skydda FTP server

Massiv #bruteforce attack mot 14 miljoner #WordPress installationer i timmen.

Just nu pågår en massiv sk bruteforce attack (även kallat ordlisteattacker på svenska) mot WordPress installationer världen över. 

Bakgrunden kan vara den stora läckan av lösenord som blev publik nyligen där användarnamn och lösenord finns att läsa i klartext. 

Se mer information nedan och hur man kan skydda sin installation.

NTLM settings and other fun labs searching for missing IP adresses in eventid 4625 or trying to get RemoteAPP to work well with RD Client on iPad, Android and even Windows!

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Using SSL causes mssing IP adresses in eventid 4625 and to get them back .. disable NTLM ? Nope. Not really an option

Today I took me a lab day to actually sit down and spend time with the NTLM settings and the RDWEB and try it out on various platforms and do some more or less scientific testing.
In short, I’äm not impressed by how Micropsoft has actually implemented parts of ther stuff..

I used Windows 10, RD Client for IOS and RD Client for Android. The server infrastructure was a Windows Server 2008 R2 with valid SSL certficates for all services.

The underlying problem is basiaclly that if you use an SSL certificate for your RDP connections , failed logins aren’t correctly dispalyd , i.e. your missing IP adresses in eventid 4625. (When not using an SSL certficate , it is recorded but then your users and customers get a lot of warnings when connecting to your servers and some things just donät work very well sucha as the Webfeed for RD Web)

Syspeace is a Host Intrusion Prevention Software that uses this inormation about the source IP address to block brute force attacks against Windows Servers.

One way around this is to disable incoming NTLM traffic and sure enought , all IP addresses are recorded.

The downside is .. only “full” RDP connections will work meaning that for instance connections to a server desktop works fine but if you’re really into RemoteAPP (and that’s the way I want to go and a lot of tekkies with me) you’ll be running into problems.
And, by th way.. frankly, full desktop session don’t work either from IOS (at least remote Desktop Client 8.1.13 and my iPad, they do from Android though, same server, same username and so on)

Not even Windows really working correctly when disabling NTLM ?

I also did some testing for fun by creating a .wcx file and oddly enough. In order to get that to actually work with Windows 10 (and I’m guessing it’s the same for Windows 7 and so on ) , It just refuses to connect to the RemoteApp service if incoming NTLM is disabled.
I can howerver start a normal Desktop Session against the server so, what I would claim is that the fault is actually within RD Web and the way it handles authentication, requiring some parts to be using NTLM.
The usual RD Web login interface works so far that I can login and see the resources but I can’t start any applications from it. No errors, nothing.
If enabling NTLM, I can start the applications just fine. Once again. NTLM has to be enabled in order for full functionality 🙁

So, basically, if I change the policy settings for the RD Server not to allow incoming NTLM traffic in order to be able to actually handle a bruteforce attack and also keep track of failed logins with informaion that’s actually useful for me as a sysadmin and CSO

These are by the way the settings I’m referring to

Computer Configuration\Windows Settings\Security Settings\Security Options

– Network security: LAN Manager authentication level — Send NTLMv2 response only. Refuse LM & NTLM
– Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Enable auditing for all accounts
– Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts

Regardless of how I try, I can’t get it to work to actually add remoteapp resources (or Remote Resource Feed) neither Windows 10, nor IOS, nor Android.

So, what are the implications of this ? Does it matter ? Do we need the source IP address in 4625?

First of all, the way this is handled within Windows Server is an absolut nightmare and frankly, just usesless and I can’t see any reason for Microsoft developers to leave the IP address out when using SSL certificates or at least have another entry in the eventlog for it containg useful information.
It’s not possible to handle brute force attacks natievly within Windows Server as I’ve written about many times earlier.

The biggest problem is of course that if someone tries to bruteforce your server, then how will you stop the attack ? How do you gather evidence ?
If your’e running a larger server environment and hosting customers and so on , you’ll have no way of knowing what attempts are legitimate customers and user and which ones aren’t really.
You can hardly shut down your services can you ?

