeasures such as Syspeace.
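The trigger-window idea above, as an added example that is not Syspeace’s own code: a small sliding-window detector in Python run over constructed failed-logon records (in the shape of Windows Security Event ID 4625, with documentation-range IPs). With the default 1-hour window only the fast attacker trips the threshold; with a 4-day (96-hour) window the slow, “under the radar” one is caught too.

```python
# Added example (not Syspeace's own code): a minimal sliding-window detector over
# failed-logon events, showing why a longer trigger window is needed to catch
# slow, "under the radar" dictionary attacks.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security Event ID 4625
# (failed logon): (timestamp, source IP, account tried). IPs are from
# documentation ranges, not real attackers.
SAMPLE_EVENTS = [
    ("2016-07-10 01:00:00", "203.0.113.10", "administrator"),
    ("2016-07-10 01:00:02", "203.0.113.10", "admin"),
    ("2016-07-10 01:00:04", "203.0.113.10", "root"),
    ("2016-07-10 01:00:06", "203.0.113.10", "test"),
    ("2016-07-10 01:00:08", "203.0.113.10", "guest"),   # fast attack: 5 tries in 8 s
    ("2016-07-10 09:15:00", "192.0.2.44", "jsmith"),    # one typo from a real user
    ("2016-07-10 02:00:00", "198.51.100.7", "sales"),
    ("2016-07-11 02:00:00", "198.51.100.7", "sales"),
    ("2016-07-12 02:00:00", "198.51.100.7", "sales"),
    ("2016-07-13 02:00:00", "198.51.100.7", "sales"),
    ("2016-07-13 03:00:00", "198.51.100.7", "sales"),   # slow attack: 5 tries over 3 days
]


def find_offenders(events, threshold=5, window_hours=1):
    """Return {ip: trigger_time} for every source IP that reaches `threshold`
    failed logons inside any sliding window of `window_hours`.

    trigger_time is the timestamp ("YYYY-MM-DD HH:MM:SS") at which the threshold
    was first crossed, i.e. the moment a Syspeace-style rule would block the IP.
    """
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for ts, ip, _account in sorted(events):   # ISO-style timestamps sort chronologically
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window:      # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = now.strftime("%Y-%m-%d %H:%M:%S")
    return offenders


if __name__ == "__main__":
    # Default 1-hour window only catches the fast attacker; 96 h (4 days) catches both.
    print("1 hour :", find_offenders(SAMPLE_EVENTS))
    print("4 days :", find_offenders(SAMPLE_EVENTS, window_hours=96))
```

The single mistyped password from 192.0.2.44 never reaches the threshold in either window, which is the behaviour you want from a rule that blocks all ports for an offending IP.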

The Syspeace Global BlackList

Since Syspeace has already blocked over 6.5 million attacks worldwide, we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of time), the attacker’s IP address is quite likely to already be in the GBL and will therefore automatically be blacklisted on all Syspeace installations, thus being preemptively blocked.

Syspeace does not simply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server, so if you’ve got other services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any of those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately, for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS), RemoteApp and RDWeb, Microsoft Exchange Server including the webmail (OWA) and SMTP connectors, Citrix, SharePoint, SQL Server, and we’ve also released public APIs to use with various web logins. All of this is included in Syspeace. Out of the box.
We’ve got an IIS FTP Server detector in beta and also a FileZilla FTP Server detector, and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attempts than you think, such as disabled or removed users that have left the company, or very subtle, slow dictionary attacks going on in the background that actually might be quite tricky to spot if you’re not constantly monitoring log files.

On this blog, https://syspeace.wordpress.com, we’ve written a lot of articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

By Juha Jurvanen
