Archives for brute force prevention. syspeace

Syspeace crashes / not starting due to database growth over 4 GB

Syspeace is a brute force prevention software for Windows Servers, Exchange Servers, RDS and more.

One issue with the current version of Syspeace is a scenario where the Syspeace GUI can’t be started and Syspeace crashes because its database has grown too large. Here is why.

When the database called SCDB1.sdf (located in the Syspeace installation directory) grows above its built-in limit of 4 GB, Syspeace stops working: the GUI can’t be started, and Syspeace no longer blocks any new brute force attacks.
This is due to a limitation on database growth and the way Syspeace stores entries within the database in the current version (2.5.2).

Here is a (blurry) picture of the error message. It’s basically a .Net error message saying that the database has grown larger than its built in limitation.

Solution / Workaround

The easiest way to work around this limitation is to stop the Syspeace service, simply delete the database, and set up your rules and settings again. This means re-entering your whitelists, license number, rules and so on.

Preparing for this scenario

It is easy to be prepared for this, though. Simply export all of the Syspeace settings using the Syspeace GUI (Export settings, then click “Check all” in the top right) and keep the DefaultSettings.syspeaceSettings file in the Syspeace installation folder. Remember to do this every time you apply changes to your settings.
This makes the workaround much simpler: you only need to stop the Syspeace service, delete the database, and then restart Syspeace, which automatically imports all of your settings.

There is also the advantage of being able to distribute the DefaultSettings.syspeaceSettings file to other servers in case you have multiple installations or you’re planning on expanding your Syspeace usage.

Simply install Syspeace on the next server, copy the DefaultSettings.syspeaceSettings to the installation directory and your configuration is set to the same parameters as the first one, including whitelists, license number, email settings and so on.
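The following PowerShell is an added example, not Syspeace’s own tooling. It reports how close SCDB1.sdf is to the 4 GB limit, whether the service is running and whether a settings export exists, and wraps the stop / remove database / restart workaround described above so it refuses to run without an export. The file names and the default install path come from these posts; the service name 'Syspeace' is an assumption to verify with Get-Service.

```powershell
# Added example, not Syspeace's own tooling. SCDB1.sdf, the 4 GB limit and the
# default install path come from the posts; the service name 'Syspeace' is an
# assumption, so check it with Get-Service before use.
$InstallDir   = 'C:\Program Files\Treetop\Syspeace'
$ServiceName  = 'Syspeace'                # assumed
$DbPath       = Join-Path $InstallDir 'SCDB1.sdf'
$SettingsPath = Join-Path $InstallDir 'DefaultSettings.syspeaceSettings'
$WarnBytes    = 3.5GB                     # alert well before the 4 GB hard limit

function Test-SyspeaceDbHealth {
    # Returns the facts an operator needs: is the service up, how close is the
    # database to the limit, and is there an export to rebuild from.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $db  = Get-Item -LiteralPath $DbPath -ErrorAction SilentlyContinue
    $exp = Get-Item -LiteralPath $SettingsPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        DbGB          = if ($db) { [math]::Round($db.Length / 1GB, 2) } else { 0 }
        DbNearLimit   = [bool]($db -and $db.Length -ge $WarnBytes)
        HasExport     = [bool]$exp
        ExportAgeDays = if ($exp) { ((Get-Date) - $exp.LastWriteTime).Days } else { $null }
    }
}

function Reset-SyspeaceDb {
    # The workaround from the post: stop the service, remove the database and
    # start again so Syspeace re-imports DefaultSettings.syspeaceSettings.
    # Refuses to run without an export, since whitelists, license and rules
    # would otherwise have to be re-entered by hand.
    if (-not (Test-Path -LiteralPath $SettingsPath)) {
        throw "No $SettingsPath found; export settings from the GUI first."
    }
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    # Move the old database aside instead of deleting it, so its attack history
    # is still available for investigation.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item -LiteralPath $DbPath -Destination "$DbPath.$stamp.bak" -Force
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).Status
}

$health = Test-SyspeaceDbHealth
$health
if ($health.DbNearLimit -or $health.ServiceStatus -ne 'Running') {
    Write-Warning 'Syspeace database near 4 GB or service not running; run Reset-SyspeaceDb.'
}
```

Run Test-SyspeaceDbHealth from a scheduled task so the service stopping blocking attacks is noticed before users report the GUI error.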

By Juha Jurvanen

Protect your FTP server from password attacks
A common way to give customers access to data, or to make the data you have at home reachable, is to set up an FTP server.
One of the most common choices is probably FileZilla FTP Server, which is free, or the built-in FTP server in Microsoft IIS.

It is wise to further secure your FTP with an SSL certificate to protect the login information from eavesdropping, but even if you do this the login port itself is still exposed and hackers will try to get at it.

As a general tip, it is also wise to hide which FTP version you are running, i.e. remove the header information, to make it harder for a hacker to figure out which vulnerabilities your particular FTP server has.

Password attacks against FTP

Password attacks are simply based on the principle that a hacker tries to guess a valid username and password with the help of automated tools.
An attack can be anything from a few hundred attempts to several thousand, and can also come from several hundred or thousand IP addresses at the same time.

FileZilla has a simple built-in protection against password attacks at the FTP level only, while in Microsoft IIS FTP it is essentially impossible to protect against them. See for example this article on password attacks on Windows.

Syspeace for FTP servers

With the help of Syspeace and the included so-called detectors, you can quickly and easily set up your FTP server to be protected by Syspeace as well.

During an attack, the attacker’s IP address is completely locked out from all communication with the server, which means that in one sweep you also protect all other services that are active on the server / computer.

As a system administrator you receive an email every time an attack is locked out, with simple and clear information such as which IP address and DNS name the attack came from, which country, and which usernames were tried. Here is an example of such an alert:

Blocked address *.*.*.* (*.*.*) [Vietnam] 2015-02-23 14:53:00 Rule used:
Type of block: FileZilla FTP
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-02-23 12:52:32 administrator
2015-02-23 07:56:23 admin
2015-02-23 05:02:39 guest
2015-02-20 22:09:46 anonymous
2015-02-20 22:09:45 anonymous@jufcorp.com
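As an added example that is not part of Syspeace, the PowerShell below turns an alert of the form shown above into an object with typed fields, so it can be forwarded to a SIEM or ticket system and the number of distinct usernames tried from one address can be counted. The sample text is constructed from the post above, with the address masked exactly as printed there.

```powershell
# Added example, not part of Syspeace: turns a blocked-address alert of the
# form shown above into an object for a SIEM or ticket system.
# $SampleAlert is constructed from the post; the address is masked as printed.
$SampleAlert = @'
Blocked address *.*.*.* (*.*.*) [Vietnam] 2015-02-23 14:53:00 Rule used:
Type of block: FileZilla FTP
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-02-23 12:52:32 administrator
2015-02-23 07:56:23 admin
2015-02-23 05:02:39 guest
2015-02-20 22:09:46 anonymous
2015-02-20 22:09:45 anonymous@jufcorp.com
'@

$Fmt = 'yyyy-MM-dd HH:mm:ss'
# Map the alert's labels to property names; TimeSpan fields use .NET "d.hh:mm:ss"
$Fields = @{ 'Type of block' = 'BlockType'; 'Rule name' = 'RuleName'
             'Trigger window' = 'TriggerWindow'; 'Occurrences' = 'Occurrences'
             'Lockout time' = 'LockoutTime' }

function ConvertFrom-SyspeaceAlert {
    param([Parameter(Mandatory)][string]$Text)
    $lines = @($Text -split "`r?`n" | Where-Object { $_.Trim() })
    if ($lines[0] -notmatch '^Blocked address (\S+) \((.*?)\) \[(.*?)\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)') {
        throw 'Unrecognised alert header'
    }
    $alert = [ordered]@{ Address = $Matches[1]; DnsName = $Matches[2]; Country = $Matches[3]
                         BlockedAt = [datetime]::ParseExact($Matches[4], $Fmt, $null)
                         Observations = @() }
    foreach ($l in $lines[1..($lines.Count - 1)]) {
        if ($l -match '^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$') {
            $alert.Observations += [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches[1], $Fmt, $null); UserName = $Matches[2] }
        } elseif ($l -match '^([^:]+): (.+)$' -and $Fields.ContainsKey($Matches[1])) {
            $name = $Fields[$Matches[1]]; $v = $Matches[2]
            if ($name -eq 'Occurrences') { $v = [int]$v }
            elseif ($name -in 'TriggerWindow', 'LockoutTime') { $v = [timespan]$v }
            $alert[$name] = $v
        }
    }
    # Distinct usernames tried from this address: many names suggests account guessing
    $alert.DistinctUserNames = @($alert.Observations | ForEach-Object UserName | Sort-Object -Unique).Count
    [pscustomobject]$alert
}
ConvertFrom-SyspeaceAlert $SampleAlert | Format-List
```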

Syspeace detectors

Today there are several ready-made detectors for Syspeace covering FTP, IIS FTP and WordPress, as well as support for .NET, ASP and PHP for web developers who want to protect logins with the help of Syspeace instead of having to write all the logic and history handling themselves.

Contact me for a meeting

Copy and export Syspeace settings for a new installation

Syspeace export

Syspeace has a built-in function for copying, moving or duplicating installations between servers, since as a system administrator you often want to use roughly the same settings and avoid the hassle of looking up license keys, mail settings and so on.
The function to export Syspeace settings has been built in for many versions and is used to advantage by companies and cloud providers with many servers and Syspeace installations.

The video below shows how to easily export all settings for Syspeace, including the license key.

Syspeace import

1. Install Syspeace.
2. Stop the Syspeace service.
3. Copy the file defaultSettings.syspeaceSettings into the directory where Syspeace is installed (the default is C:\Program Files\Treetop\Syspeace).
4. Start the Syspeace service.
5. Syspeace will automatically read the license and the other settings from the file.
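For the many-servers case mentioned above, here is an added PowerShell example (not part of Syspeace) that runs the five steps against a list of already-installed servers over PowerShell remoting and reports whether the service came back up. The server names, the local path of the exported file and the service name 'Syspeace' are assumptions; the install path is the documented default, and Copy-Item -ToSession needs PowerShell 5.0 or later.

```powershell
# Added example, not part of Syspeace. Pushes an exported
# DefaultSettings.syspeaceSettings to several servers and restarts the service
# so the license and settings are imported. Server names, the source path and
# the service name 'Syspeace' are assumptions; the install path is the default.
$Servers      = 'srv01', 'srv02'                          # placeholders
$SettingsFile = 'C:\Admin\DefaultSettings.syspeaceSettings' # assumed export location
$InstallDir   = 'C:\Program Files\Treetop\Syspeace'
$ServiceName  = 'Syspeace'                                # assumed; check Get-Service

function Publish-SyspeaceSettings {
    param([string[]]$ComputerName, [string]$Path)
    $dest = Join-Path $InstallDir 'DefaultSettings.syspeaceSettings'
    foreach ($c in $ComputerName) {
        $session = New-PSSession -ComputerName $c
        try {
            # Step 2: stop first so the running service cannot overwrite the file
            Invoke-Command -Session $session -ScriptBlock {
                param($svc) Stop-Service -Name $svc -ErrorAction Stop
            } -ArgumentList $ServiceName
            # Step 3: copy the export into the installation directory
            Copy-Item -Path $Path -Destination $dest -ToSession $session -Force
            # Steps 4 and 5: start the service, which imports the file, and confirm it is running
            $status = Invoke-Command -Session $session -ScriptBlock {
                param($svc) Start-Service -Name $svc
                (Get-Service -Name $svc).Status.ToString()
            } -ArgumentList $ServiceName
            [pscustomobject]@{ Computer = $c; ServiceStatus = $status }
        } finally {
            Remove-PSSession $session
        }
    }
}

Publish-SyspeaceSettings -ComputerName $Servers -Path $SettingsFile
```

Any server whose ServiceStatus is not Running after the push needs a look in its event log before it is assumed to be protected.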

Contact me for a meeting

Server management, infrastructure and application management

How are your backups configured?

* What are the different backup types, such as full, differential and incremental backups, or maybe even delta / block level? What are the pros and cons of the different approaches? What are the consequences? Is there enough time to finish the backup within your backup window? Is there a different solution, or can yours be made more effective?

Is it enough for a complete restore?

* What is the minimum set of backups needed to restore after a complete system crash, or just parts of it? Is there documentation on HOW to do it? Do you have systems that are interdependent, and in what order should a restore be done to return to normal operation as quickly as possible? How does your server operating system behave? Microsoft Windows, Novell NetWare, SUN Solaris, Linux ... they all behave differently at restore.

Or, is too much backed up?

* For instance, when restoring a Microsoft Exchange Server, certain things should be excluded that can “entangle” the restore. There are many examples, and it requires know-how and experience. Backing up unnecessary functions and files will cost you time, space and bandwidth. Is it perhaps possible to streamline? Have you backed up a lot of unnecessary private files that occupy time and space in your backups? Are your workstations and laptops backed up? If so, how?

Backup log files: who reads them and manages errors?

* Missed error messages in the backup can have dire consequences if your critical data is not included when you need it.

How are your backups stored and who has access to them? And when? Whose responsibility is it if they go missing?

* Remember that all of your company’s data is stored on tapes/media and with the right knowledge it can be used to do you harm.

What guidelines are in place and how are they followed?

* Are there any policies set for overwriting of tapes? From how far back in time is data supposed to be able to be restored? For how long do you have archived data? What does the law state in your case? What guidelines are decided from the top?

Communications

* Fixed connection, ADSL or something else, and what are the consequences? Frame Relay? Speed? From which provider? Should there be redundancy in communication? Routing and switching? Wireless networks, and how secure are they: WEP, WPA, WPA2? VLANs in the switches? Spanning tree? Monitoring of the links?

Firewall

* Which firewalls cover your needs? Hardware-based or software-based? Microsoft ISA/TMG Server? Linux? FireWall1? NetScreen? Juniper? Clavister? How should the rules be set up to block malicious traffic? Are rules also applied to outbound traffic? Should there also be an IDS/IPS system? Brute force prevention at the firewall level or on the servers? DMZ and forwarding? Who/what should have access to the firewall? How quickly can they make changes if needed?

The servers

* Will the servers be placed on a separate server network, server LAN or backbone? What is the speed: 100 Mbit, 1 Gbit or 10 Gbit? How can you optimize your speed? Should the network be divided into zones, so-called subnets? What is a “private IP network”? What are “public addresses”? How does DNS work and who manages it? Is WINS needed? How do you plan a Microsoft Active Directory or Novell NetWare NDS? Global catalog? What will/should be monitored? With what software? SNMP? Insight Manager? Microsoft SCMM? Where should alarms be sent? How should the alarms be handled?

The users

* Will users be placed on a separate network? What should they be able to reach and which resources should they be able to use? Are there integrated solutions linking user accounts and firewall rules? How do we secure the servers from brute force attempts and unauthorized access?

What guidelines and policies do you have in place?

* Are there policies in place for what the users are allowed to do and access? Do you have a policy for social media? Is bandwidth limiting an option? Restricting sites? How do you manage laptops, VPNs, mobile phones, iPads?

#Syspeace stops due to license server inaccessible on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll update the troubleshooting section with info for Windows 2003 Servers, but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

> The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

> If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

Syspeace is now in the Microsoft Pinpoint listing

We’ve now proudly also been listed in the Microsoft Pinpoint directory.

Syspeace @ Microsoft Pinpoint

Syspeace - intrusion prevention for Windows servers

Syspeace website

Syspeace for Windows 2003 and 2012 due for release today

Syspeace Version 2 with support for Windows Server 2003, 2008, 2008 R2 and 2012 is due for release this evening. http://www.syspeace.com

More info on improvements and features to come.
Stay tuned.

Juha Jurvanen
Senior IT consultant in backup, server operations, security and cloud
http://www.jufcorp.com