At the moment , I don’t have a good solution to this problem. Syspeace catches lots and lots of bruteforce attacks for me but these ones it can’t since it doesn’t have any IP address to block.
I’m just hoping for Microsft to actually solve this on the server side since that would be the easiest fix for them I’d say.
Of course they also neeed to get the RDP clients working for all platforms but basically it should be working with NTLM2 at least and also to log the failed logon request correctly if using an SSL certficate. Anthing else is just pure madness and stupidity to be honest and someone should get fired for not thinking ahead.

By Juha Jurvanen @ JufCorp

The anatomy of hacking attacks and a few countermeasures

konsult inom backup It säkerhet molntjänster hacking attacks

Various hacking attacks against servers and users

First of all, there are multiple types of hacker attacks and they all have different purposes.
There are also many different types of hackers and they all have cool names like “White hat” hackers and “Black hat” hacker.
The White Hat ones are usually the security experts hired at a company to check and verify the IT security measures at other companies.
The Black Hat hackers are not. They’re the ones to be afraid of.
I’m neither of them. I’m simply a consultant and the best of these guys know far more about theses things than I do but still, I thought I’d run through a few common attacks targeted to accomplish various things.

There are many reasons why an attacker wants to hack you.

It could be hacktivism and political reasons or an attempt to gain access to your server to be able to use it for hacking others (basically they want access to your CPU, RAM and disk to hide stolen data and tools, mine for Bitcoins or whatever and to have an IP address to use, not leading back to their own).
There’s a few very cool and easy ways to hide files on servers that ar more or less impossible to find such as hiding a file “behind” another file and so on.

Of course in some cases it can also be about trying to steal company secrets (industrial espionage), possibly a former (or current for that matter, internal data theft and hacking is far more common than you’d expect) discontent employee looking to sabotage or looking for revenge or in some cases, just for the fun of it to see if it can be done.

The pre-run. Checking out your site, server with portscans and bruteforce atttacks

First of all, any hacker will need to know what you’re running and what it looks like. “Know thy enemy” so to speak.
Usually a portscan of your servers will reveal quite a lot of information and there are loads of tools to do this, quietly, undetected and efficiently such as nmap or even Google actually.

In order to make it a bit more difficult for them I’d suggest you have your firewall correctly configured for blocking portscans, your servers on a DMZ and also to hide any banner revealing what software you’re running and what version. This can’t be done with all software I’m afraid but the ones that you can, please consider doing so.
For a hacker to know exactly what you’re running will only make his/her life much easier since all they do is to start
looking for any known vulnerabilities and so called exploits to that software and version.
Usually software developers have released a patch but unfortunately, a lot of software never gets updated in time due to the old “if it works, don’t fix it” attitude among a lot of server tekkies and hosting providers.

Another thing is to move all default pages and scripts (or delete them if you’re not using them) to make a bit more difficult to figure out what you’re actually running and how it is setup. Have for instance 404 error messages redirected to the start page or Google or your worst competitor and also 403 errors ..

DoS attacks and DDoS attacks and also hiding behind them.

A DoS attack is a “Denial of Service” attack which means that your server is in some way attacked and made to stop servicing your clients / users or customers the way it’s supposed to, for instance your webmail / OWA or a webshop or RDP services.

This can be accomplished in many ways. A DDoS attack is a DoS attacked but with the difference that it is a Distributed DOS attack meaning there are a lot of more computers involved in doing the attack.
These attacks often have the main purpose of taking a website down by overloading it really.

If you’ve got a web server servicing for instance a webshop and a hackergroup for some reason don’t like you, they’ll get a few hundred thousand computers around the world to ask for a specific document or picture on your website, thus overloading it so it can’t really service your customers since the server is busy handling the bogus requests.

It is not uncommon also for a hacker to hide behind these attacks to try and find out what kind of countermeasures you have in place such as Syspeace. The idea behind it is basically to became invisible in all the log noise a DDoS attack generates.

Worst case, hacking attacks such as this can actually go on for weeks and it has happened often. That is also simply an extortion. “If you pay us this and this much , your webshop will be back online again, otherwise not”. For some companies this of course could be an absolute disaster, imagine for instance around the Christmas sales.

Now, it might sound impossible to find a few hundred thousand computers to get such an attack underway. It’s not. They’re out there in botnets spread over VPS and physical machines and they’re for hire even. Including a trial run and with support.
Brave new world ..

