Syspeace Blog Posts

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

Syspeace vs CyberarmsA few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid.¬†I ran into a Swedish development company by coincidence and I told them about my idea, showed them som proofs of concepts and we decided to create this product together and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. Anyaway, this post isn’t about that really. Not getting into how I feel about that but I’m sure you can imagine.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, the eventid 4625 in the Windows Securitylog didn’t record the source IPaddress, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes stuff fareasier if you’re hosting Terminal Servers (Remotdesktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing but I don’t know really ) so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. A few things to consider here though and you really might want to think about them before implementing Cyberarms IDDS on larger scale.

Syspeace vs Cyberarms

First of all , the notification email you get from Cyberarms contains far too little information for it to be useful in a¬†datacenter environment or at a Cloud Service provider. If you’re simplt protecting your PC at home, sure but if your’re¬†mmanaginfg a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address xxx.xxx.xxx.xxx has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see Geopgraphical information and the login name used in order to know whether it’s an actual¬†attempt to use valid usernames and access data or if it’s just an automated “background noice attack”.¬†With that said, do not underestimate those background nice attacks since they do use up resources like CPU and RAM on your¬†servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noice”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a¬†customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP¬†address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though , there is a default mechanism for also keeping track of succesful logins and with some builtin logic, actuallynot banning the IP address if someone else succeeds with their login attempt from behind that same firewall.¬†The toought behind it is of course to minimize false positives and hopefully not blocking your customers from your services.¬†It’s not foolproof but it works well enough.

In Sypeace, the rules you can set are also more flexible including parameters such as a time window. This is very useful for¬†you to catch “slow grinding” attempts meaning hackers that want to stay under the radar for products such as Syspeace and¬†Cyberarms.

Cyberarms does not have access reports built in to it like it’s built into Sysepace which from time to time can be very useful for a sysadmin.

When you starting up Cybrarms intiially, no agents are activated by default so there’s more of a “how-to” tip for you.

Cyberarms doesn’t not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built in flaw at the moment making it’s database grow above it’s limit of 4 GB in some scenarios but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUIless servers is another quiestion. My guess is that they bort need to be rewritten. None of them support a central managemant interface wich would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sutre there will be such a feature in either on of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and build a great product together. In fact, I’m sure an even greater product can be built for these things and and adjacent things ¬†so if anyone’s up a for it, I’m game.I have quite a few ideas for new functionality and features for such a product already..or who knows,I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but truth told,¬†I’m not a good developer really. I have ideas and I know how it should work but getting to the actual coding would just take¬†to much time for me.

Anyway … Here’s how I’m using both of them at the same time for now anyway
I have the set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address 182.184.78.244 (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace , getting it to catch those SSL/TLS

attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address 155.207.18.189 was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin meaning for me to actually deal with it, I need to manually find out from where the attack originated, what username was used in order to¬†decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get¬†better notifications with more information but that shlould be built into the software really looking more like the Syspeace alerts.

The Syspeace notification isn’t prefect either but it is far better. I would also like to see what port was targeted and what¬†process was targeted, i.e the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports so I thought I’d also incklude one of each from the same server and the same time window. I think you’ll noticed the difference and ralize why the SSL/TLS functionality is so crucial to have in place

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
23.236.77.157 1 XS2323677157; United States (US)
47.34.65.227 1 47-34-65-227.dhcp.stls.mo.charter.com; United States (US)
52.14.84.148 6 ec2-52-14-84-148.us-east-2.compute.amazonaws.com; United States (US)
73.37.131.61 1 c-73-37-131-61.hsd1.mn.comcast.net; United States (US)
89.247.148.40 1 i59f79428.versanet.de; Germany (DE)
119.59.80.66 1 119-59-80-66.rdns.afghan-wireless.com; United States (US)
151.54.163.83 1 ; Italy (IT)
183.250.25.70 1 ; China (CN)
185.94.99.245 1 ; Iran, Islamic Republic of (IR)
189.26.112.234 2 corporativo.gvt.net.br; Brazil (BR)
193.34.9.171 1 nlink.nesso.ru; Russian Federation (RU)
202.104.33.34 1 ; China (CN)
203.146.142.62 1 ; Thailand (TH)
213.87.96.182 1 host.mrdv-1.mtsnet.ru; Russian Federation (RU)
213.136.87.8 1 vms8.riseforce.net; Germany (DE)
222.184.121.194 1 ; China (CN)
222.209.233.89 1 89.233.209.222.broad.cd.sc.dynamic.163data.com.cn; China (CN)

