Archives for cloud security

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

JufCorp AB hjälper företag och föreningar med frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

 

Som kuriosa tänkte jag nämna en massiv s.k. Brute Force attack / Dictionary attack (på svenska kallad ordboksattack) som pågår just nu med ursprung i USA och som verkar rikta in sig mot asvenska servrar (ett flertal av mina kunder har drabbats).
Den är inte att blanda ihop med den massiva #WannaCrypt attacken som handlar ransomvirus utan är en helt annan typ av attack där inkräktaren försöker att gissa sig till användarnamn och lösenord eller bara att överbelasta servrarna med felaktiga inloggningsförsök.

En gemensam nämnare i just den här attacken är att de använder sig av inloggningsdomänen som inloggningsnamn.
Nedan är en lista på “dagens skörd” av blockerade IP adresser som intrångsskydden blockerat på en enda servrar mellan midnatt och 13:30 hittills idag .

För att se om ni är drabbade, kontrollera Windows Security log.

Om ni är drabbade är ni naturligtvis välkomna att kontakta mig här för hjälp med att hantera attacken eller för att skydda er mot kommande attacker

IP address Times Host name and country
——————– —– ——————————-
5.102.141.94 2 rev-94.141.102.5.tribion.com; Netherlands (NL)
5.103.29.79 2 static-5-103-29-79.fibianet.dk; Denmark (DK)
5.144.158.193 2 ; United Kingdom (GB)
8.3.64.82 2 mail.sharpcnc.com; United States (US)
8.23.71.66 2 BJP2U36T-PC; United States (US)
8.27.164.197 2 ip-8-27-164-197.trucom.com; United States (US)
12.163.187.130 2 ; United States (US)
12.177.217.60 2 ; United States (US)
12.219.206.146 2 ; United States (US)
12.250.27.210 2 ; United States (US)
13.65.24.104 2 ; United States (US)
13.67.181.161 2 ; United States (US)
13.68.88.62 2 ; United States (US)
13.68.92.114 2 ; United States (US)
18.159.7.137 2 koch-six-forty-eight.mit.edu; United States (US)
23.25.213.172 2 23-25-213-172-static.hfc.comcastbusiness.net; United States (US)
23.227.200.187 2 ; United States (US)
24.13.84.17 2 c-24-13-84-17.hsd1.il.comcast.net; United States (US)
24.45.36.135 2 ool-182d2487.dyn.optonline.net; United States (US)
24.47.123.214 2 ool-182f7bd6.dyn.optonline.net; United States (US)
24.136.114.234 2 rrcs-24-136-114-234.nyc.biz.rr.com; United States (US)
24.172.55.54 2 fbiconstruction.com; United States (US)
24.204.55.66 2 mail.jtparkerclaims.com; United States (US)
24.248.203.94 2 wsip-24-248-203-94.ks.ks.cox.net; United States (US)
24.248.223.50 2 wsip-24-248-223-50.ks.ks.cox.net; United States (US)
27.74.243.108 2 tsgw.rcasp.se; Vietnam (VN)
34.192.198.19 2 ec2-34-192-198-19.compute-1.amazonaws.com; United States (US)
37.252.129.11 2 ; Switzerland (CH)
40.71.27.108 2 ; United States (US)
40.76.37.25 2 ; United States (US)
40.86.191.167 2 ; United States (US)
40.135.9.233 2 h233.9.135.40.static.ip.windstream.net; United States (US)
45.17.245.230 2 45-17-245-230.lightspeed.hstntx.sbcglobal.net; United States (US)
45.20.208.49 2 45-20-208-49.lightspeed.rlghnc.sbcglobal.net; United States (US)
45.32.160.56 2 45.32.160.56.vultr.com; United States (US)
45.40.139.116 2 ip-45-40-139-116.ip.secureserver.net; United States (US)
45.63.4.229 2 45.63.4.229.vultr.com; United States (US)
46.231.187.166 2 ; United Kingdom (GB)
47.21.46.106 2 ool-2f152e6a.static.optonline.net; United States (US)
47.23.136.187 2 ool-2f1788bb.static.optonline.net; United States (US)
47.146.183.166 2 ; United States (US)
47.180.64.184 2 static-47-180-64-184.lsan.ca.frontiernet.net; United States (US)
50.47.72.226 2 50-47-72-226.evrt.wa.frontiernet.net; United States (US)
50.73.101.155 2 50-73-101-155-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.16.81 2 50-76-16-81-static.hfc.comcastbusiness.net; United States (US)
50.76.63.221 2 50-76-63-221-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.167.3 2 50-76-167-3-static.hfc.comcastbusiness.net; United States (US)
50.76.202.210 2 50-76-202-210-static.hfc.comcastbusiness.net; United States (US)
50.77.83.137 2 50-77-83-137-static.hfc.comcastbusiness.net; United States (US)
50.77.201.132 2 50-77-201-132-static.hfc.comcastbusiness.net; United States (US)
50.79.7.213 2 50-79-7-213-static.hfc.comcastbusiness.net; United States (US)
50.79.105.34 2 50-79-105-34-static.hfc.comcastbusiness.net; United States (US)
50.192.13.145 2 50-192-13-145-static.hfc.comcastbusiness.net; United States (US)
50.192.141.193 2 50-192-141-193-static.hfc.comcastbusiness.net; United States (US)
50.196.247.193 2 50-196-247-193-static.hfc.comcastbusiness.net; United States (US)
50.197.82.185 2 50-197-82-185-static.hfc.comcastbusiness.net; United States (US)
50.198.160.161 2 50-198-160-161-static.hfc.comcastbusiness.net; United States (US)
50.199.237.34 2 50-199-237-34-static.hfc.comcastbusiness.net; United States (US)
50.203.190.178 2 mail.intermediagroup.org; United States (US)
50.205.10.174 2 50-205-10-174-static.hfc.comcastbusiness.net; United States (US)
50.205.117.51 2 50-205-117-51-static.hfc.comcastbusiness.net; United States (US)
50.233.197.222 2 50-233-197-222-static.hfc.comcastbusiness.net; United States (US)
50.240.252.205 2 50-240-252-205-static.hfc.comcastbusiness.net; United States (US)
50.241.38.49 2 50-241-38-49-static.hfc.comcastbusiness.net; United States (US)
50.243.129.194 2 50-243-129-194-static.hfc.comcastbusiness.net; United States (US)
50.248.123.221 2 50-248-123-221-static.hfc.comcastbusiness.net; United States (US)
50.254.34.165 2 50-254-34-165-static.hfc.comcastbusiness.net; United States (US)
50.254.133.245 2 50-254-133-245-static.hfc.comcastbusiness.net; United States (US)
52.5.139.105 2 ec2-52-5-139-105.compute-1.amazonaws.com; United States (US)
52.6.224.229 2 ec2-52-6-224-229.compute-1.amazonaws.com; United States (US)
52.23.118.225 2 ec2-52-23-118-225.compute-1.amazonaws.com; United States (US)
52.26.151.34 2 ec2-52-26-151-34.us-west-2.compute.amazonaws.com; United States (US)
52.39.168.186 2 ec2-52-39-168-186.us-west-2.compute.amazonaws.com; United States (US)
52.70.19.127 2 ec2-52-70-19-127.compute-1.amazonaws.com; United States (US)
52.73.103.93 2 ec2-52-73-103-93.compute-1.amazonaws.com; United States (US)
52.89.217.62 2 ec2-52-89-217-62.us-west-2.compute.amazonaws.com; United States (US)
52.168.20.3 2 RACESA; United States (US)
52.168.86.1 2 RACESA; United States (US)
52.170.39.1 2 ; United States (US)
52.173.17.163 2 ; United States (US)
52.200.66.163 2 ec2-52-200-66-163.compute-1.amazonaws.com; United States (US)
54.83.47.75 2 ec2-54-83-47-75.compute-1.amazonaws.com; United States (US)
54.86.14.226 2 ec2-54-86-14-226.compute-1.amazonaws.com; United States (US)
54.149.137.41 2 ec2-54-149-137-41.us-west-2.compute.amazonaws.com; United States (US)
54.157.197.20 2 ec2-54-157-197-20.compute-1.amazonaws.com; United States (US)
54.173.247.253 2 ec2-54-173-247-253.compute-1.amazonaws.com; United States (US)
54.243.64.201 2 ec2-54-243-64-201.compute-1.amazonaws.com; United States (US)
64.19.195.138 2 64-19-195-138.c7dc.com; United States (US)
64.40.136.36 2 ; United States (US)
64.60.63.18 2 64-60-63-18.static-ip.telepacific.net; United States (US)
64.61.65.67 2 static-64-61-65-67.isp.broadviewnet.net; United States (US)
64.135.85.4 2 mail.mmpusa.com; United States (US)
64.203.121.118 2 static-64-203-121-118.static; United States (US)
65.25.200.33 2 cpe-65-25-200-33.new.res.rr.com; United States (US)
65.26.224.113 2 cpe-65-26-224-113.wi.res.rr.com; United States (US)
65.35.122.111 2 65-35-122-111.res.bhn.net; United States (US)
65.51.130.102 2 41338266.cst.lightpath.net; United States (US)
65.184.92.138 2 cpe-65-184-92-138.sc.res.rr.com; United States (US)
66.103.3.246 2 ; United States (US)
66.161.214.122 2 cvg-partners.static.fuse.net; United States (US)
66.172.199.188 2 static.longlines.com; United States (US)
66.194.51.146 2 66-194-51-146.static.twtelecom.net; United States (US)
66.199.16.130 2 asg.sbc.net; United States (US)
66.207.228.204 2 vancestmed1.intrstar.net; United States (US)
67.52.39.30 2 rrcs-67-52-39-30.west.biz.rr.com; United States (US)
67.135.195.250 2 67-135-195-250.dia.static.qwest.net; United States (US)
67.136.185.218 2 ; United States (US)
67.177.69.207 2 c-67-177-69-207.hsd1.al.comcast.net; United States (US)
67.182.27.250 2 c-67-182-27-250.hsd1.ca.comcast.net; United States (US)
67.199.46.32 2 ; United States (US)
67.210.56.23 2 ; United States (US)
68.10.137.200 2 ip68-10-137-200.hr.hr.cox.net; United States (US)
68.34.50.181 2 c-68-34-50-181.hsd1.mi.comcast.net; United States (US)
68.129.33.18 2 static-68-129-33-18.nycmny.fios.verizon.net; United States (US)
68.198.150.65 2 ool-44c69641.dyn.optonline.net; United States (US)
69.19.187.134 2 69-19-187-134.static-ip.telepacific.net; United States (US)
69.77.156.178 2 69-77-156-178.static.skybest.com; United States (US)
69.87.217.243 2 CLOUD-89T44LGN2; United States (US)
69.125.1.18 2 ool-457d0112.dyn.optonline.net; United States (US)
69.160.54.11 2 WEB2012; United States (US)
69.174.171.150 2 c185915-v3292-01-static.csvlinaa.metronetinc.net; United States (US)
69.193.209.138 2 rrcs-69-193-209-138.nyc.biz.rr.com; United States (US)
70.60.5.210 2 rrcs-70-60-5-210.central.biz.rr.com; United States (US)
70.89.79.211 2 70-89-79-211-georgia.hfc.comcastbusiness.net; United States (US)
70.90.200.250 2 70-90-200-250-albuquerque.hfc.comcastbusiness.net; United States (US)
70.90.212.126 2 70-90-212-126-saltlake.hfc.comcastbusiness.net; United States (US)