There are ways to handle these attacks. For instance increasing the service capacity on the server, increasing you bandwidth and also have a talk with your ISP on how to mitigate the attacks if they have solutions in place for it. You could also have for instance a powerful SNORT server in front of the firewall to get rid of some of the traffic. You should also have Syspeace in place for handling the bruteforce atatcks

Poorly updated applications or neglected updates and 0day exploits

If a server is poorly updated and the application/website is sensitive for instance that the hacker simply adds some code against the webaddress trying to browse the file system on the server then this can also render in a DOS attack or even worse, the attacker gets hold of the users and administrator/ root passwords. Once they’ve got that, your pretty much ..well. you won’t be having a good day. Basically you need to make sure your webserver is always correctly updated, and you also need to make sure that the underlying file system can’t be reached from the outside more than absolutely necessary.
Make sure you checked every directory and path on the website and what actually is reachable, writeable and browsable. If you’ve got pages you don’t want indexed then hadndle that in the robots.txt or have them secured behind a user login page.If you’re running a Wordporess site, make sure you hav alarma set up for outdated plugins, changes to files and so on and and make sure to deal with it asap.

Unfortunately, from time to time there are also so called 0day exploits out in the wild and those are very hard to defend yourself against. If get alerted that there is one in the wild for your environment, please keep alert and stay on your toes until a patch is released and follow any best practices released by the vendor! This can also fall under the category viruses and trojans further down.

SQL Injections and badly formatted requests

If the website uses a SQL Server / MySQL or has any input form to validate or gather something, please make sure that the application strips away any characters that could make your server vulnerable to SQL Injections since the SQL Server is usually run with administrative rights making the SQL Server injections being run with high privileges and accessing the operating system.

If you don’t know how the application is written, please contact the developers of it and ask them and have them verify this.

For any part of the website where there are input forms, makes sure that all input is validated in terms of what characters are used and how long the input is.
If a website is poorly written and poorly validated, a memory buffer overflow can occur which basically means that the input is so large or strangely formatted that the server will stop working or even give the attacker access to the servers operating system by overwriting stuff in the RAM in a way that it’s not supposed to.

Viruses, rootkits and trojans.

If an attacker has been able to lure your users to a site that contains infected code (sometimes also called drive by hacking) and the web browser or plugins to it (Java, Adobe, Flash and so on) are sensitive to that particular infections you user might come down with an infected computer.
Depending on what actually has been infected and why the consequences vary of course.

This is often done by sending emails with links to websites or trying to get user to plug in an infected USB stick into their PC.

I’ve heard of companies that have been affected with a virus rendering them unable to work since nobody was allowed to even plug in their computers to the work networks until they could be sure they’d got rid of it. In this case it was a lot of computers so I think it took them 3 week until people actually could start working again, 3 weeks without any work. That’s a costly thing for any company.The same standstill could also come from a ransom virus, basically encrypting all your files and you’ll have to pay money to get the right decryption password.

The way to minimize such a horrible standstill is to make sure that ALL of your devices connecting to the network are properly updated with antivirus products (please do not use the free ones ..ever!) but also you need to make sure that any other software is properly updated . Java, Flash, and the operating system itself .
This also goes for workstations connecting from home and so on or otherwise you might be in for a bad day. You should also be very restrictive when it comes to letting users use USB drives and stuff. They might be infected with something.

MITM – Man in the Middle, proxies and easedropping

If you’ve got a corporate network, you want to know what devices actually are on it and why. If someone for instance sets up a computer and has all of the corporate traffic routed through (by acting a proxy) , all of your communicating is being copied and this can be done in various ways. The same goes actually for you if you’re using public WiFi hot spots which I would never recommend anyone really using. To intercept data isn’t very difficult unfortunately, especially if it isn’t protected by valid certificates.
You need to use valid SSL certificates and there’s no reason to use anything lower that 2048 encryption and you must also disable weak cipher and other stuff before your SSL is correctly set up. Check your configuartion against for instance on Qualsys SSL Labs.
Also make sure that all communications are secured within your network.

Brute force and dictionary attacks.

I’ve written loads and loads on this earlier so I won’t linger on it. A brute force or dictionary attack is basically someone trying to get access to your server by guessing the username and correct password using a large list of common passwords or a dictionary and simply trying them one by one (well, thousands at a time really since its’s automated).