//  I Have removed the hourly breakdown opart from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0

 

Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts
1.192.144.148 1
104.43.19.172 1
118.69.171.47 1
146.185.239.117 1
149.3.47.190 1
169.50.7.234 1
200.2.192.186 1
207.225.237.110 1
208.44.83.36 1
209.249.81.231 1
211.72.12.36 1
212.175.49.50 1
212.92.127.126 1
213.89.246.166 1
217.208.101.73 1
217.23.11.249 1
217.8.84.31 1
223.25.241.88 1
37.0.20.79 1
39.109.11.209 1
5.150.237.244 1
50.193.208.177 1
50.203.20.67 1
54.243.236.34 1
68.44.212.144 1
70.169.12.6 1
75.71.25.220 1
78.188.193.185 1
8.21.216.2 1
80.82.77.34 1
82.80.252.200 1
83.137.55.249 1
85.105.245.147 1
88.99.8.164 1
91.121.64.15 1
91.200.12.75 1
91.215.120.225 1
92.51.70.248 1
94.43.33.178 1
96.80.87.202 1
98.101.132.98 1
104.185.131.1 2
12.201.134.132 2
173.226.255.254 2
185.56.82.58 2
197.242.149.19 2
208.184.124.150 2
216.162.88.19 2
216.236.16.89 2
217.34.0.133 2
5.175.0.111 2
63.253.50.210 2
66.229.43.193 2
68.15.114.164 2
76.71.75.79 2
83.69.223.227 2
85.72.58.154 2
96.80.60.1 2
98.112.92.39 2
108.242.76.81 3
178.208.128.131 3
206.252.196.162 3
210.109.189.218 3
217.34.0.135 3
75.127.164.214 3
90.168.232.247 3
108.60.96.19 4
117.218.128.22 4
12.30.90.162 4
208.78.220.145 4
208.81.109.6 4
23.102.44.152 4
38.88.150.106 4
40.85.92.80 4
52.187.36.243 4
52.228.35.94 4
52.228.40.215 4
52.228.42.136 4
66.64.166.178 4
66.84.140.17 4
91.183.212.73 4
144.139.207.212 5
212.83.168.244 5
213.136.87.8 5
216.162.88.62 5
217.148.113.118 5
217.91.224.26 5
222.184.121.194 5
23.235.162.34 5
23.236.77.157 5
52.228.46.46 5
67.55.103.188 5
73.37.131.61 5
85.93.93.116 5
89.30.240.164 5
98.103.178.186 5
119.59.80.66 6
183.250.25.70 6
185.94.99.245 6
189.26.112.234 6
202.104.33.34 6
203.146.142.62 6
212.170.198.61 6
213.87.96.182 6
222.209.233.89 6
46.185.117.106 6
89.247.148.40 6
108.58.0.234 7
109.73.46.130 7
12.199.176.194 7
121.161.141.239 7
151.54.163.83 7
155.133.82.102 7
159.122.106.114 7
159.253.26.77 7
169.50.22.186 7
185.130.226.42 7
185.93.183.218 7
185.94.193.75 7
190.145.28.67 7
193.34.9.171 7
193.86.185.50 7
198.23.210.133 7
199.167.138.110 7
201.161.36.162 7
201.18.18.151 7
211.52.64.52 7
213.136.79.237 7
218.60.57.131 7
27.254.150.30 7
35.156.247.241 7
35.157.110.187 7
47.88.33.114 7
5.122.136.4 7
5.196.215.194 7
59.175.128.108 7
64.110.25.6 7
69.166.130.134 7
79.120.40.185 7
83.110.74.36 7
84.55.94.211 7
89.185.246.67 7
89.185.246.79 7
89.185.246.95 7
91.218.112.173 7
94.102.51.124 7
94.107.233.189 7
94.142.142.156 7
121.175.229.89 8
125.227.100.10 8
141.255.188.47 8
155.133.82.50 8
185.109.255.12 8
185.109.255.13 8
213.124.64.27 8
31.44.191.8 8
47.34.65.227 8
47.90.16.194 8
52.233.26.114 8
62.210.244.44 8
65.61.102.251 8
76.70.18.47 8
80.82.79.228 8
83.136.86.179 8
104.160.176.45 9
109.228.26.93 9
114.34.79.103 9
116.125.127.101 9
170.161.62.42 9
172.245.222.8 9
173.10.107.141 9
173.74.198.161 9
178.159.36.150 9
185.159.145.26 9
194.61.64.252 9
198.27.119.249 9
207.233.75.39 9
212.86.108.191 9
23.249.224.189 9
31.145.15.3 9
37.46.255.63 9
37.75.11.86 9
40.139.95.146 9
5.135.7.98 9
5.39.222.19 9
50.243.143.129 9
52.174.36.251 9
52.187.37.144 9
52.232.112.92 9
58.221.59.22 9
78.154.13.222 9
91.211.2.20 9
95.154.22.236 9
144.130.57.185 10
50.247.156.86 10
74.95.221.25 10
194.17.59.90 11
93.174.93.162 11
118.34.230.5 12
213.179.6.49 12
43.254.126.10 12
103.54.250.94 13
174.4.72.229 13
146.0.74.126 14
203.128.240.130 14
5.39.223.166 14
2.139.204.18 17
74.203.160.89 17