70.169.140.124 2 wsip-70-169-140-124.hr.hr.cox.net; United States (US)
70.171.217.25 2 ip70-171-217-25.tc.ph.cox.net; United States (US)
70.182.31.80 2 wsip-70-182-31-80.fv.ks.cox.net; United States (US)
70.182.247.14 2 wsip-70-182-247-14.ks.ks.cox.net; United States (US)
71.43.115.10 2 rrcs-71-43-115-10.se.biz.rr.com; United States (US)
71.95.178.34 2 71-95-178-34.static.mtpk.ca.charter.com; United States (US)
71.125.51.247 2 pool-71-125-51-247.nycmny.fios.verizon.net; United States (US)
71.126.153.21 2 static-71-126-153-21.washdc.fios.verizon.net; United States (US)
71.174.248.106 2 static-71-174-248-106.bstnma.fios.verizon.net; United States (US)
71.186.195.114 2 static-71-186-195-114.bflony.fios.verizon.net; United States (US)
71.189.243.4 2 static-71-189-243-4.lsanca.fios.frontiernet.net; United States (US)
71.191.80.42 2 static-71-191-80-42.washdc.fios.verizon.net; United States (US)
71.207.69.236 2 c-71-207-69-236.hsd1.pa.comcast.net; United States (US)
71.224.178.158 2 c-71-224-178-158.hsd1.pa.comcast.net; United States (US)
72.16.147.58 2 72-16-147-58.customerip.birch.net; United States (US)
72.38.44.180 2 d72-38-44-180.commercial1.cgocable.net; Canada (CA)
72.82.230.95 2 static-72-82-230-95.cmdnnj.fios.verizon.net; United States (US)
72.167.43.200 2 ip-72-167-43-200.ip.secureserver.net; United States (US)
72.174.248.122 2 host-72-174-248-122.static.bresnan.net; United States (US)
72.204.63.192 2 ip72-204-63-192.fv.ks.cox.net; United States (US)
72.215.140.252 2 wsip-72-215-140-252.pn.at.cox.net; United States (US)
72.215.215.20 2 wsip-72-215-215-20.no.no.cox.net; United States (US)
72.227.80.102 2 cpe-72-227-80-102.maine.res.rr.com; United States (US)
72.253.213.131 2 ; United States (US)
73.69.143.242 2 c-73-69-143-242.hsd1.ma.comcast.net; United States (US)
73.71.29.17 2 c-73-71-29-17.hsd1.ca.comcast.net; United States (US)
73.142.239.31 2 c-73-142-239-31.hsd1.ct.comcast.net; United States (US)
73.146.72.35 2 c-73-146-72-35.hsd1.in.comcast.net; United States (US)
73.189.105.76 2 c-73-189-105-76.hsd1.ca.comcast.net; United States (US)
73.208.34.64 2 c-73-208-34-64.hsd1.in.comcast.net; United States (US)
74.92.21.17 2 74-92-21-17-newengland.hfc.comcastbusiness.net; United States (US)
74.93.101.9 2 remote.youthfulinnovations.com; United States (US)
74.116.23.151 2 smoke2.bgglobal.net; United States (US)
74.118.182.77 2 res.anniversaryinn.com; United States (US)
74.143.195.146 2 rrcs-74-143-195-146.central.biz.rr.com; United States (US)
75.146.75.109 2 75-146-75-109-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.146.145.189 2 75-146-145-189-stlouispark.mn.minn.hfc.comcastbusiness.net; United States (US)
75.147.156.185 2 75-147-156-185-naples.hfc.comcastbusiness.net; United States (US)
75.149.28.17 2 75-149-28-17-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.30.201 2 75-149-30-201-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.129.98 2 75-149-129-98-connecticut.hfc.comcastbusiness.net; United States (US)
75.150.153.121 2 75-150-153-121-philadelphia.hfc.comcastbusiness.net; United States (US)
75.151.22.138 2 75-151-22-138-michigan.hfc.comcastbusiness.net; United States (US)
81.149.32.248 2 host81-149-32-248.in-addr.btopenworld.com; United Kingdom (GB)
81.149.160.149 2 host81-149-160-149.in-addr.btopenworld.com; United Kingdom (GB)
81.184.4.81 2 81.184.4.81.static.user.ono.com; Spain (ES)
82.70.235.49 2 mail.o-mills.co.uk; United Kingdom (GB)
82.152.42.172 2 ; United Kingdom (GB)
82.163.78.211 2 deals0.outdoor-survival-deals.com; United Kingdom (GB)
84.253.23.243 2 243.23.253.84.static.wline.lns.sme.cust.swisscom.ch; Switzerland (CH)
89.107.57.168 2 CLOUD-CBNJJIKJU; United Kingdom (GB)
93.174.93.162 2 no-reverse-dns-configured.com; Seychelles (SC)
94.173.101.19 2 fpc88091-dund16-2-0-cust18.16-4.static.cable.virginm.net; United Kingdom (GB)
95.143.66.10 2 cpe-et001551.cust.jaguar-network.net; France (FR)
96.2.4.59 2 96-2-4-59-dynamic.midco.net; United States (US)
96.48.86.169 2 s0106002719d04b85.vf.shawcable.net; Canada (CA)
96.56.31.221 2 ool-60381fdd.static.optonline.net; United States (US)
96.56.105.10 2 ool-6038690a.static.optonline.net; United States (US)
96.80.174.85 2 96-80-174-85-static.hfc.comcastbusiness.net; United States (US)
96.80.253.177 2 96-80-253-177-static.hfc.comcastbusiness.net; United States (US)
96.83.33.185 2 96-83-33-185-static.hfc.comcastbusiness.net; United States (US)
96.83.155.97 2 96-83-155-97-static.hfc.comcastbusiness.net; United States (US)
96.85.147.121 2 96-85-147-121-static.hfc.comcastbusiness.net; United States (US)
96.86.193.203 2 96-86-193-203-static.hfc.comcastbusiness.net; United States (US)
96.87.90.37 2 96-87-90-37-static.hfc.comcastbusiness.net; United States (US)
96.89.250.225 2 96-89-250-225-static.hfc.comcastbusiness.net; United States (US)
96.91.83.141 2 96-91-83-141-static.hfc.comcastbusiness.net; United States (US)
96.91.100.241 2 mail.holidayorg.com; United States (US)
96.91.120.121 2 96-91-120-121-static.hfc.comcastbusiness.net; United States (US)
96.93.179.141 2 96-93-179-141-static.hfc.comcastbusiness.net; United States (US)
96.95.3.53 2 96-95-3-53-static.hfc.comcastbusiness.net; United States (US)
96.248.216.162 2 static-96-248-216-162.nrflva.fios.verizon.net; United States (US)
96.250.18.213 2 pool-96-250-18-213.nycmny.fios.verizon.net; United States (US)
96.254.199.133 2 static-96-254-199-133.tampfl.fios.frontiernet.net; United States (US)
97.64.238.118 2 97-64-238-118.client.mchsi.com; United States (US)
97.74.229.216 2 ip-97-74-229-216.ip.secureserver.net; United States (US)
98.209.200.34 2 c-98-209-200-34.hsd1.mi.comcast.net; United States (US)
100.8.29.162 2 static-100-8-29-162.nwrknj.fios.verizon.net; United States (US)
100.12.162.203 2 mail.comjem.com; United States (US)
104.187.243.229 2 104-187-243-229.lightspeed.lnngmi.sbcglobal.net; United States (US)
104.207.135.1 2 104.207.135.1.vultr.com; United States (US)
107.180.77.25 2 ip-107-180-77-25.ip.secureserver.net; United States (US)
108.20.79.148 2 pool-108-20-79-148.bstnma.fios.verizon.net; United States (US)
108.39.247.102 2 pool-108-39-247-102.pitbpa.fios.verizon.net; United States (US)
108.53.118.53 2 pool-108-53-118-53.nwrknj.fios.verizon.net; United States (US)
108.58.195.45 2 ool-6c3ac32d.static.optonline.net; United States (US)
108.60.201.195 2 ; United States (US)
108.61.251.119 2 108.61.251.119.vultr.com; Australia (AU)
108.207.58.163 2 108-207-58-163.lightspeed.lnngmi.sbcglobal.net; United States (US)
109.169.19.116 2 ; United Kingdom (GB)
122.226.196.254 2 ; China (CN)
128.59.46.66 2 dyn-128-59-46-66.dyn.columbia.edu; United States (US)
131.156.136.114 2 ; United States (US)
132.160.48.210 2 ; United States (US)
144.202.132.50 2 144-202-132-50.baltimoretechnologypark.com; United States (US)
146.255.7.75 2 ; United Kingdom (GB)
148.74.244.26 2 ool-944af41a.dyn.optonline.net; United States (US)
162.17.170.225 2 mail.architecturalsheetmetal.com; United States (US)
162.230.118.128 2 162-230-118-128.lightspeed.sntcca.sbcglobal.net; United States (US)
162.231.82.33 2 adsl-162-231-82-33.lightspeed.irvnca.sbcglobal.net; United States (US)
162.246.155.16 2 ; United States (US)
166.62.43.55 2 ip-166-62-43-55.ip.secureserver.net; United States (US)
172.87.144.170 2 rrcs-172-87-144-170.sw.biz.rr.com; United States (US)
172.95.25.4 2 ; United States (US)
173.8.227.70 2 173-8-227-70-denver.hfc.comcastbusiness.net; United States (US)
173.10.137.213 2 173-10-137-213-busname-washingtondc.hfc.comcastbusiness.net; United States (US)
173.12.152.209 2 mail.bfbarchitects.com; United States (US)
173.13.72.50 2 outbound.oceanedge.com; United States (US)
173.14.78.21 2 173-14-78-21-sacramento.hfc.comcastbusiness.net; United States (US)
173.14.220.253 2 173-14-220-253-atlanta.hfc.comcastbusiness.net; United States (US)
173.26.48.212 2 173-26-48-212.client.mchsi.com; United States (US)
173.48.246.52 2 pool-173-48-246-52.bstnma.fios.verizon.net; United States (US)
173.160.91.10 2 173-160-91-10-atlanta.hfc.comcastbusiness.net; United States (US)
173.161.162.68 2 173-161-162-68-philadelphia.hfc.comcastbusiness.net; United States (US)
173.161.224.209 2 173-161-224-209-philadelphia.hfc.comcastbusiness.net; United States (US)
173.193.164.178 2 b2.a4.c1ad.ip4.static.sl-reverse.com; United States (US)
173.197.34.18 2 rrcs-173-197-34-18.west.biz.rr.com; United States (US)
173.220.18.197 2 ool-addc12c5.static.optonline.net; United States (US)
184.16.110.66 2 ; United States (US)
184.176.201.40 2 aexec.com; United States (US)
184.183.152.219 2 wsip-184-183-152-219.ph.ph.cox.net; United States (US)
185.52.248.40 2 ; Germany (DE)
185.129.148.169 2 ; Latvia (LV)
192.198.250.202 2 rrcs-192-198-250-202.sw.biz.rr.com; United States (US)
199.96.115.98 2 ; United States (US)
204.193.139.81 2 ; United States (US)
206.145.187.193 2 morriselectronics.net; United States (US)
208.38.233.43 2 c187290-03-v3409-static.nmchinaa.metronetinc.net; United States (US)
208.75.244.130 2 mail.aisin-electronics.com; United States (US)
208.105.170.100 2 rrcs-208-105-170-100.nys.biz.rr.com; United States (US)
208.180.181.72 2 208-180-181-72.mdlncmtk01.com.sta.suddenlink.net; United States (US)
209.240.184.73 2 OGKCPIPE.nwol.net; United States (US)
213.109.80.18 2 s-213-109-80-18.under.net.ua; Ukraine (UA)
216.81.103.42 2 ; United States (US)
216.170.126.36 2 ; United States (US)
216.176.177.92 2 ; United States (US)