To protect your servers and user you need to have a intrusion prevention system in place. For Windows Servers I recommend using Syspeace (and you can also use Sysepace for protecting web applications you’ve protected through the Syspeace API) and on Linux servers I’d have a look at fail2ban. You should also use and enforce complex passwords.

Anything that comes with a default password for logins (routers, switches, printers and so on) should have the password changed from default!
These are always sensitive to brute force attacks and there are sites on web listing thousandfs of default passwords out there

You should also have a very strict policy to immediately block an employees account as soon as they’re no longer with the company and you should be very careful with what user rights you grant your users since they can easily be misused.
You should also have software in place for managing mobile phones and other devices that your employees have and the ability to wipe them clean if they get stolen or if you suspect internal mischief from an employee.

On site data theft and social engineering.

Well. In a sense , it’s not hacking but it’s more fooling people. Not the initial part anyway.
Basically someone turns up, claiming to be from the phone company, a cleaning company, your IT support company or anything that makes sense and they want access to the data center, server room to “fix” something. This is also referred to as social engineering. First the hacker finds out as much as possible about the company they’re attacking and then use that information to gain access to workstations or servers within the company,

Once they’ve actually gained access, they’ve got USB sticks to insert into workstations or servers , either loading a software into them such as trojans or keyloggers or just something that elevates rights or maybe they’re simply after just copying the data.
It all depends on how much time they have and if they’re alone. In some scenarios it might even just be a trick for them to gain access to backup tapes since all the companys data is on them .
They could also bribe janitors, cleaning staff and so on to steal backup tapes for them since they far too often will have access to the datcenters and they’re
not that highly paid.

There are a lot of tools that can simply put on a USB stick, boot up the server and you can reset administrator passwords, overwrite systemfiles (or plant a trojan or destroy them to render the server unbootable) , steal data and so on and a lot of them are surprisingly user friendly like for instance Hiren’s BootCD

A variation of this is of course people phoning someone up, claiming to be from the IT departement or Microsoft or somewhere, wanting to “help you” with a problem and asking for remote access to your computer. Once they gain access, they’ll do same things. Plant a trojan or a virus or a keylogger and the basically own the computer.

To protect your company data please always make sure you know who and why people are on site, never have anyone come near servers without supervision or the users workstations and if possible, disable any USB ports and always use password protected screen savers.

Every device on your network must also have a good antivirus running in case someone still manages to put an infected USB stick into the workstation.
Also make sure you talk the users about the hazards of giving anyone access to their computer.

If you suspect you’ve been hacked. What to do. Contingency planning

First of all, try to verify that you have been hacked and also try to find out when. In some cases you’ll have to revert to backups taken BEFORE you we’re hacked to be sure that you don’t restore a root kit or something.
This also means your backup plans and DRP plans need to take these scenarios into account so don’t be cheap with the number of generations you actually save.
You might need something from 6 months ago.

Try to find out what happened, when it happened, how it happened and have it fixed before you allow access to the server again. There’s no sense in setting the same flawed server up again. It will only be hacked again,

Don’t be afraid to make it a matter for the police. They need to know about it and they want log files and any documentation you may have.

When you get the server up and running again (or preferably before you’ve been hacked) make sure to have monitoring set up for the server. If it’s a website for instance, you want to be alerted if anything changes on in the html code for website for instance, or if the site is responding slowly (this doesn’t have to mean you’ve been attacked but could point to other problems also such as disk problems, misconfigured server settings or ..well..anything really. In any case you want to look into it.)

So , these were only a few methods and there a loads and loads more of them .

I’ve written a few other blog articles on securing servers, data centers and on brute force prevention and here’s a few links to previous articles. Most of are copied from older blogs and I do admit I haven’t nor proofread them nor formatted them for this site yet. I will. Eventually.

Articles by Juha Jurvanen on securing your server environments

Securing server environments – Part I – Physical aspects

Securing server environments – part II – Networking

Securing your Windows servers and MSExchange with an acceptable baseline security | Syspeace – Brute force and dictionary attack prevention for Windows servers

Windows Server intrusion prevention for Cloud providers and hosting providers

Should you need consulting or ideas on these questions or on backup/restore or on building cloud services / migrating to cloud services ,
I’m reachable by clicking the link below.