93.115.85.228 17
185.159.36.122 18
195.154.52.156 18
24.249.158.60 18
31.184.197.6 18
52.14.84.148 19
185.70.186.140 21
119.145.165.86 23
91.211.2.109 54
Total 1371
Soft locks by IP address
Client IP Soft locks
108.58.0.234 1
109.73.46.130 1
12.199.176.194 1
12.201.134.132 1
121.175.229.89 1
144.130.57.185 1
155.133.82.102 1
155.133.82.50 1
159.122.106.114 1
159.253.26.77 1
169.50.22.186 1
173.226.255.254 1
185.130.226.42 1
185.93.183.218 1
185.94.193.75 1
190.145.28.67 1
193.86.185.50 1
197.242.149.19 1
198.23.210.133 1
199.167.138.110 1
201.161.36.162 1
201.18.18.151 1
208.184.124.150 1
211.52.64.52 1
213.136.79.237 1
216.162.88.19 1
217.34.0.133 1
218.60.57.131 1
27.254.150.30 1
35.156.247.241 1
35.157.110.187 1
43.254.126.10 1
47.88.33.114 1
47.90.16.194 1
5.122.136.4 1
5.196.215.194 1
59.175.128.108 1
62.210.244.44 1
63.253.50.210 1
64.110.25.6 1
66.229.43.193 1
68.15.114.164 1
68.44.212.144 1
69.166.130.134 1
76.71.75.79 1
79.120.40.185 1
83.110.74.36 1
84.55.94.211 1
89.185.246.67 1
89.185.246.79 1
89.185.246.95 1
91.218.112.173 1
93.174.93.162 1
94.102.51.124 1
94.107.233.189 1
94.142.142.156 1
96.80.60.1 1
98.112.92.39 1
104.160.176.45 2
108.60.96.19 2
109.228.26.93 2
114.34.79.103 2
116.125.127.101 2
12.30.90.162 2
141.255.188.47 2
146.0.74.126 2
170.161.62.42 2
172.245.222.8 2
173.10.107.141 2
173.74.198.161 2
178.159.36.150 2
185.109.255.12 2
185.109.255.13 2
185.159.145.26 2
194.61.64.252 2
198.27.119.249 2
2.139.204.18 2
206.252.196.162 2
207.233.75.39 2
208.78.220.145 2
208.81.109.6 2
212.86.108.191 2
213.124.64.27 2
217.34.0.135 2
23.102.44.152 2
23.249.224.189 2
31.145.15.3 2
31.44.191.8 2
37.46.255.63 2
37.75.11.86 2
38.88.150.106 2
40.139.95.146 2
40.85.92.80 2
5.135.7.98 2
5.39.222.19 2
5.39.223.166 2
50.243.143.129 2
50.247.156.86 2
52.14.84.148 2
52.174.36.251 2
52.187.36.243 2
52.187.37.144 2
52.228.35.94 2
52.228.40.215 2
52.228.42.136 2
52.232.112.92 2
52.233.26.114 2
58.221.59.22 2
65.61.102.251 2
66.64.166.178 2
66.84.140.17 2
78.154.13.222 2
80.82.79.228 2
83.136.86.179 2
91.211.2.20 2
95.154.22.236 2
118.34.230.5 3
185.70.186.140 3
24.249.158.60 3
119.145.165.86 4
185.159.36.122 4
195.154.52.156 4
31.184.197.6 4
93.115.85.228 4
91.211.2.109 12
Total 215
Hard locks by IP address
Client IP Hard locks
104.160.176.45 1
104.43.19.172 1
108.60.96.19 1
109.228.26.93 1
114.34.79.103 1
116.125.127.101 1
118.34.230.5 1
118.69.171.47 1
119.145.165.86 1
12.201.134.132 1
12.30.90.162 1
170.161.62.42 1
172.245.222.8 1
173.10.107.141 1
173.226.255.254 1
173.74.198.161 1
178.159.36.150 1
185.159.145.26 1
194.61.64.252 1
197.242.149.19 1
198.27.119.249 1
2.139.204.18 1
200.2.192.186 1
207.225.237.110 1
207.233.75.39 1
208.184.124.150 1
208.78.220.145 1
208.81.109.6 1
209.249.81.231 1
212.86.108.191 1
216.162.88.19 1
217.34.0.133 1
217.34.0.135 1
223.25.241.88 1
23.102.44.152 1
23.249.224.189 1
31.145.15.3 1
37.46.255.63 1
37.75.11.86 1
38.88.150.106 1
40.139.95.146 1
40.85.92.80 1
5.135.7.98 1
5.39.222.19 1
50.193.208.177 1
50.203.20.67 1
50.243.143.129 1
50.247.156.86 1
52.174.36.251 1
52.187.36.243 1
52.187.37.144 1
52.228.35.94 1
52.228.40.215 1
52.228.42.136 1
52.232.112.92 1
54.243.236.34 1
58.221.59.22 1
63.253.50.210 1
66.64.166.178 1
66.84.140.17 1
68.15.114.164 1
78.154.13.222 1
8.21.216.2 1
91.211.2.20 1
93.115.85.228 1
95.154.22.236 1
96.80.60.1 1
98.101.132.98 1
98.112.92.39 1
185.159.36.122 2
195.154.52.156 2
31.184.197.6 2
52.14.84.148 2
91.211.2.109 6
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