A new brute force protection platform – Are you up for it ?

brute force protection
I firmly believe there’s a need for good brute force protection products. The ones currently available simply aren’t good enough for larger corporate needs or Cloud Service Providers really or they’re too expensive and complicated to use..

Some possible improvements are already out there for some of them such as Cyberarms going Open Source. At the time I helped start up Syspeace, I would say that Cyberarms was the main competitor and I was really surprised and sad they eventually decided to end their business.

With that said, there’s a good foundation using their code and improving it and modernizing it because there’s a lot of critical things missing in there in order to actually be useful for enterprises the way I see it. Actually, quite a few and there needs to be new functionality in there too. Not really disclosing my thoughts here about it though.

The ways to go about this, the way I see anyway, is to …

Open Source and brute force prevention

… sit down and have a close look at for instance the Cyberarms code and help out as an Open Source developer and try to get a product that’s free and beneficial for everyone.
The downside to that is, as with most Open Source, that if you’re a system administrator and something doesn’t work, you might want to have access to an actual support, helpdesk and getting help in troubleshooting. You also may want to be assured that development will continue.
You simply don’t have the time to search forums or read through the code to try and figure out what’s wrong or how to improve it and often enough, system administrators aren’t developers. I know I’m not very good at writing code myself anyway.

There’s also the risk of people coding losing the interest of an Open Source project, since they don’t make any money out of it and eventually start feeling they’re just wasting free time, resulting in that the product will eventually just die or stay stagnant and eventually become obsolete.

Creating a new brute force protection platform as a business idea

The second path would be to start up a new project with developers, marketing people and investors to actually build a product that is useful for enterprises and cloud providers and so on. Such a product needs to have quite a lot of functionality added compared to the ones that are already out there but with the right people and effort, it can be done. I’m absolutely sure of it.
These new ideas and functionalities are probably best provided by people who actually deal with these questions on a day to day basis i.e System Administrators, Server Managers and so on…

As you may or may not know I was previously deeply involved in the creation and startup of Syspeace.
I had the original idea for a brute force protection software and was a part of most aspects it but unfortunately we just couldn’t agree on what was reasonable on the business side of it once our initial agreement ended so I decided to go with the “live and let die” policy.
It basically just took too much energy from me to haggle and not getting anywhere really and frankly, the project had become stagnant the way I saw it so consider this plan B.

The future then? Can it be made viable as a business idea?

Basically what I’m driving at is this, are there the right people out there? Anyone up for starting up a new project and try to create an even better brute force protection and security platform with me?
I have already had a few feelers with other companies and there is an interest to be part of such a project. The best scenario would probably be to get in touch with a development company that already has developers and want to broaden their portfolio with a security product but on the other hand, it can be a very small staff of people doing it too.