Juha Jurvanen – Senior IT consultant at JufCorp”>By Juha Jurvanen – Senior IT consultant at JufCorp

Riktad lösenordsattack från Kina stoppad av Syspeace

Riktad lösenordsattack från Kina

konsult inom backup It säkerhet molntjänster återsartsplaner för IT lösenordsattack

Igår kväll började det plinga i min mail, inget ovanligt i sig eftersom jag övervakar och driftar ganska många servrar, men den här gången var det ett väldigt plingande under kort tid.

Det visar sig att några IP intervall från Kina hade bestämt sig för att utföra en större riktad lösenordsattack mot en server jag driftar i en molntjänst åt kund.

Anledningen till att jag skriver det här är just för att visa att det förekommer attacker precis hela tiden varav de flest är några enstaka försök medans andra är uppenbart riktade och någon verkligen vill ta sig in.
Oavsett storleken på attacken och hur många olika IP adresser hackern försöker döljsa sig bakom så blockeras det ändå effektivt och automatiskt av Syspeace.
Principen bakom Syspeace är enkel.

Om en IP adress misslyckas med att logga in X antal gånger under Y lång tid så blockeras den IP adress från all kommunikation under Z lång tid.

Som ett fail2ban for Windows eller denyhosts for Windows men med mer funktionalitet, stöd för fler detektorer och system och god rapportering o.s.v


De flesta attacker kommer onekligen från en specifik IP adress men även den här typen av större och uppenbart riktade attacker förekommer alltså också.
Man lever ofta i tron att små företag är ointressanta för hackers att försöka ta sig in i men tyvärr är det helt fel vilket jag tror att nedanstående logg från Syspeace visar väldigt tydligt.

De allra flesta intrångsförösk under gårdagen var alltså från just Kina , spridda över många olika IP adresser och intervall vilket tyder på en hacker med resurser och målmedvetenhet.
Utan Syspeace hade jag som tekniker / driftsansavrig inte haft en aning om att det ens pågick och än mindre något skydd mot det.
Att manuellt blockera varje enskild adress är såklart orimligt och att veta i förväg varifrån ett intrångsförösk kommer går ju sklart inte heller.

Utan effektivt skydd hade varje IP adress som attackerade kunnat gå igenom en hel ordboksattack och försökt gissa sig till ett användarnamn och lösenord dvs från ett hundratal IP adresser kunder det skickats iväg 10 000- 20 000 inlognningsförsök mot serven vilket i sin tur effektivt hade tagit väldigt mycket resurser i anspråk för servern (i näst värsta fall hade det lett till en Denial of Service) och naturligvis risken att de hade lyckats ta sig in.

Attacken upphörde för övrigt då jag antar de insåg det fanns en IDS på plats för att hantera det.

Rapport från Syspeace efter attacken

Nedan är rapprten som genererades av Syspeace.

Från: *******@*****.se
Datum:2015-07-10 00:05 (GMT+01:00)
Till: “******* @ *****” < *******@******.se>
Rubrik: Daily Syspeace report (*******.******.se, 2015-07-09)
Report for 2015-07-09

IP address Times Host name and country
——————– —– ——————————- 3; Italy (IT) 2 ; China (CN) 1; Sweden (SE) 1 VPS41074; Germany (DE) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1; Mexico (MX) 5; Colombia (CO) 1; Brazil (BR) 1 ; Singapore (SG) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN) 1 ; China (CN)

Hourly breakdown (blocks per hour)
00 x2
01 x1
02 x1
04 x2
06 x1
07 x1
08 x1
11 x1
13 x1
16 x1
19 x1
20 x1
21 x1
22 x69

Generated 2015-07-10 00:04:54 for machine *******.*******.se by Syspeace v2.5.2.0

Vill ni ha hjälp med att sätta upp ett effektivt intrångsskydd på era Windows servrar?, kontakta mig här

Hur Syspeace blockerar lösenordsattacker mot Windows – video

Hur portblockering med Syspeace stoppar lösenordsattacker mot Windows

backup disaster recovey kontinuitetsplaner IT säkerhet molntjänster syspeace

Att hantera lösenordsattacker (även kända som ordboksatacker eller brute force attacks / dictionary attacks ) mot Windows är en komplicerad historia. I själva operativet finns väldigt lite skydd mot detta , se t.ex. den här artikeln för mer information kring problemet att hantera frågan.