#cybersecurity How to block a brute force attacks against Windows Servers, #MSExchange, Remote Desktop and more

Syspeace - intrusion prevention for Windows servers

How to block a brute force attack against Windows Servers, Exchnage Server, remote Desktop

If your server or datacenter is targeted by a brute force attack a.k.a dictionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.

However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 6,5 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Server including the webmail (OWA) and SMTP connectors, Citrix, Sharepoint,SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not constantly monitoring logfles.

On this blog, https://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

By Juha Jurvanen

Syspeace crashes / not starting due to database growth over 4 GB

Syspeace crashes / not starting due to database over 4 GB

Syspeace is a brute force prevention software for Windows Servers, Exchange Servers, RDS and more.

One issue with the current version of Syspeace is the scenario where the Syspeace GUI can’t be started and Syspeace crashes due to it’s database growing too large and here is why.

When the database called SCDB1.sdf (located in the Syspeace installation directory) grows above its built in limit of 4 GB, Syspeace stops working and the GUI can’t be started, nor does Syspeace block any new brute force attacks.
This is due to a limitations of database groxth and the way Syspeace stores entries within the database in the current version (2.5.2).

Here is a (blurry) picture of the error message. It’s basically a .Net error message saying that the database has grown larger than its built in limitation.

syspeace crashes database 4 gb

Solution / Workaround

The easiest way to workaround this limitation is to stop the Syspeace service and simply delete the database and set up your rules and settings again. This will mean setting up your whitelists, entering licensnumber, rules and so on.

Preparing for this scenario

It is easy to be prepared for this though. Simply export all of the Syspeace settings using the Syspeace GUI ( Export settings/ and click the “Check all” in the top right ) and keep the DefaultSettings.syspeaceSettings in the Syspeace installation folder. Remember to do this every time you apply changes to your settings.
This will ease the workaround-fix from the aspect that you only need to stop the Syspeace service,delete the database that and then restart Syspeace thus having it automatically import all of your settings.