I’m not opposed to investing myself also and since I know the finances behind such a product and what it can generate I have a reason to believe in it, both technically and businesswise.
Remember, the market is worldwide. It’s not geographically confined and that’s why I’m actually writing this in English, although for me personally, the startup of such a project would be easier if it were in Sweden. I’m. just thinking practically.

I’ve already done it once and I believe it can be done again but even better. I’ve already seen the mistakes so to speak.
Of course, there are other ways too, such as Crowdfunding and FundedByMe and all that but I firmly believe not only do you have to have the finances settled but also be sure to have the right people involved, willing to invest their time and focus.

At the moment it’s just a thought from my side and nothing has really taken any shape (apart from registering a domain for it really) but I would hate to throw away all the ideas, knowledge and experience I have around such a project. I think I have a pretty good inkling of budgets, the business side and of course the technical aspects and functionality of what such a product should be.

So, if you’re up for it, just contact me or give me call and say hi and we’ll take it from there?

I think the time would be more or less now because I’m certain there’s stuff going on in other places too so in order to get a product up and running and get market shares, this would be the time to do it.

[contact-form-7 id=”1633″ title=”Namnlös”]

2 years ago

JufCorp

"Vi har skapat ett verktyg för att skapa lokala ikoner för enheter , göra så att man högerklicka på filer/kataloger i rCloud och få ner dem direkt till den lokala enheten. De lokala enheterna heter alltid R: i Molnet och kan vara Windows, Android eller MAC. Filer hamna på lite olika ställen beroende på vilket du är uppkopplad med (Molnet känner av dynamiskt vilken enhet du är inloggad med dvs du kan vara inloggad med en Windows dator på jobbet och hemma med en Android och skicka filer till dem) [ 59 more words ]

www.jufcorp.com/wordpress/molntjansten-rcloud-office-forenklar-kopplingar-mot-lokala-enheter-med-...
...

View on Facebook

2 years ago

JufCorp

blog.redcloud.se/att-na-sina-program-i-molnet-med-en-webblasare/ #molntjänster #outsourcing #SaaS #visma ...

View on Facebook

2 years ago

JufCorp

Att använda den inbyggda Windows 10 Mail klienten mot rCloud Office för att synka e-post, lalender och kontakter. #molnet ...

View on Facebook

2 years ago

JufCorp

En videomanual för hur man installerar svenska molntjänsten rCloud Office från Red Cloud IT.

blog.redcloud.se/molntjansten-rcloud-office-pa-windows/
...

View on Facebook

2 years ago

JufCorp

Finska F Secure har hittat ytterligare en kritisk sårbarhet i Intels produkter. Denna sårbarhet har inget med de nyligen publicerade #Meltdown och #Spectre utan ligger i Intel Active Management Technology (AMT). Om en angripare har fysisk tillgång till datorn kan alla säkerhetsmekanismer kringås som antivirus, diskkryptering och datorn är helt oskyddad mot angriparen som därefter fjärrstyra, avlyssna, kopiera data osv. … [ 39 more words ]

www.jufcorp.com/wordpress/f-secure-hittar-ny-kritisk-sarbarhet-i-intels-produkter-infosec/
...

View on Facebook

 

Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself and the original can be found here . I might add a few thing in here but is very good strat indeed. Well done
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Den här listan är en väldigt bra början för att planera och förhindra olika typer av attacker och hantera säkerhetsaspekter från olika synvinklar.

För hjälp med frågor som dessa, kontakta mig gärna här

 

backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace mitigation strategies

MITIGATION STRATEGIES

Mitigation strategies summary

Relative security effectiveness rating Mitigation strategy Potential user resistance Upfront cost (staff, equipment, technical complexity) Ongoing maintenance cost (mainly staff)
Mitigation strategies to prevent malware delivery and execution
Essential Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Medium High Medium
Essential Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Low High High
Essential Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. Medium Medium Medium
Essential User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Medium Medium Medium
Excellent Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. Low High Medium
Excellent Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. Medium Medium Medium
Excellent Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. Medium Medium Medium
Excellent Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. Medium Medium Low
Excellent Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Low Low Low
Very good Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. Low Medium Medium
Very good Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. Medium Medium Low
Very good Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Very good Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. High High Medium
Very good Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. Low Low Low
Good User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. Medium High Medium
Limited Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Limited TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. Low Low Low
Mitigation strategies to limit the extent of cyber security incidents
Essential Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Medium High Medium
Essential Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Low Medium Medium
Essential Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. Medium High Medium
Excellent Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. Low Medium Low
Excellent Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. Low High Medium
Excellent Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. Medium Medium Low
Very good Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. Medium Medium Medium
Very good Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. Low Medium Medium
Very good Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. Medium Medium Medium
Very good Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. Medium Medium Medium
Mitigation strategies to detect cyber security incidents and respond
Excellent Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. Low Very
high
Very
high
Very good Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. Low Medium Medium
Very good Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. Low Medium Medium
Very good Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. Low Very
high
Very
high
Limited Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. Low High Medium
Limited Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. Low High Medium
Mitigation strategies to recover data and system availability
Essential Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Low High High
Very good Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. Low High Medium
Very good System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. Low High Medium
Mitigation strategy specific to preventing malicious insiders
Very good Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. High High High

 

 

For questions or help within these areas, please feel free to contact me here

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

IT konsult backuper, It konsult säkerhet, IT konsult syspeace, IT konsult återstartsplaner, It konsult Active DirectoryA few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid. I ran into a Swedish development company by coincidence and I told them about my idea, showed them som proofs of concepts and we decided to create this product together and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. In short , after an intial contract for 3 years  for a certain percentage of gross sales , they suddenly decided that I wouldn’t get any money whatsoever for any sales of Syspeace after that. Simple as that. Yay me. Not really what I had in mind when presenting the idea and putting that work into it and still, stupidly enough , I kind of was under the impression that we’d continue the same way as the first contract was written, both practically and in spirit.. Yep. Admittedly bitter about it. I loved the idea, I love the product (although there are improvemens that need to be made in my humble opinion. The idea is even good enough to actually bring some revenue and if we would’ve stayed on terms, I would’ve been perfectly fine. Still, lesson learned. Don’t be so trusting.

Anyaway, this post isn’t about that really. Not getting into how I feel about that but I’m sure you can imagine. There’s another post that kind of relates to that here and my view on a product such as Syspeace.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, the eventid 4625 in the Windows Securitylog didn’t record the source IPaddress, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes stuff fareasier if you’re hosting Terminal Servers (Remotdesktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing but I don’t know really ) so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. A few things to consider here though and you really might want to think about them before implementing Cyberarms IDDS on larger scale.

Syspeace vs Cyberarms

First of all , the notification email you get from Cyberarms contains far too little information for it to be useful in a datacenter environment or at a Cloud Service provider. If you’re simplt protecting your PC at home, sure but if your’re mmanaginfg a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address xxx.xxx.xxx.xxx has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see Geopgraphical information and the login name used in order to know whether it’s an actual attempt to use valid usernames and access data or if it’s just an automated “background noice attack”. With that said, do not underestimate those background nice attacks since they do use up resources like CPU and RAM on your servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noice”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though , there is a default mechanism for also keeping track of succesful logins and with some builtin logic, actuallynot banning the IP address if someone else succeeds with their login attempt from behind that same firewall. The toought behind it is of course to minimize false positives and hopefully not blocking your customers from your services. It’s not foolproof but it works well enough.

In Sypeace, the rules you can set are also more flexible including parameters such as a time window. This is very useful for you to catch “slow grinding” attempts meaning hackers that want to stay under the radar for products such as Syspeace and Cyberarms.

Cyberarms does not have access reports built in to it like it’s built into Sysepace which from time to time can be very useful for a sysadmin.

When you starting up Cybrarms intiially, no agents are activated by default so there’s more of a “how-to” tip for you.

Cyberarms doesn’t not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built in flaw at the moment making it’s database grow above it’s limit of 4 GB in some scenarios but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUIless servers is another quiestion. My guess is that they bort need to be rewritten. None of them support a central managemant interface wich would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sutre there will be such a feature in either on of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and build a great product together. In fact, I’m sure an even greater product can be built for these things and and adjacent things  so if anyone’s up a for it, I’m game.I have quite a few ideas for new functionality and features for such a product already..or who knows,I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but truth told, I’m not a good developer really. I have ideas and I know how it should work but getting to the actual coding would just take to much time for me.

Anyway … Here’s how I’m using both of them at the same time for now anyway
I have the set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address 182.184.78.244 (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace , getting it to catch those SSL/TLS

attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address 155.207.18.189 was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin meaning for me to actually deal with it, I need to manually find out from where the attack originated, what username was used in order to decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get better notifications with more information but that shlould be built into the software really looking more like the Syspeace alerts.