En del prgramvaror och webtjänster har en inbyggd hantering mot lösenordsattacker men problemet är att de bara tar hand om den egna applikationen .
Ett exempel är t.ex. WordPress eller FileZilla FTP Server.
Till båda finns möjligheten att ställa in att en attack ska stoppas från att få försöka logga in under en viss tid mot just den egna applikationen.
De kan dock inte på något sätt stoppa trafik mot andra applikationer eller tjänster som är igång på samma server som t.ex. Exchange OWA webmail elelr Remote Desktop Services.

En hacker kommer märka han blev blockerad på t.ex. FileZila Server men han kan fortfarande föröska logga in mot andra tjänster som t.ex. Exchange OWA Webmail eftersom den ju är nåbar.
På det sättet kan alltså lösenordsattacken fortsätta mot andra tjänster på samma server. Det är bara just FileZilla som inte tillåter att den IP adressen försöker logga in.

Hur Syspeace hanterar hackerattacken

Syspaece hanterar lösenordsattacker annorlunda.När en applikation eller tjänst som skyddas av Syspeace blir attackerad så komnmer attacken att stoppas mot alla tjänster på samma server .
Det innebär alltså att om man har t.ex. en FTP server och Webmail på samma server så kommer en hacker att bli helt utelåst från all kommunikation. med den servern.Attacke  spåras, rapporteras till Syspeace Global Blacklist och mailas till systemadministratören med information om varfrån attacken skedde, när, vilket användarnamn som användes och hur länge den IP adressen kommer att vara låst.

Den här demon resulterade i det här mailet till mig som sysadmin.

syspeace alert mail

Ämne :Syspeace Alert from JUFCORP\EUROPA, IP ( [Internal or reserved address] blocked until 2015-03-01 20:22:00

Blocked address ( [Internal or reserved address] 2015-03-01 20:22:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:00:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-03-01 18:21:43 syspeacevideo
2015-03-01 18:21:40 syspeacevideo
2015-03-01 18:21:41 syspeacevideo
2015-03-01 18:21:38 syspeacevideo
2015-03-01 18:21:39 syspeacevideo


Hur Syspeace stoppar en hackeratattack

Den här videon är ett försök att visa hur det fungerar med Syspeace.

Det här är vad vi ser på skärmen:
Kontunierlig ping mot servern (högst upp till vänster)
Den lokala IP adressen (mitten)

De andra fönstren visar olika typer av inloggningar mot tjänster på den servern, i det här fallet FTP Server, SMTP på port 25, Webserver, Webmail.

Jag börjar med att visa att jag når alla tjänsterna normalt och får en inloggning normalt och kan visa websidor som är min hemsida h

Sedan startar jag medvetet en lösenordsattack med net use mot servern för att få Syspeace att hantera attacken.
När blockeringen träder i kraft så ser man hur ping slutar svara och jag når inte heller några av de andra tjänsterna jag nådde innan .
Jag som hacker är alltså helt utelåst från all kommunikation mot servern mot alla tjänster och det jag inte kan kommunicerra med kan jag inte helelr attackera.

Alla tjänster är dock fullt nåbara för alla andra så servern fungerar fortfarande precis som den ska mot kunder och anställda så de inte drababs av attacken som att få konton utelåsta eller tjänster som upphör fungera.
Jag försöer visa det genom att byta IP adress och nå tjänsterna igen vilket fngerar alldeles normalt igen

Se videon här

Kontakta mig för möte eller frågor om Syspeace

Installera skydd mot lösenordsattacker på Windows med Syspeace

Att installera och konfigurera Syspeace för Windows

backup disaster recovey konituitetsplaner IT säkerhet molntjänster syspeace

Att sätta upp skydd mot lösenordsattacker mot Windows med Syspeace är väldiigt enkelt och snabbt och finns att testa gratis i 30 dagar.

Syspeace är ett intrångsskydd för Windows som är specialiserat på att hantera lösenordsattacker / ordboksatattacker mot Windows och Windows Server. Microsoft Exchange och Exchange OWA, Terminal Server, Remote Desktop Server, Sharepoint, SQL Server och mer.