There is also the advantage of being able to distribue the DefaultSettings.syspeaceSettings-file to other servers in case you have multiple installations or you’re planning on expanding your Syspeace usage.

Simply install Syspeace on the next server, copy the DefaultSettings.syspeaceSettings to the installation directory and your configuration is set to the same parameters as the first one, including whitelists, license number, email settings and so on.

By Juha Jurvanen

Sad to see Cyberarms fail

Sad to see Cyberarms fail

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Today, I had a look at the Cyberarms website since I of course like to see what’s going on out there. I liked some of their ideas and I did see potential in there.

To my surprise they have decided to quit developing Cyberams and also to completely halt their operations apart from licensing renewals.

Their deficit is 250 000 euro so that saddens me of course when any business venture fails.
It’s never just a job for people in my line of work and as a business owner I do know what the owners and CEO and everyone is going through. It’s absolutely horrible with sleepless nights, feeling of failure and everything.
To develop a product and a software, especially for a new kind of thinking in terms of security, and actually getting system administrators, CEOs, CTOs and so on to realize actually that it needs to be in place isn’t easy and it’s very important to keep track of costs and also to know that development is moving forward as expected.
It’s not always a good thing to be some of the first in their field. Especially to try to make it commercially. Having the right people , business plan and everything is crucial.

Still, the need for a good and stable brute force prevention software for Windows Servers is still just as valid and important as ever. If not even more, considering all the private and public cloud solutions that are emerging. For instance, remember, Syspeace was born out of necessity from the Cloud Service rCloud Office at Red Cloud IT in Sweden.

Cyberarms will release their source code to customers with more than 250 licenses so there is always the possibility that it will be developed further but most likely only for the use at those customers inhouse and for their own needs.
To uphold a software and keep developing it when written by someone else can be very time consuming indeed and as a developer you also need to get new ideas from the guys who had the original idea.
Even though the person with the idea isn’t the same one who actually writes the code, that person is still often the one with the vision and ideas for the next level and what it should actually be.

For obvious reasons I am prone to using Syspeace but it still made me sad to see Cyberarms fail.

In the case of Cyberarms, one of the unfortunate miscalculations was that there was a free version that blocked x amount of attacks per day. The rest weren’t blocked.
For some system administrators, that was enough (I don’t really see why that would be enough . I mean , let’s block these three attacks but let these other 50 keep going but .. anyway …. ) so Cyberarms basically gave away a semi-full protection thus not getting the licenses sold needed to be able to further develop the product and to keep marketing and staff and etc.

This was also discussed in the Syspeace team as a possible way to reach out to new customers but we decided to make it a fully functional trial instead since we did see the risk in what happened to Cyberarms would happen to Syspeace too i.e. people only using the free version and being content with the semi-full functionality.

So, as sad I am to see them go, hopefully this might at least have more users and sysadmins to have a look at Syspeace for Windows Server protection. Regardless if it’s RDP, Citrix, SQL, Exchaneg OWA and more. If it’s reachable, people will try to brute force it.
The problem is there and now there’s one less security software to choose from to protect from it.

Juha Jurvanen

NTLM settings and other fun labs searching for missing IP adresses in eventid 4625 or trying to get RemoteAPP to work well with RD Client on iPad, Android and even Windows!

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Using SSL causes mssing IP adresses in eventid 4625 and to get them back .. disable NTLM ? Nope. Not really an option

Today I took me a lab day to actually sit down and spend time with the NTLM settings and the RDWEB and try it out on various platforms and do some more or less scientific testing.
In short, I’√§m not impressed by how Micropsoft has actually implemented parts of ther stuff..

I used Windows 10, RD Client for IOS and RD Client for Android. The server infrastructure was a Windows Server 2008 R2 with valid SSL certficates for all services.

The underlying problem is basiaclly that if you use an SSL certificate for your RDP connections , failed logins aren’t correctly dispalyd , i.e. your missing IP adresses in eventid 4625. (When not using an SSL certficate , it is recorded but then your users and customers get a lot of warnings when connecting to your servers and some things just don√§t work very well sucha as the Webfeed for RD Web)

Syspeace is a Host Intrusion Prevention Software that uses this inormation about the source IP address to block brute force attacks against Windows Servers.