The Syspeace notification isn’t prefect either but it is far better. I would also like to see what port was targeted and what process was targeted, i.e the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports so I thought I’d also incklude one of each from the same server and the same time window. I think you’ll noticed the difference and ralize why the SSL/TLS functionality is so crucial to have in place

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
23.236.77.157 1 XS2323677157; United States (US)
47.34.65.227 1 47-34-65-227.dhcp.stls.mo.charter.com; United States (US)
52.14.84.148 6 ec2-52-14-84-148.us-east-2.compute.amazonaws.com; United States (US)
73.37.131.61 1 c-73-37-131-61.hsd1.mn.comcast.net; United States (US)
89.247.148.40 1 i59f79428.versanet.de; Germany (DE)
119.59.80.66 1 119-59-80-66.rdns.afghan-wireless.com; United States (US)
151.54.163.83 1 ; Italy (IT)
183.250.25.70 1 ; China (CN)
185.94.99.245 1 ; Iran, Islamic Republic of (IR)
189.26.112.234 2 corporativo.gvt.net.br; Brazil (BR)
193.34.9.171 1 nlink.nesso.ru; Russian Federation (RU)
202.104.33.34 1 ; China (CN)
203.146.142.62 1 ; Thailand (TH)
213.87.96.182 1 host.mrdv-1.mtsnet.ru; Russian Federation (RU)
213.136.87.8 1 vms8.riseforce.net; Germany (DE)
222.184.121.194 1 ; China (CN)
222.209.233.89 1 89.233.209.222.broad.cd.sc.dynamic.163data.com.cn; China (CN)

//  I Have removed the hourly breakdown opart from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0

 

Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts
1.192.144.148 1
104.43.19.172 1
118.69.171.47 1
146.185.239.117 1
149.3.47.190 1
169.50.7.234 1
200.2.192.186 1
207.225.237.110 1
208.44.83.36 1
209.249.81.231 1
211.72.12.36 1
212.175.49.50 1
212.92.127.126 1
213.89.246.166 1
217.208.101.73 1
217.23.11.249 1
217.8.84.31 1
223.25.241.88 1
37.0.20.79 1
39.109.11.209 1
5.150.237.244 1
50.193.208.177 1
50.203.20.67 1
54.243.236.34 1
68.44.212.144 1
70.169.12.6 1
75.71.25.220 1
78.188.193.185 1
8.21.216.2 1
80.82.77.34 1
82.80.252.200 1
83.137.55.249 1
85.105.245.147 1
88.99.8.164 1
91.121.64.15 1
91.200.12.75 1
91.215.120.225 1
92.51.70.248 1
94.43.33.178 1
96.80.87.202 1
98.101.132.98 1
104.185.131.1 2
12.201.134.132 2
173.226.255.254 2
185.56.82.58 2
197.242.149.19 2
208.184.124.150 2
216.162.88.19 2
216.236.16.89 2
217.34.0.133 2
5.175.0.111 2
63.253.50.210 2
66.229.43.193 2
68.15.114.164 2
76.71.75.79 2
83.69.223.227 2
85.72.58.154 2
96.80.60.1 2
98.112.92.39 2
108.242.76.81 3
178.208.128.131 3
206.252.196.162 3
210.109.189.218 3
217.34.0.135 3
75.127.164.214 3
90.168.232.247 3
108.60.96.19 4
117.218.128.22 4
12.30.90.162 4
208.78.220.145 4
208.81.109.6 4
23.102.44.152 4
38.88.150.106 4
40.85.92.80 4
52.187.36.243 4
52.228.35.94 4
52.228.40.215 4
52.228.42.136 4
66.64.166.178 4
66.84.140.17 4
91.183.212.73 4
144.139.207.212 5
212.83.168.244 5
213.136.87.8 5
216.162.88.62 5
217.148.113.118 5
217.91.224.26 5
222.184.121.194 5
23.235.162.34 5
23.236.77.157 5
52.228.46.46 5
67.55.103.188 5
73.37.131.61 5
85.93.93.116 5
89.30.240.164 5
98.103.178.186 5
119.59.80.66 6
183.250.25.70 6
185.94.99.245 6
189.26.112.234 6
202.104.33.34 6
203.146.142.62 6
212.170.198.61 6
213.87.96.182 6
222.209.233.89 6
46.185.117.106 6
89.247.148.40 6
108.58.0.234 7
109.73.46.130 7
12.199.176.194 7
121.161.141.239 7
151.54.163.83 7
155.133.82.102 7
159.122.106.114 7
159.253.26.77 7
169.50.22.186 7
185.130.226.42 7
185.93.183.218 7
185.94.193.75 7
190.145.28.67 7
193.34.9.171 7
193.86.185.50 7
198.23.210.133 7
199.167.138.110 7
201.161.36.162 7
201.18.18.151 7
211.52.64.52 7
213.136.79.237 7
218.60.57.131 7
27.254.150.30 7
35.156.247.241 7
35.157.110.187 7
47.88.33.114 7
5.122.136.4 7
5.196.215.194 7
59.175.128.108 7
64.110.25.6 7
69.166.130.134 7
79.120.40.185 7
83.110.74.36 7
84.55.94.211 7
89.185.246.67 7
89.185.246.79 7
89.185.246.95 7
91.218.112.173 7
94.102.51.124 7
94.107.233.189 7
94.142.142.156 7
121.175.229.89 8
125.227.100.10 8
141.255.188.47 8
155.133.82.50 8
185.109.255.12 8
185.109.255.13 8
213.124.64.27 8
31.44.191.8 8
47.34.65.227 8
47.90.16.194 8
52.233.26.114 8
62.210.244.44 8
65.61.102.251 8
76.70.18.47 8
80.82.79.228 8
83.136.86.179 8
104.160.176.45 9
109.228.26.93 9
114.34.79.103 9
116.125.127.101 9
170.161.62.42 9
172.245.222.8 9
173.10.107.141 9
173.74.198.161 9
178.159.36.150 9
185.159.145.26 9
194.61.64.252 9
198.27.119.249 9
207.233.75.39 9
212.86.108.191 9
23.249.224.189 9
31.145.15.3 9
37.46.255.63 9
37.75.11.86 9
40.139.95.146 9
5.135.7.98 9
5.39.222.19 9
50.243.143.129 9
52.174.36.251 9
52.187.37.144 9
52.232.112.92 9
58.221.59.22 9
78.154.13.222 9
91.211.2.20 9
95.154.22.236 9
144.130.57.185 10
50.247.156.86 10
74.95.221.25 10
194.17.59.90 11
93.174.93.162 11
118.34.230.5 12
213.179.6.49 12
43.254.126.10 12
103.54.250.94 13
174.4.72.229 13
146.0.74.126 14
203.128.240.130 14
5.39.223.166 14
2.139.204.18 17
74.203.160.89 17
93.115.85.228 17
185.159.36.122 18
195.154.52.156 18
24.249.158.60 18
31.184.197.6 18
52.14.84.148 19
185.70.186.140 21
119.145.165.86 23
91.211.2.109 54
Total 1371
Soft locks by IP address
Client IP Soft locks
108.58.0.234 1
109.73.46.130 1
12.199.176.194 1
12.201.134.132 1
121.175.229.89 1
144.130.57.185 1
155.133.82.102 1
155.133.82.50 1
159.122.106.114 1
159.253.26.77 1
169.50.22.186 1
173.226.255.254 1
185.130.226.42 1
185.93.183.218 1
185.94.193.75 1
190.145.28.67 1
193.86.185.50 1
197.242.149.19 1
198.23.210.133 1
199.167.138.110 1
201.161.36.162 1
201.18.18.151 1
208.184.124.150 1
211.52.64.52 1
213.136.79.237 1
216.162.88.19 1
217.34.0.133 1
218.60.57.131 1
27.254.150.30 1
35.156.247.241 1
35.157.110.187 1
43.254.126.10 1
47.88.33.114 1
47.90.16.194 1
5.122.136.4 1
5.196.215.194 1
59.175.128.108 1
62.210.244.44 1
63.253.50.210 1
64.110.25.6 1
66.229.43.193 1
68.15.114.164 1
68.44.212.144 1
69.166.130.134 1
76.71.75.79 1
79.120.40.185 1
83.110.74.36 1
84.55.94.211 1
89.185.246.67 1
89.185.246.79 1
89.185.246.95 1
91.218.112.173 1
93.174.93.162 1
94.102.51.124 1
94.107.233.189 1
94.142.142.156 1
96.80.60.1 1
98.112.92.39 1
104.160.176.45 2
108.60.96.19 2
109.228.26.93 2
114.34.79.103 2
116.125.127.101 2
12.30.90.162 2
141.255.188.47 2
146.0.74.126 2
170.161.62.42 2
172.245.222.8 2
173.10.107.141 2
173.74.198.161 2
178.159.36.150 2
185.109.255.12 2
185.109.255.13 2
185.159.145.26 2
194.61.64.252 2
198.27.119.249 2
2.139.204.18 2
206.252.196.162 2
207.233.75.39 2
208.78.220.145 2
208.81.109.6 2
212.86.108.191 2
213.124.64.27 2
217.34.0.135 2
23.102.44.152 2
23.249.224.189 2
31.145.15.3 2
31.44.191.8 2
37.46.255.63 2
37.75.11.86 2
38.88.150.106 2
40.139.95.146 2
40.85.92.80 2
5.135.7.98 2
5.39.222.19 2
5.39.223.166 2
50.243.143.129 2
50.247.156.86 2
52.14.84.148 2
52.174.36.251 2
52.187.36.243 2
52.187.37.144 2
52.228.35.94 2
52.228.40.215 2
52.228.42.136 2
52.232.112.92 2
52.233.26.114 2
58.221.59.22 2
65.61.102.251 2
66.64.166.178 2
66.84.140.17 2
78.154.13.222 2
80.82.79.228 2
83.136.86.179 2
91.211.2.20 2
95.154.22.236 2
118.34.230.5 3
185.70.186.140 3
24.249.158.60 3
119.145.165.86 4
185.159.36.122 4
195.154.52.156 4
31.184.197.6 4
93.115.85.228 4
91.211.2.109 12
Total 215
Hard locks by IP address
Client IP Hard locks
104.160.176.45 1
104.43.19.172 1
108.60.96.19 1
109.228.26.93 1
114.34.79.103 1
116.125.127.101 1
118.34.230.5 1
118.69.171.47 1
119.145.165.86 1
12.201.134.132 1
12.30.90.162 1
170.161.62.42 1
172.245.222.8 1
173.10.107.141 1
173.226.255.254 1
173.74.198.161 1
178.159.36.150 1
185.159.145.26 1
194.61.64.252 1
197.242.149.19 1
198.27.119.249 1
2.139.204.18 1
200.2.192.186 1
207.225.237.110 1
207.233.75.39 1
208.184.124.150 1
208.78.220.145 1
208.81.109.6 1
209.249.81.231 1
212.86.108.191 1
216.162.88.19 1
217.34.0.133 1
217.34.0.135 1
223.25.241.88 1
23.102.44.152 1
23.249.224.189 1
31.145.15.3 1
37.46.255.63 1
37.75.11.86 1
38.88.150.106 1
40.139.95.146 1
40.85.92.80 1
5.135.7.98 1
5.39.222.19 1
50.193.208.177 1
50.203.20.67 1
50.243.143.129 1
50.247.156.86 1
52.174.36.251 1
52.187.36.243 1
52.187.37.144 1
52.228.35.94 1
52.228.40.215 1
52.228.42.136 1
52.232.112.92 1
54.243.236.34 1
58.221.59.22 1
63.253.50.210 1
66.64.166.178 1
66.84.140.17 1
68.15.114.164 1
78.154.13.222 1
8.21.216.2 1
91.211.2.20 1
93.115.85.228 1
95.154.22.236 1
96.80.60.1 1
98.101.132.98 1
98.112.92.39 1
185.159.36.122 2
195.154.52.156 2
31.184.197.6 2
52.14.84.148 2
91.211.2.109 6
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