Förbereda Windows / Windows Server

I ett första steg aktiverar jag loggning av inloggningar på datorn / servern.
Nästa steg är att slå på bransdväggen på alla profiler dvs domän, privat och hemma.
Man behöver även ha senaste .Net installerat.

Ladda ner och installera Syspeace

Ladda ner Syspeace , i det här fallet från JufCorp Downloads och startar installationen. Syspeace finns även att hämta på

Skapa konto med giltig mailadress och registrera

Efter installationen gått klart startar jag Syspeace GUI, registrerar ett konto och får min licensnyckel mailad till mig och aktiverar den.

Konfigurera larm från Syspeace

Det här sista stegetr är egentligen inget krav men de flesta sätter ändå upp det för att se att det blockeras attacker.
Som ett sista steg sätter jag upp vilken mailserver jag vill använda för att få larm om blockeringar och licensinformation
Ja anger också till vilken mail adress jag vill de ska skickas och efter det är installationen av och konfigurationen av Syspeace är klart.

Syspeace är nu installerat som en Windows tjänst och kommer startas automatiskt även när datorn/serevrn startas om.
Gränssnittet är bara för att ändra inställningar som t.ex. skapa andra regler för blokeringar eller skapa rapporter med Syspeace Access Reports

Syspeace stödjer Windows 7,8,8.1,
Windows Serevr 2003, 2008, 2008 R2,2012, 2012 R2 och alla SBS (Small Business Server) versionerna av dessa.

Kontakta mig för möte

Skydda FTP Server från lösenordsattacker

Skydda FTP Server från lösenordsattacker

backup disaster recovey konituitetsplaner FTP Server IT säkerhet molntjänster syspeace
Ett vanligt sätt att ge kunder tillgång till data, eller ha sitt data hemma tillgängligt, är att sätta upp en FTP Server.
En av de vanligaste torde vara FileZilla FTP Server som är gratis eller att använda den inbyggda FTP Servern i Microsoft IIS.

Det är klokt att ytterligare säkra upp sin FTP med SSL certifikat för att skydda inloggningsinformationen från avlyssning men även om man gör detta så finna själva inkggingsporten där och hackers kommer att försöka komma åt den.

Det är även klokt att dölja vilken version av FTP man kör som ett generellt tips. dvs ta bort headerinformationen för att göra det svårare för en hacker att lista ut vilka sårbarheter som just er FTP server har.

Lösenordssattacker mot FTP

Lösenordsattacker bygger helt enkelt på principen att en hacker försöker gissa sig till ett giltigt användarnamn och lösenord med hjälp av automatiserade verktyg.
En attack kan vara allt från några hundra försök till flera tusen och även från flera hundra eller tusen IP adresser samtidigt.

I FileZilla finns ett enklare inbyggt skydd mot lösenrdsattacker på just bara FTP nivå medan det i Microsoft IIS FTP i princip inte går att skydda sig mot dessa. Se t.ex. den här artikeln om lösenordsattacker på Wndows.

Syspeace för FTP server

Med hjälp av Syspeace och medföljande s.k. detectors kan man enkelt och snabbt sätta upp sin FTP server att även skyddas av Syspeace.

Vid en attack kommer angriparens IP adress att helt låsas ute på servern från all kommunikation vilket gör att du i ett svep även skyddar alla andra tjänster som är aktiva på servern / datorn.

Som systemadministratör får du ett mail varje gång en attack låses ute med enkel och överskådlig information som från vilken IP adress och DNS namn attacken gjordes, vilket land och vilket användarnamn som de försökte använda. Här är ett exenpel på ett sånt larm

Blocked address *.*.*.* (*.*.*) [Vietnam] 2015-02-23 14:53:00 Rule used:
Type of block: FileZilla FTP
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-02-23 12:52:32 administrator
2015-02-23 07:56:23 admin
2015-02-23 05:02:39 guest
2015-02-20 22:09:46 anonymous
2015-02-20 22:09:45

Syspeace detectors

Till Syspeace finns idag ett flertal färdiga detectors för FTP, IIS FTP, WordPress och även stöd för .NET , ASP , PHP för utvecklare av webbsidor som vill skydda inloggningar med hjälp av Syspeace istället för att behöva skriva all logik och historikhantering själva.

Kontakta mig för möte