One way around this is to disable incoming NTLM traffic and sure enought , all IP addresses are recorded.

The downside is .. only “full” RDP connections will work meaning that for instance connections to a server desktop works fine but if you’re really into RemoteAPP (and that’s the way I want to go and a lot of tekkies with me) you’ll be running into problems.
And, by th way.. frankly, full desktop session don’t work either from IOS (at least remote Desktop Client 8.1.13 and my iPad, they do from Android though, same server, same username and so on)

Not even Windows really working correctly when disabling NTLM ?

I also did some testing for fun by creating a .wcx file and oddly enough. In order to get that to actually work with Windows 10 (and I’m guessing it’s the same for Windows 7 and so on ) , It just refuses to connect to the RemoteApp service if incoming NTLM is disabled.
I can howerver start a normal Desktop Session against the server so, what I would claim is that the fault is actually within RD Web and the way it handles authentication, requiring some parts to be using NTLM.
The usual RD Web login interface works so far that I can login and see the resources but I can’t start any applications from it. No errors, nothing.
If enabling NTLM, I can start the applications just fine. Once again. NTLM has to be enabled in order for full functionality ūüôĀ

So, basically, if I change the policy settings for the RD Server not to allow incoming NTLM traffic in order to be able to actually handle a bruteforce attack and also keep track of failed logins with informaion that’s actually useful for me as a sysadmin and CSO

These are by the way the settings I’m referring to

Computer Configuration\Windows Settings\Security Settings\Security Options

‚Äď Network security: LAN Manager authentication level ‚ÄĒ Send NTLMv2 response only. Refuse LM & NTLM
‚Äď Network security: Restrict NTLM: Audit Incoming NTLM Traffic ‚ÄĒ Enable auditing for all accounts
‚Äď Network security: Restrict NTLM: Incoming NTLM traffic ‚ÄĒ Deny all accounts

Regardless of how I try, I can’t get it to work to actually add remoteapp resources (or Remote Resource Feed) neither Windows 10, nor IOS, nor Android.

So, what are the implications of this ? Does it matter ? Do we need the source IP address in 4625?

First of all, the way this is handled within Windows Server is an absolut nightmare and frankly, just usesless and I can’t see any reason for Microsoft developers to leave the IP address out when using SSL certificates or at least have another entry in the eventlog for it containg useful information.
It’s not possible to handle brute force attacks natievly within Windows Server as I’ve written about many times earlier.

The biggest problem is of course that if someone tries to bruteforce your server, then how will you stop the attack ? How do you gather evidence ?
If your’e running a larger server environment and hosting customers and so on , you’ll have no way of knowing what attempts are legitimate customers and user and which ones aren’t really.
You can hardly shut down your services can you ?

At the moment , I don’t have a good solution to this problem. Syspeace catches lots and lots of bruteforce attacks for me but these ones it can’t since it doesn’t have any IP address to block.
I’m just hoping for Microsft to actually solve this on the server side since that would be the easiest fix for them I’d say.
Of course they also neeed to get the RDP clients working for all platforms but basically it should be working with NTLM2 at least and also to log the failed logon request correctly if using an SSL certficate. Anthing else is just pure madness and stupidity to be honest and someone should get fired for not thinking ahead.

By Juha Jurvanen @ JufCorp

Troubleshooting Syspeace

Syspeace

syspeace – intrusion prevention for Windows serevr

 

<h2>From the  Troubleshooting Syspeace manual and a few new added entries   </h2>

So, as a general troubleshooting Syspeace  tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.

The usual troubleshooting tips we give are described in the manual in the troubleshooting section

1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)

4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn‚Äôt find any, there is not much that Syspeace can do.