#cybersecurity How to block a brute force attacks against Windows Servers, #MSExchange, Remote Desktop and more

Syspeace - intrusion prevention for Windows servers

How to block a brute force attack against Windows Servers, Exchnage Server, remote Desktop

If your server or datacenter is targeted by a brute force attack a.k.a dictionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.

However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 6,5 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Server including the webmail (OWA) and SMTP connectors, Citrix, Sharepoint,SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not constantly monitoring logfles.

On this blog, https://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

By Juha Jurvanen

Syspeace crashes / not starting due to database growth over 4 GB

Syspeace crashes / not starting due to database over 4 GB

Syspeace is a brute force prevention software for Windows Servers, Exchange Servers, RDS and more.

One issue with the current version of Syspeace is the scenario where the Syspeace GUI can’t be started and Syspeace crashes due to it’s database growing too large and here is why.

When the database called SCDB1.sdf (located in the Syspeace installation directory) grows above its built in limit of 4 GB, Syspeace stops working and the GUI can’t be started, nor does Syspeace block any new brute force attacks.
This is due to a limitations of database groxth and the way Syspeace stores entries within the database in the current version (2.5.2).

Here is a (blurry) picture of the error message. It’s basically a .Net error message saying that the database has grown larger than its built in limitation.

syspeace crashes database 4 gb

Solution / Workaround

The easiest way to workaround this limitation is to stop the Syspeace service and simply delete the database and set up your rules and settings again. This will mean setting up your whitelists, entering licensnumber, rules and so on.

Preparing for this scenario

It is easy to be prepared for this though. Simply export all of the Syspeace settings using the Syspeace GUI ( Export settings/ and click the “Check all” in the top right ) and keep the DefaultSettings.syspeaceSettings in the Syspeace installation folder. Remember to do this every time you apply changes to your settings.
This will ease the workaround-fix from the aspect that you only need to stop the Syspeace service,delete the database that and then restart Syspeace thus having it automatically import all of your settings.

There is also the advantage of being able to distribue the DefaultSettings.syspeaceSettings-file to other servers in case you have multiple installations or you’re planning on expanding your Syspeace usage.

Simply install Syspeace on the next server, copy the DefaultSettings.syspeaceSettings to the installation directory and your configuration is set to the same parameters as the first one, including whitelists, license number, email settings and so on.

By Juha Jurvanen

Sad to see Cyberarms fail

Sad to see Cyberarms fail

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Today, I had a look at the Cyberarms website since I of course like to see what’s going on out there. I liked some of their ideas and I did see potential in there.

To my surprise they have decided to quit developing Cyberams and also to completely halt their operations apart from licensing renewals.

Their deficit is 250 000 euro so that saddens me of course when any business venture fails.
It’s never just a job for people in my line of work and as a business owner I do know what the owners and CEO and everyone is going through. It’s absolutely horrible with sleepless nights, feeling of failure and everything.
To develop a product and a software, especially for a new kind of thinking in terms of security, and actually getting system administrators, CEOs, CTOs and so on to realize actually that it needs to be in place isn’t easy and it’s very important to keep track of costs and also to know that development is moving forward as expected.
It’s not always a good thing to be some of the first in their field. Especially to try to make it commercially. Having the right people , business plan and everything is crucial.

Still, the need for a good and stable brute force prevention software for Windows Servers is still just as valid and important as ever. If not even more, considering all the private and public cloud solutions that are emerging. For instance, remember, Syspeace was born out of necessity from the Cloud Service rCloud Office at Red Cloud IT in Sweden.

Cyberarms will release their source code to customers with more than 250 licenses so there is always the possibility that it will be developed further but most likely only for the use at those customers inhouse and for their own needs.
To uphold a software and keep developing it when written by someone else can be very time consuming indeed and as a developer you also need to get new ideas from the guys who had the original idea.
Even though the person with the idea isn’t the same one who actually writes the code, that person is still often the one with the vision and ideas for the next level and what it should actually be.

For obvious reasons I am prone to using Syspeace but it still made me sad to see Cyberarms fail.

In the case of Cyberarms, one of the unfortunate miscalculations was that there was a free version that blocked x amount of attacks per day. The rest weren’t blocked.
For some system administrators, that was enough (I don’t really see why that would be enough . I mean , let’s block these three attacks but let these other 50 keep going but .. anyway …. ) so Cyberarms basically gave away a semi-full protection thus not getting the licenses sold needed to be able to further develop the product and to keep marketing and staff and etc.

This was also discussed in the Syspeace team as a possible way to reach out to new customers but we decided to make it a fully functional trial instead since we did see the risk in what happened to Cyberarms would happen to Syspeace too i.e. people only using the free version and being content with the semi-full functionality.

So, as sad I am to see them go, hopefully this might at least have more users and sysadmins to have a look at Syspeace for Windows Server protection. Regardless if it’s RDP, Citrix, SQL, Exchaneg OWA and more. If it’s reachable, people will try to brute force it.
The problem is there and now there’s one less security software to choose from to protect from it.

Juha Jurvanen

The anatomy of hacking attacks and a few countermeasures

konsult inom backup It säkerhet molntjänster hacking attacks

Various hacking attacks against servers and users

First of all, there are multiple types of hacker attacks and they all have different purposes.
There are also many different types of hackers and they all have cool names like “White hat” hackers and “Black hat” hacker.
The White Hat ones are usually the security experts hired at a company to check and verify the IT security measures at other companies.
The Black Hat hackers are not. They’re the ones to be afraid of.
I’m neither of them. I’m simply a consultant and the best of these guys know far more about theses things than I do but still, I thought I’d run through a few common attacks targeted to accomplish various things.