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester “anypassword”

9. If you want to submit logs to us, start Syspeace, go to Management ‚Üí System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual

11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article

12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. in the upcoming version this has been fixed.

by Juha Jurvanen

Brute force attacks prevention on Exchange Webmail OWA with Syspeace

Syspeace icon

Syspeace icon

Syspeace – Preventing brute force attacks against Microsoft Exchange Server and OWA Webmail

If you’re running Microsoft Exchange Server your also quite likely to have the Microsoft Exchange OWA (Webmail)
interface up & running to enable your users to use Activesync and access their email, calendars and contacts
over an easy-to-use web interface accessible over the Internet. This is just as relevant if you’re managing your
own Exchange Server or if it is a hosted Exchange at a service provider. If your provider doesn’t have a
solution for this, you may find yourself in a very difficult situation one day as explained further down.
Since the Exchange Webmail (OWA) is reachable and visible over the Internet, this of course also means that
anyone is able to try to log in to your Exchange server over the same OWA interface. They may not succeed to
login but they may try to overload your server by sending lots of login request or have your users undergo a
Denial of Service attack (a DoS attack).

Brute force attacks used as Denial of Service attacks

The OWA in itself (or does Windows Server for that matter) doesn’t have any brute force prevention mechanisms
built into it but the actual user validation is done within the Active Directory infrastructure by your domain
controller(s). Within the Microsoft line of products this is actually true for most of them such as Terminal
Server (RDS, Remote Desktop), Sharepoint, SQL Server and so on and also for Citrix since user validation is done
in the same way.
If you have for instance set up Account Lockout Policies to disable a user account after 5 failed attempts ,
anyone with knowledge of your name standards (email addrees, AD login) can basically run a script against the
server using a specicif username (or hundreds of them) and deliberatley usoing wrong passwords, thus locking the
legitimate users account and disabling them from loging in at all (in essence, they can’t even login to anything
that uses the Active Directory validation, not even their own workstations in the Office)
If such an attack is made from a single IP address, it is fairly easy to block it manually (simply block the
attack in either the external firewall or the local firewall of the Exchange server).
In reality though, this is not how such an attack occurs. Should someone really want to disrupt ypur services,
they will do this from hundreds or thousands computers at the same time and making it impossible to block
manually.

Using Syspeace as a countermeasure

With Syspeace , this is all taken care of automatically. Syspeace monitors the Windows Serevr logs for failed
login requests and if an IP address tries to login against your servers ( Exchange, Terminals Server and so on)
and fails for instance 5 times within half an hour, the IP address is automatically blocked from communicating
at all with the affected server on any level (so if you’re also running other services , they will not be able
to target them either once blocked).
Each attack is blocked, traced and reported via email that contains the source IP address, the username used,
country of origin and previous attacks from the same IP address.

Here is actually an example of how the email notification looks like (with IP address and domain name intentionally removed)
Blocked address *.*.*.* (ip-*-*-*-*.*.secureserver.net) [United States] 2015-01-14 18:45:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-01-14 16:44:50 ****lab
2015-01-14 16:44:52 ****labroator
2015-01-14 12:53:44 ****ron
2015-01-14 12:53:46 ****demo
2015-01-14 12:53:48 ****canon

Syspeace also delivers daily and weekly reports of blocked threats.

Within Syspeace, there is also reporting tools for access reports, a Global Blacklist for infamous offenders and
much more.

Installing and setting up Syspeace

Setting up Syspeace is very easy and only takes a couple of minutes, without the need for changing your
infrastructure or bying very expensive dedicated hardware. Most likely , you will not even need to hire a
consultant for it.

Syspeace runs as Windows Service and support a variety of Windows Servers such as Terminal Server, Exchange Server, Sharepointm Windows Serevr 2003 to Windows Serevr 2012 R2 and more and it starts detecting brute force attacks immediately after you set it up and press the start button.

Please download a free, fully functional 30 trial from http://www.syspeace.com/free-download/download-plus-
getting-started-with-syspeace/
and see for yourself how a very big problem can be very easily solved.
Should you decide to keep using Syspeace, the licensing cost is equivalent to an antivirus product and the
licensing model is highly flexible, enabling you to decide for yourself ofor how long you wish to run Syspeace.

Syspeace - intrusion prevention for Windows servers

Syspeace website

#msexchange Brute force attacks prevention on #Webmail #OWA with #Syspeace #hacking #security

Syspeace icon

Syspeace icon

Preventing brute force attacks against Microsoft Exchange Server and OWA Webmail

If you’re running Microsoft Exchange Server your also quite likely to have the Microsoft Exchange OWA (Webmail)
interface up & running to enable your users to use Activesync and access their email, calendars and contacts
over an easy-to-use web interface accessible over the Internet. This is just as relevant if you’re managing your
own Exchange Server or if it is a hosted Exchange at a service provider. If your provider doesn’t have a
solution for this, you may find yourself in a very difficult situation one day as explained further down.
Since the Exchange Webmail (OWA) is reachable and visible over the Internet, this of course also means that
anyone is able to try to log in to your Exchange server over the same OWA interface. They may not succeed to
login but they may try to overload your server by sending lots of login request or have your users undergo a
Denial of Service attack (a DoS attack).