There are many reasons why an attacker wants to hack you.

It could be hacktivism and political reasons or an attempt to gain access to your server to be able to use it for hacking others (basically they want access to your CPU, RAM and disk to hide stolen data and tools, mine for Bitcoins or whatever and to have an IP address to use, not leading back to their own).
There’s a few very cool and easy ways to hide files on servers that ar more or less impossible to find such as hiding a file “behind” another file and so on.

Of course in some cases it can also be about trying to steal company secrets (industrial espionage), possibly a former (or current for that matter, internal data theft and hacking is far more common than you’d expect) discontent employee looking to sabotage or looking for revenge or in some cases, just for the fun of it to see if it can be done.

The pre-run. Checking out your site, server with portscans and bruteforce atttacks

First of all, any hacker will need to know what you’re running and what it looks like. “Know thy enemy” so to speak.
Usually a portscan of your servers will reveal quite a lot of information and there are loads of tools to do this, quietly, undetected and efficiently such as nmap or even Google actually.

In order to make it a bit more difficult for them I’d suggest you have your firewall correctly configured for blocking portscans, your servers on a DMZ and also to hide any banner revealing what software you’re running and what version. This can’t be done with all software I’m afraid but the ones that you can, please consider doing so.
For a hacker to know exactly what you’re running will only make his/her life much easier since all they do is to start
looking for any known vulnerabilities and so called exploits to that software and version.
Usually software developers have released a patch but unfortunately, a lot of software never gets updated in time due to the old “if it works, don’t fix it” attitude among a lot of server tekkies and hosting providers.

Another thing is to move all default pages and scripts (or delete them if you’re not using them) to make a bit more difficult to figure out what you’re actually running and how it is setup. Have for instance 404 error messages redirected to the start page or Google or your worst competitor and also 403 errors ..

DoS attacks and DDoS attacks and also hiding behind them.

A DoS attack is a “Denial of Service” attack which means that your server is in some way attacked and made to stop servicing your clients / users or customers the way it’s supposed to, for instance your webmail / OWA or a webshop or RDP services.

This can be accomplished in many ways. A DDoS attack is a DoS attacked but with the difference that it is a Distributed DOS attack meaning there are a lot of more computers involved in doing the attack.
These attacks often have the main purpose of taking a website down by overloading it really.

If you’ve got a web server servicing for instance a webshop and a hackergroup for some reason don’t like you, they’ll get a few hundred thousand computers around the world to ask for a specific document or picture on your website, thus overloading it so it can’t really service your customers since the server is busy handling the bogus requests.

It is not uncommon also for a hacker to hide behind these attacks to try and find out what kind of countermeasures you have in place such as Syspeace. The idea behind it is basically to became invisible in all the log noise a DDoS attack generates.

Worst case, hacking attacks such as this can actually go on for weeks and it has happened often. That is also simply an extortion. “If you pay us this and this much , your webshop will be back online again, otherwise not”. For some companies this of course could be an absolute disaster, imagine for instance around the Christmas sales.

Now, it might sound impossible to find a few hundred thousand computers to get such an attack underway. It’s not. They’re out there in botnets spread over VPS and physical machines and they’re for hire even. Including a trial run and with support.
Brave new world ..

There are ways to handle these attacks. For instance increasing the service capacity on the server, increasing you bandwidth and also have a talk with your ISP on how to mitigate the attacks if they have solutions in place for it. You could also have for instance a powerful SNORT server in front of the firewall to get rid of some of the traffic. You should also have Syspeace in place for handling the bruteforce atatcks

Poorly updated applications or neglected updates and 0day exploits

If a server is poorly updated and the application/website is sensitive for instance that the hacker simply adds some code against the webaddress trying to browse the file system on the server then this can also render in a DOS attack or even worse, the attacker gets hold of the users and administrator/ root passwords. Once they’ve got that, your pretty much ..well. you won’t be having a good day. Basically you need to make sure your webserver is always correctly updated, and you also need to make sure that the underlying file system can’t be reached from the outside more than absolutely necessary.
Make sure you checked every directory and path on the website and what actually is reachable, writeable and browsable. If you’ve got pages you don’t want indexed then hadndle that in the robots.txt or have them secured behind a user login page.If you’re running a Wordporess site, make sure you hav alarma set up for outdated plugins, changes to files and so on and and make sure to deal with it asap.

Unfortunately, from time to time there are also so called 0day exploits out in the wild and those are very hard to defend yourself against. If get alerted that there is one in the wild for your environment, please keep alert and stay on your toes until a patch is released and follow any best practices released by the vendor! This can also fall under the category viruses and trojans further down.

SQL Injections and badly formatted requests

If the website uses a SQL Server / MySQL or has any input form to validate or gather something, please make sure that the application strips away any characters that could make your server vulnerable to SQL Injections since the SQL Server is usually run with administrative rights making the SQL Server injections being run with high privileges and accessing the operating system.

If you don’t know how the application is written, please contact the developers of it and ask them and have them verify this.

For any part of the website where there are input forms, makes sure that all input is validated in terms of what characters are used and how long the input is.
If a website is poorly written and poorly validated, a memory buffer overflow can occur which basically means that the input is so large or strangely formatted that the server will stop working or even give the attacker access to the servers operating system by overwriting stuff in the RAM in a way that it’s not supposed to.

Viruses, rootkits and trojans.

If an attacker has been able to lure your users to a site that contains infected code (sometimes also called drive by hacking) and the web browser or plugins to it (Java, Adobe, Flash and so on) are sensitive to that particular infections you user might come down with an infected computer.
Depending on what actually has been infected and why the consequences vary of course.

This is often done by sending emails with links to websites or trying to get user to plug in an infected USB stick into their PC.

I’ve heard of companies that have been affected with a virus rendering them unable to work since nobody was allowed to even plug in their computers to the work networks until they could be sure they’d got rid of it. In this case it was a lot of computers so I think it took them 3 week until people actually could start working again, 3 weeks without any work. That’s a costly thing for any company.The same standstill could also come from a ransom virus, basically encrypting all your files and you’ll have to pay money to get the right decryption password.

The way to minimize such a horrible standstill is to make sure that ALL of your devices connecting to the network are properly updated with antivirus products (please do not use the free ones ..ever!) but also you need to make sure that any other software is properly updated . Java, Flash, and the operating system itself .
This also goes for workstations connecting from home and so on or otherwise you might be in for a bad day. You should also be very restrictive when it comes to letting users use USB drives and stuff. They might be infected with something.

MITM – Man in the Middle, proxies and easedropping

If you’ve got a corporate network, you want to know what devices actually are on it and why. If someone for instance sets up a computer and has all of the corporate traffic routed through (by acting a proxy) , all of your communicating is being copied and this can be done in various ways. The same goes actually for you if you’re using public WiFi hot spots which I would never recommend anyone really using. To intercept data isn’t very difficult unfortunately, especially if it isn’t protected by valid certificates.
You need to use valid SSL certificates and there’s no reason to use anything lower that 2048 encryption and you must also disable weak cipher and other stuff before your SSL is correctly set up. Check your configuartion against for instance on Qualsys SSL Labs.
Also make sure that all communications are secured within your network.

Brute force and dictionary attacks.

I’ve written loads and loads on this earlier so I won’t linger on it. A brute force or dictionary attack is basically someone trying to get access to your server by guessing the username and correct password using a large list of common passwords or a dictionary and simply trying them one by one (well, thousands at a time really since its’s automated).

To protect your servers and user you need to have a intrusion prevention system in place. For Windows Servers I recommend using Syspeace (and you can also use Sysepace for protecting web applications you’ve protected through the Syspeace API) and on Linux servers I’d have a look at fail2ban. You should also use and enforce complex passwords.

Anything that comes with a default password for logins (routers, switches, printers and so on) should have the password changed from default!
These are always sensitive to brute force attacks and there are sites on web listing thousandfs of default passwords out there

You should also have a very strict policy to immediately block an employees account as soon as they’re no longer with the company and you should be very careful with what user rights you grant your users since they can easily be misused.
You should also have software in place for managing mobile phones and other devices that your employees have and the ability to wipe them clean if they get stolen or if you suspect internal mischief from an employee.

On site data theft and social engineering.

Well. In a sense , it’s not hacking but it’s more fooling people. Not the initial part anyway.
Basically someone turns up, claiming to be from the phone company, a cleaning company, your IT support company or anything that makes sense and they want access to the data center, server room to “fix” something. This is also referred to as social engineering. First the hacker finds out as much as possible about the company they’re attacking and then use that information to gain access to workstations or servers within the company,

Once they’ve actually gained access, they’ve got USB sticks to insert into workstations or servers , either loading a software into them such as trojans or keyloggers or just something that elevates rights or maybe they’re simply after just copying the data.
It all depends on how much time they have and if they’re alone. In some scenarios it might even just be a trick for them to gain access to backup tapes since all the companys data is on them .
They could also bribe janitors, cleaning staff and so on to steal backup tapes for them since they far too often will have access to the datcenters and they’re
not that highly paid.

There are a lot of tools that can simply put on a USB stick, boot up the server and you can reset administrator passwords, overwrite systemfiles (or plant a trojan or destroy them to render the server unbootable) , steal data and so on and a lot of them are surprisingly user friendly like for instance Hiren’s BootCD

A variation of this is of course people phoning someone up, claiming to be from the IT departement or Microsoft or somewhere, wanting to “help you” with a problem and asking for remote access to your computer. Once they gain access, they’ll do same things. Plant a trojan or a virus or a keylogger and the basically own the computer.

To protect your company data please always make sure you know who and why people are on site, never have anyone come near servers without supervision or the users workstations and if possible, disable any USB ports and always use password protected screen savers.

Every device on your network must also have a good antivirus running in case someone still manages to put an infected USB stick into the workstation.
Also make sure you talk the users about the hazards of giving anyone access to their computer.

If you suspect you’ve been hacked. What to do. Contingency planning

First of all, try to verify that you have been hacked and also try to find out when. In some cases you’ll have to revert to backups taken BEFORE you we’re hacked to be sure that you don’t restore a root kit or something.
This also means your backup plans and DRP plans need to take these scenarios into account so don’t be cheap with the number of generations you actually save.
You might need something from 6 months ago.

Try to find out what happened, when it happened, how it happened and have it fixed before you allow access to the server again. There’s no sense in setting the same flawed server up again. It will only be hacked again,

Don’t be afraid to make it a matter for the police. They need to know about it and they want log files and any documentation you may have.

When you get the server up and running again (or preferably before you’ve been hacked) make sure to have monitoring set up for the server. If it’s a website for instance, you want to be alerted if anything changes on in the html code for website for instance, or if the site is responding slowly (this doesn’t have to mean you’ve been attacked but could point to other problems also such as disk problems, misconfigured server settings or ..well..anything really. In any case you want to look into it.)

So , these were only a few methods and there a loads and loads more of them .

I’ve written a few other blog articles on securing servers, data centers and on brute force prevention and here’s a few links to previous articles. Most of are copied from older blogs and I do admit I haven’t nor proofread them nor formatted them for this site yet. I will. Eventually.

Articles by Juha Jurvanen on securing your server environments

Securing server environments – Part I – Physical aspects

Securing server environments – part II – Networking

Securing your Windows servers and MSExchange with an acceptable baseline security | Syspeace – Brute force and dictionary attack prevention for Windows servers

Windows Server intrusion prevention for Cloud providers and hosting providers

Should you need consulting or ideas on these questions or on backup/restore or on building cloud services / migrating to cloud services ,
I’m reachable by clicking the link below.

Juha Jurvanen – Senior IT consultant at JufCorp”>By Juha Jurvanen – Senior IT consultant at JufCorp

TLS 1.1, TLS 1.2 och SSL certifikat på Microsoft IIS Server och Exchange Server

Vad är ett SSL certifikat ?

konsult inom backup It säkerhet molntjänster SSL

Ett SSL certifikat används för att kryptera trafiken mellan en klientenhet (PC, MAC, Android , iPhone o.s.v. ) och en server. Det här är en väldigt viktig funktion både ur säkerhetsaspekter men även ur funktionalitet då många system idag kräver krypterad kommunikation för att fungera fullt ut som t.ex. Microsoft Exchange och Microsoft RDS Servers (Remote Desktop servers) .
TLS är egentligen en vidareutveckling av just SSL även om man i dagligt tal pratar om just SSL certifikat.

SSL / TLS används också för att validera att servern är den som den utger sig för att vara genom att din enhet kontrollerar med en tredje part att det här certifikatet är giltigt och att det är den serven som faktiskt har det installerat.
Enklast ser du att allt står rätt till om det står https i adressfältet i din webbläsare och att du inte har felmeddelanden kring certifikatet.

SSL är dock inget skydd mot t.ex. lösenordsattacker mot Windows Server. För den typen av skydd behövs Syspeace

Räcker det att ha SSL installerat på servern ?

Många företag tror tyvärr att det räcker men det gör det inte. I den här korta artikeln ska jag fokusera på Microsoft IIS Server d.v.s deras webbserver som finns inbyggd i Microsoft Windows Server.I en del fall nöjer man sig även med att ha bara egenutfärdade certifikat dvs dessa valideras inte av en tredje part.
Det här är absiolut inte att rekommendera i en driftsmiljö. Knappt ens i testmiljö eftersom det är en del manuell hantering och det är ofta svårt att helt efterlikna driftsmiljön.

Kontrollera er SSL installation gratis

Det finns gratis verktyg på nätet för att kontrollera status och hur ni satt upp SSL på just er IIS server.
Sök på t.ex. SSL Check på Google och ni kommer hitta många bra verktyg för detta. Personligen gillade jag https://sslcheck.globalsign.com/en_US eftersom den hade ett enkelt gränssnitt och bra förklaringar till de olika delarna och även https://www.ssllabs.com/ssltest/analyze.html?d=jufcorp.com&latest som även undersöker för sårbarheter mot t.ex. POODLE.

SSL och IIS server i standardinstallation

En standardinstallerad Windows server ger vanligen betyg F dvs underkänt, även om man installerat ett godkänt SSL certifikat.

Många av standardvärdena i Microsoft IIS tillåter svaga krypteringar och SSLv2 och SSLv3, och dessa borde inte tillåtas p..g.a. risken att de kan utnyttjas till olika saker (t.ex. datastöld, s.k. Man in the Middle attacker dvs någon annan utger sig för att vara den servern som du tror att du kommunicerar med men man avlyssnar egentligen all trafik) .
Det saknas även en del viktiga inställningar i registret för Forward Secrecy o.s.v

Det behövs alltså fler ingrepp i servern och här gäller det att göra rätt och tänka på t.ex. kompabilitet mot Activesync om det t.ex. är en Microsoft Exchange server men även för Remote Desktop Server.
Det krävs helt enkelt en del ingrepp i serverns registry vilket i värsta fall kan leda till att servern slutar fungera.

Kontakta mig för hjälp och frågor

“Det finns inget Molnet – det är bara någon annans dator” – Om molntjänster och var finns egentligen datat ?

konsult inom backup It säkerhet molntjänster och infratruktur Molnet
För ett tag sen såg jag just den texten på en dekal som någon lagt upp på Facebook i en grupp jag är med i och jag log glatt.
Det påminde mig om en sak jag skrev för några år sen just om det.

kontentan i den är just att oavsett hur vi ser på Molnet och molntjänster så är det helt enkelt så att inget data bara flyter runt magiskt i luften. Nånstans lagras det alltid fysiskt på en hårddisk i någon datahall. Det finns många olika sätt att lagra data men till syvende och sist hamnar det alltid på en hårddisk av något slag som SAS, SCSI, FLASH o.s.v

Det som kan vara viktigt att tänka på när man köper molntjänster är just att veta var den datahallen (eller datahallarna för den delen ) faktiskt finns.
Finns ert data i Sverige eller på Irland eller kan leverantören ens garantera var data befinner sig ?

Hur hanterar leverantören t.ex. antivirus och SPAM filtrering ? Går det över någon amerikanskt tjänst och i så fall, vem har till gång till era mail ?

Om man t.ex. hanterar känsligt material som man inte vill ska färdas över nationsgränserna till något amerikanskt bolag med allt det innebär kanske inte Office365 eller Googles molntjänster är dem man ska titta på. Det kanske t.o.m är mera intressant att se över hur man kan bygga ett privat moln ?

Man kanske även har andra behov som att flytta sitt befintliga CRM eller ekonomisystem till en molntjänst men att göra det till de stora leverantörerna kan vara avsevärt mera komplext än vad man förutsåg. Att köra Microsoft Office och andra standardprogram är sällan svårt att få till men gäller det att flytta mera udda och komplexa system så kan det bli ganska komplicerat , om det ens går att göra ?

I samma andetag är det naturligtvis också väldigt högaktuellt att tänka på de här sakerna då många ser över att migrera sina Windows Server 2003 till antingen nyare serverplattformar eller att flytta sina funktioner till Molnet.

Inlägget jag skrev om publika moln, hybrida moln, VPS o.s.v. finns att läsa här

Kontakta mig