Brute force attacks used as Denial of Service attacks

The OWA in itself (or does Windows Server for that matter) doesn’t have any brute force prevention mechanisms
built into it but the actual user validation is done within the Active Directory infrastructure by your domain
controller(s). Within the Microsoft line of products this is actually true for most of them such as Terminal
Server (RDS, Remote Desktop), Sharepoint, SQL Server and so on and also for Citrix since user validation is done
in the same way.
If you have for instance set up Account Lockout Policies to disable a user account after 5 failed attempts ,
anyone with knowledge of your name standards (email addrees, AD login) can basically run a script against the
server using a specicif username (or hundreds of them) and deliberatley usoing wrong passwords, thus locking the
legitimate users account and disabling them from loging in at all (in essence, they can’t even login to anything
that uses the Active Directory validation, not even their own workstations in the Office)
If such an attack is made from a single IP address, it is fairly easy to block it manually (simply block the
attack in either the external firewall or the local firewall of the Exchange server).
In reality though, this is not how such an attack occurs. Should someone really want to disrupt ypur services,
they will do this from hundreds or thousands computers at the same time and making it impossible to block
manually.

Using Syspeace as a countermeasure

With Syspeace , this is all taken care of automatically. Syspeace monitors the Windows Serevr logs for failed
login requests and if an IP address tries to login against your servers ( Exchange, Terminals Server and so on)
and fails for instance 5 times within half an hour, the IP address is automatically blocked from communicating
at all with the affected server on any level (so if you’re also running other services , they will not be able
to target them either once blocked).
Each attack is blocked, traced and reported via email that contains the source IP address, the username used,
country of origin and previous attacks from the same IP address.

Here is actually an example of how the email notification looks like (with IP address and domain name intentionally removed)
Blocked address *.*.*.* (ip-*-*-*-*.*.secureserver.net) [United States] 2015-01-14 18:45:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-01-14 16:44:50 ****lab
2015-01-14 16:44:52 ****labroator
2015-01-14 12:53:44 ****ron
2015-01-14 12:53:46 ****demo
2015-01-14 12:53:48 ****canon

Syspeace also delivers daily and weekly reports of blocked threats.

Within Syspeace, there is also reporting tools for access reports, a Global Blacklist for infamous offenders and
much more.

Installing and setting ups Syspeace

Setting up Syspeace is very easy and only takes a couple of minutes, without the need for changing your
infrastructure or bying very expensive dedicated hardware. Most likely , you will not even need to hire a
consultant for it.

Syspeace runs as Windows Service and support a variety of Windows Servers such as Terminal Server, Exchange Server, Sharepointm Windows Serevr 2003 to Windows Serevr 2012 R2 and more and it starts detecting brute force attacks immediately after you set it up and press the start button.

Please download a free, fully functional 30 trial from http://www.syspeace.com/free-download/download-plus-
getting-started-with-syspeace/
and see for yourself how a very big problem can be very easily solved.
Should you decide to keep using Syspeace, the licensing cost is equivalent to an antivirus product and the
licensing model is highly flexible, enabling you to decide for yourself ofor how long you wish to run Syspeace.

Syspeace - intrusion prevention for Windows servers

Syspeace website

Syspeace, SHA-2 certificates and Windows Server 2003 | Syspeace

http://www.syspeace.com/news/syspeace,-sha-2-certificates-and-windows-server-2003/

#infosec How to block an ongoing dictionary attack / brute force attack against Windows Servers, #MSexchange and more

Syspeace - intrusion prevention for Windows servers

Syspeace website

How to block an intrusion attack against Windows Servers for free

If your server or datacenter is targeted by a brute force attack a.k.a dicttionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.
However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 3.6 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simmply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Serevr including the webmail (OWA) , Citrix, Sharepoint,
SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not¬† constantly monitoring logfles.

On this blog, http://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

%d bloggers like this: