Archives for hacking

Brute force attacker ökar

Brute force attacker ökar T konsult IT säkerhet

Brute force attacker ökar

Ett av de ämnen jag tidigare skrivit mycket kring är just kring att ordboksattacker eller brute force attacker ökar och är ett verkligen svårt problem att hantera. Principen bygger alltså på att en hackare försöker gissa sig till användarnamn och lösenord. Ofta är användarnamnet t.ex. en persons e-post adress eller i Windows domäner t.ex företaget\användarnamn och med den kunskapen har ju hackaren redan hälften av inloggningen.

Resten är lösenordet och om det är något vanligt lösenord eller en vanlig variation på det så kommer det inte ta lång tid för en hackare att faktiskt ta över personens konto.

Allt det här är naturligvis helt automatiserat dvs det sitter ingen  för hand och försöker skriva in användarnamn och lösenord utan hackarna använder olika script som kan testa tusentals kombinationer av lösenord samtidigt med olika resultat. De kanske lyckas bryta sig in, låsa användarnas konton, krascha servrar för överbelastning o.s.v.

Den här artikeln på Techworld ( https://techworld.idg.se/2.2524/1.698276/olovliga-inloggningsforsok) pekar också på att just den typen av attacker ökar och med all sannolikhet kommer fortsätta göra det.

Några av problemen med dessa attacker (förutom det alldeles uppenbara att hackaren faktiskt lyckas gissa rätt och då har tillgång till ert data) är att det tar maskinresurser, fyller bandbredd och är väldigt, väldigt svåra att hantera manuellt.
Tänk t.ex. när en attack kommer från 1000 eller 10 000 datorer samtidigt,. Att manuellt stoppa det i en brandvägg är inte realistisk och i vissa system som t.ex. i Windows domäner finns oftast ingen koppling mellan händelsen inloggning och brandvägg. Jag driftar, övervakar och hjälper företag så jag ser hundratals såna här attacker varje dag som pågår.

Att i efterhand kunna se vad som hänt är värdefullt för t.ex. polisanmälningar och historik men primärt behöver attackerna stoppas, sedan analyseras men att göra det manuellt är som sagt helt orealistiskt och behöver automatiseras.

Det finns lösningar, programvaror och sätt att automatiskt hantera de här frågorna på de flesta plattformar och system men det kräver lite eftertanke och planering, enligt min mening tid som är mycket väl investerad för att skydda era system mot brute force attacker.

Vill ni veta mer om hur man kan skydda sig mot detta i Windows, Linux, WordPress,Exchange Server osv , kontakta mig här
<

Kontakta JufCorp
backup disaster recovey konituitetsplanering IT säkerhet molntjänster syspeace kontakta JufCorp

Kontakta JufCorp AB för frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och frågor kring intrångssäkerhet.

Boka ett gratis möte för att se hur jag kan hjälpa er eller beställ licenser för  F Secure PSB (övervakad antivirus till fast månadskostnad) eller Syspeace ?

Om ni hellre vill ringa direkt så nås jag på 0709 666 997

Ditt namn (obligatorisk)

Företag

Din epost (obligatorisk)

Telefon

Ämne (obligatorisk)

Ditt meddelande (obligatorisk)

När och hur vill ni bli kontaktade?
TelefonE PostPersonligt möteFörmiddagEftermiddagKväll

Vad gäller saken ? Välj en eller flera områden om du vill

Från när behöver ni hjälp ?

Skriv in nedanstående text för verifiering (obligatorisk)

captcha

 

Senaste uppdateringarna på JufCorps  FaceBook sida

 

 

F Secure hittar ny, kritisk sårbarhet i Intels produkter #infosec

Finska F Secure har hittat ytterligare en kritisk sårbarhet i Intels produkter. Denna sårbarhet har inget med de nyligen publicerade #Meltdown och #Spectre utan ligger i Intel Active Management Technology (AMT). 

Om en angripare har fysisk tillgång till datorn kan alla säkerhetsmekanismer kringås som antivirus, diskkryptering och datorn är helt oskyddad mot angriparen som därefter fjärrstyra, avlyssna, kopiera data osv. 

Enligt F Secure är det också förvånansvärt enkelt att utnyttja bristen men konsekvenserna kan vara oerhörda då den här sårbarheten kan påverka miljontals laptops världen över.

Läs mer nedan

https://www.msn.com/en-us/news/technology/finnish-firm-detects-new-intel-security-flaw/ar-AAuBsgI?ocid=News

Ny #WordPress 4.8.2 med XSS säkerhetsfixar släppt

Den senaste versionen löser ett antal sk XSS sårbarheter som innebär att en hacker kan lura en klient att exekvera kod från en annan webbplats. 

Rekommendationen är att uppdatera sina system vid tillfälle då dessa sårbarheter nu är allmänt kända. 

Tänk även på att uppdatera alla tillägg och hålla koll på vilka tillägg som uppdateras i framtiden. 

Hackers använder sig av just ofta av gamla tillägg för att kringgå säkerhet och med populariteten kring #Wordpress finns det många hemsidor att använda som mål.

Mer information om vilka sårbarheter som åtgärdats finns här

För hjälp med frågor kring säkerhet på t.ex WordPress och hantering , kontakta mig 

Ny #WordPress 4.8.2 med XSS säkerhetsfixar släppt

Den senaste versionen löser ett antal sk XSS sårbarheter som innebär att en hacker kan lura en klient att exekvera kod från en annan webbplats. 

Rekommendationen är att uppdatera sina system vid tillfälle då dessa sårbarheter nu är allmänt kända. 

Tänk även på att uppdatera alla tillägg och hålla koll på vilka tillägg som uppdateras i framtiden. 

Hackers använder sig av just ofta av gamla tillägg för att kringgå säkerhet och med populariteten kring #Wordpress finns det många hemsidor att använda som mål.

Mer information om vilka sårbarheter som åtgärdats finns här

För hjälp med frågor kring säkerhet på t.ex WordPress och hantering , kontakta mig 

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

JufCorp AB hjälper företag och föreningar med frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

 

Som kuriosa tänkte jag nämna en massiv s.k. Brute Force attack / Dictionary attack (på svenska kallad ordboksattack) som pågår just nu med ursprung i USA och som verkar rikta in sig mot asvenska servrar (ett flertal av mina kunder har drabbats).
Den är inte att blanda ihop med den massiva #WannaCrypt attacken som handlar ransomvirus utan är en helt annan typ av attack där inkräktaren försöker att gissa sig till användarnamn och lösenord eller bara att överbelasta servrarna med felaktiga inloggningsförsök.

En gemensam nämnare i just den här attacken är att de använder sig av inloggningsdomänen som inloggningsnamn.
Nedan är en lista på “dagens skörd” av blockerade IP adresser som intrångsskydden blockerat på en enda servrar mellan midnatt och 13:30 hittills idag .

För att se om ni är drabbade, kontrollera Windows Security log.

Om ni är drabbade är ni naturligtvis välkomna att kontakta mig här för hjälp med att hantera attacken eller för att skydda er mot kommande attacker

IP address Times Host name and country
——————– —– ——————————-
5.102.141.94 2 rev-94.141.102.5.tribion.com; Netherlands (NL)
5.103.29.79 2 static-5-103-29-79.fibianet.dk; Denmark (DK)
5.144.158.193 2 ; United Kingdom (GB)
8.3.64.82 2 mail.sharpcnc.com; United States (US)
8.23.71.66 2 BJP2U36T-PC; United States (US)
8.27.164.197 2 ip-8-27-164-197.trucom.com; United States (US)
12.163.187.130 2 ; United States (US)
12.177.217.60 2 ; United States (US)
12.219.206.146 2 ; United States (US)
12.250.27.210 2 ; United States (US)
13.65.24.104 2 ; United States (US)
13.67.181.161 2 ; United States (US)
13.68.88.62 2 ; United States (US)
13.68.92.114 2 ; United States (US)
18.159.7.137 2 koch-six-forty-eight.mit.edu; United States (US)
23.25.213.172 2 23-25-213-172-static.hfc.comcastbusiness.net; United States (US)
23.227.200.187 2 ; United States (US)
24.13.84.17 2 c-24-13-84-17.hsd1.il.comcast.net; United States (US)
24.45.36.135 2 ool-182d2487.dyn.optonline.net; United States (US)
24.47.123.214 2 ool-182f7bd6.dyn.optonline.net; United States (US)
24.136.114.234 2 rrcs-24-136-114-234.nyc.biz.rr.com; United States (US)
24.172.55.54 2 fbiconstruction.com; United States (US)
24.204.55.66 2 mail.jtparkerclaims.com; United States (US)
24.248.203.94 2 wsip-24-248-203-94.ks.ks.cox.net; United States (US)
24.248.223.50 2 wsip-24-248-223-50.ks.ks.cox.net; United States (US)
27.74.243.108 2 tsgw.rcasp.se; Vietnam (VN)
34.192.198.19 2 ec2-34-192-198-19.compute-1.amazonaws.com; United States (US)
37.252.129.11 2 ; Switzerland (CH)
40.71.27.108 2 ; United States (US)
40.76.37.25 2 ; United States (US)
40.86.191.167 2 ; United States (US)
40.135.9.233 2 h233.9.135.40.static.ip.windstream.net; United States (US)
45.17.245.230 2 45-17-245-230.lightspeed.hstntx.sbcglobal.net; United States (US)
45.20.208.49 2 45-20-208-49.lightspeed.rlghnc.sbcglobal.net; United States (US)
45.32.160.56 2 45.32.160.56.vultr.com; United States (US)
45.40.139.116 2 ip-45-40-139-116.ip.secureserver.net; United States (US)
45.63.4.229 2 45.63.4.229.vultr.com; United States (US)
46.231.187.166 2 ; United Kingdom (GB)
47.21.46.106 2 ool-2f152e6a.static.optonline.net; United States (US)
47.23.136.187 2 ool-2f1788bb.static.optonline.net; United States (US)
47.146.183.166 2 ; United States (US)
47.180.64.184 2 static-47-180-64-184.lsan.ca.frontiernet.net; United States (US)
50.47.72.226 2 50-47-72-226.evrt.wa.frontiernet.net; United States (US)
50.73.101.155 2 50-73-101-155-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.16.81 2 50-76-16-81-static.hfc.comcastbusiness.net; United States (US)
50.76.63.221 2 50-76-63-221-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.167.3 2 50-76-167-3-static.hfc.comcastbusiness.net; United States (US)
50.76.202.210 2 50-76-202-210-static.hfc.comcastbusiness.net; United States (US)
50.77.83.137 2 50-77-83-137-static.hfc.comcastbusiness.net; United States (US)
50.77.201.132 2 50-77-201-132-static.hfc.comcastbusiness.net; United States (US)
50.79.7.213 2 50-79-7-213-static.hfc.comcastbusiness.net; United States (US)
50.79.105.34 2 50-79-105-34-static.hfc.comcastbusiness.net; United States (US)
50.192.13.145 2 50-192-13-145-static.hfc.comcastbusiness.net; United States (US)
50.192.141.193 2 50-192-141-193-static.hfc.comcastbusiness.net; United States (US)
50.196.247.193 2 50-196-247-193-static.hfc.comcastbusiness.net; United States (US)
50.197.82.185 2 50-197-82-185-static.hfc.comcastbusiness.net; United States (US)
50.198.160.161 2 50-198-160-161-static.hfc.comcastbusiness.net; United States (US)
50.199.237.34 2 50-199-237-34-static.hfc.comcastbusiness.net; United States (US)
50.203.190.178 2 mail.intermediagroup.org; United States (US)
50.205.10.174 2 50-205-10-174-static.hfc.comcastbusiness.net; United States (US)
50.205.117.51 2 50-205-117-51-static.hfc.comcastbusiness.net; United States (US)
50.233.197.222 2 50-233-197-222-static.hfc.comcastbusiness.net; United States (US)
50.240.252.205 2 50-240-252-205-static.hfc.comcastbusiness.net; United States (US)
50.241.38.49 2 50-241-38-49-static.hfc.comcastbusiness.net; United States (US)
50.243.129.194 2 50-243-129-194-static.hfc.comcastbusiness.net; United States (US)
50.248.123.221 2 50-248-123-221-static.hfc.comcastbusiness.net; United States (US)
50.254.34.165 2 50-254-34-165-static.hfc.comcastbusiness.net; United States (US)
50.254.133.245 2 50-254-133-245-static.hfc.comcastbusiness.net; United States (US)
52.5.139.105 2 ec2-52-5-139-105.compute-1.amazonaws.com; United States (US)
52.6.224.229 2 ec2-52-6-224-229.compute-1.amazonaws.com; United States (US)
52.23.118.225 2 ec2-52-23-118-225.compute-1.amazonaws.com; United States (US)
52.26.151.34 2 ec2-52-26-151-34.us-west-2.compute.amazonaws.com; United States (US)
52.39.168.186 2 ec2-52-39-168-186.us-west-2.compute.amazonaws.com; United States (US)
52.70.19.127 2 ec2-52-70-19-127.compute-1.amazonaws.com; United States (US)
52.73.103.93 2 ec2-52-73-103-93.compute-1.amazonaws.com; United States (US)
52.89.217.62 2 ec2-52-89-217-62.us-west-2.compute.amazonaws.com; United States (US)
52.168.20.3 2 RACESA; United States (US)
52.168.86.1 2 RACESA; United States (US)
52.170.39.1 2 ; United States (US)
52.173.17.163 2 ; United States (US)
52.200.66.163 2 ec2-52-200-66-163.compute-1.amazonaws.com; United States (US)
54.83.47.75 2 ec2-54-83-47-75.compute-1.amazonaws.com; United States (US)
54.86.14.226 2 ec2-54-86-14-226.compute-1.amazonaws.com; United States (US)
54.149.137.41 2 ec2-54-149-137-41.us-west-2.compute.amazonaws.com; United States (US)
54.157.197.20 2 ec2-54-157-197-20.compute-1.amazonaws.com; United States (US)
54.173.247.253 2 ec2-54-173-247-253.compute-1.amazonaws.com; United States (US)
54.243.64.201 2 ec2-54-243-64-201.compute-1.amazonaws.com; United States (US)
64.19.195.138 2 64-19-195-138.c7dc.com; United States (US)
64.40.136.36 2 ; United States (US)
64.60.63.18 2 64-60-63-18.static-ip.telepacific.net; United States (US)
64.61.65.67 2 static-64-61-65-67.isp.broadviewnet.net; United States (US)
64.135.85.4 2 mail.mmpusa.com; United States (US)
64.203.121.118 2 static-64-203-121-118.static; United States (US)
65.25.200.33 2 cpe-65-25-200-33.new.res.rr.com; United States (US)
65.26.224.113 2 cpe-65-26-224-113.wi.res.rr.com; United States (US)
65.35.122.111 2 65-35-122-111.res.bhn.net; United States (US)
65.51.130.102 2 41338266.cst.lightpath.net; United States (US)
65.184.92.138 2 cpe-65-184-92-138.sc.res.rr.com; United States (US)
66.103.3.246 2 ; United States (US)
66.161.214.122 2 cvg-partners.static.fuse.net; United States (US)
66.172.199.188 2 static.longlines.com; United States (US)
66.194.51.146 2 66-194-51-146.static.twtelecom.net; United States (US)
66.199.16.130 2 asg.sbc.net; United States (US)
66.207.228.204 2 vancestmed1.intrstar.net; United States (US)
67.52.39.30 2 rrcs-67-52-39-30.west.biz.rr.com; United States (US)
67.135.195.250 2 67-135-195-250.dia.static.qwest.net; United States (US)
67.136.185.218 2 ; United States (US)
67.177.69.207 2 c-67-177-69-207.hsd1.al.comcast.net; United States (US)
67.182.27.250 2 c-67-182-27-250.hsd1.ca.comcast.net; United States (US)
67.199.46.32 2 ; United States (US)
67.210.56.23 2 ; United States (US)
68.10.137.200 2 ip68-10-137-200.hr.hr.cox.net; United States (US)
68.34.50.181 2 c-68-34-50-181.hsd1.mi.comcast.net; United States (US)
68.129.33.18 2 static-68-129-33-18.nycmny.fios.verizon.net; United States (US)
68.198.150.65 2 ool-44c69641.dyn.optonline.net; United States (US)
69.19.187.134 2 69-19-187-134.static-ip.telepacific.net; United States (US)
69.77.156.178 2 69-77-156-178.static.skybest.com; United States (US)
69.87.217.243 2 CLOUD-89T44LGN2; United States (US)
69.125.1.18 2 ool-457d0112.dyn.optonline.net; United States (US)
69.160.54.11 2 WEB2012; United States (US)
69.174.171.150 2 c185915-v3292-01-static.csvlinaa.metronetinc.net; United States (US)
69.193.209.138 2 rrcs-69-193-209-138.nyc.biz.rr.com; United States (US)
70.60.5.210 2 rrcs-70-60-5-210.central.biz.rr.com; United States (US)
70.89.79.211 2 70-89-79-211-georgia.hfc.comcastbusiness.net; United States (US)
70.90.200.250 2 70-90-200-250-albuquerque.hfc.comcastbusiness.net; United States (US)
70.90.212.126 2 70-90-212-126-saltlake.hfc.comcastbusiness.net; United States (US)
70.169.140.124 2 wsip-70-169-140-124.hr.hr.cox.net; United States (US)
70.171.217.25 2 ip70-171-217-25.tc.ph.cox.net; United States (US)
70.182.31.80 2 wsip-70-182-31-80.fv.ks.cox.net; United States (US)
70.182.247.14 2 wsip-70-182-247-14.ks.ks.cox.net; United States (US)
71.43.115.10 2 rrcs-71-43-115-10.se.biz.rr.com; United States (US)
71.95.178.34 2 71-95-178-34.static.mtpk.ca.charter.com; United States (US)
71.125.51.247 2 pool-71-125-51-247.nycmny.fios.verizon.net; United States (US)
71.126.153.21 2 static-71-126-153-21.washdc.fios.verizon.net; United States (US)
71.174.248.106 2 static-71-174-248-106.bstnma.fios.verizon.net; United States (US)
71.186.195.114 2 static-71-186-195-114.bflony.fios.verizon.net; United States (US)
71.189.243.4 2 static-71-189-243-4.lsanca.fios.frontiernet.net; United States (US)
71.191.80.42 2 static-71-191-80-42.washdc.fios.verizon.net; United States (US)
71.207.69.236 2 c-71-207-69-236.hsd1.pa.comcast.net; United States (US)
71.224.178.158 2 c-71-224-178-158.hsd1.pa.comcast.net; United States (US)
72.16.147.58 2 72-16-147-58.customerip.birch.net; United States (US)
72.38.44.180 2 d72-38-44-180.commercial1.cgocable.net; Canada (CA)
72.82.230.95 2 static-72-82-230-95.cmdnnj.fios.verizon.net; United States (US)
72.167.43.200 2 ip-72-167-43-200.ip.secureserver.net; United States (US)
72.174.248.122 2 host-72-174-248-122.static.bresnan.net; United States (US)
72.204.63.192 2 ip72-204-63-192.fv.ks.cox.net; United States (US)
72.215.140.252 2 wsip-72-215-140-252.pn.at.cox.net; United States (US)
72.215.215.20 2 wsip-72-215-215-20.no.no.cox.net; United States (US)
72.227.80.102 2 cpe-72-227-80-102.maine.res.rr.com; United States (US)
72.253.213.131 2 ; United States (US)
73.69.143.242 2 c-73-69-143-242.hsd1.ma.comcast.net; United States (US)
73.71.29.17 2 c-73-71-29-17.hsd1.ca.comcast.net; United States (US)
73.142.239.31 2 c-73-142-239-31.hsd1.ct.comcast.net; United States (US)
73.146.72.35 2 c-73-146-72-35.hsd1.in.comcast.net; United States (US)
73.189.105.76 2 c-73-189-105-76.hsd1.ca.comcast.net; United States (US)
73.208.34.64 2 c-73-208-34-64.hsd1.in.comcast.net; United States (US)
74.92.21.17 2 74-92-21-17-newengland.hfc.comcastbusiness.net; United States (US)
74.93.101.9 2 remote.youthfulinnovations.com; United States (US)
74.116.23.151 2 smoke2.bgglobal.net; United States (US)
74.118.182.77 2 res.anniversaryinn.com; United States (US)
74.143.195.146 2 rrcs-74-143-195-146.central.biz.rr.com; United States (US)
75.146.75.109 2 75-146-75-109-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.146.145.189 2 75-146-145-189-stlouispark.mn.minn.hfc.comcastbusiness.net; United States (US)
75.147.156.185 2 75-147-156-185-naples.hfc.comcastbusiness.net; United States (US)
75.149.28.17 2 75-149-28-17-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.30.201 2 75-149-30-201-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.129.98 2 75-149-129-98-connecticut.hfc.comcastbusiness.net; United States (US)
75.150.153.121 2 75-150-153-121-philadelphia.hfc.comcastbusiness.net; United States (US)
75.151.22.138 2 75-151-22-138-michigan.hfc.comcastbusiness.net; United States (US)
81.149.32.248 2 host81-149-32-248.in-addr.btopenworld.com; United Kingdom (GB)
81.149.160.149 2 host81-149-160-149.in-addr.btopenworld.com; United Kingdom (GB)
81.184.4.81 2 81.184.4.81.static.user.ono.com; Spain (ES)
82.70.235.49 2 mail.o-mills.co.uk; United Kingdom (GB)
82.152.42.172 2 ; United Kingdom (GB)
82.163.78.211 2 deals0.outdoor-survival-deals.com; United Kingdom (GB)
84.253.23.243 2 243.23.253.84.static.wline.lns.sme.cust.swisscom.ch; Switzerland (CH)
89.107.57.168 2 CLOUD-CBNJJIKJU; United Kingdom (GB)
93.174.93.162 2 no-reverse-dns-configured.com; Seychelles (SC)
94.173.101.19 2 fpc88091-dund16-2-0-cust18.16-4.static.cable.virginm.net; United Kingdom (GB)
95.143.66.10 2 cpe-et001551.cust.jaguar-network.net; France (FR)
96.2.4.59 2 96-2-4-59-dynamic.midco.net; United States (US)
96.48.86.169 2 s0106002719d04b85.vf.shawcable.net; Canada (CA)
96.56.31.221 2 ool-60381fdd.static.optonline.net; United States (US)
96.56.105.10 2 ool-6038690a.static.optonline.net; United States (US)
96.80.174.85 2 96-80-174-85-static.hfc.comcastbusiness.net; United States (US)
96.80.253.177 2 96-80-253-177-static.hfc.comcastbusiness.net; United States (US)
96.83.33.185 2 96-83-33-185-static.hfc.comcastbusiness.net; United States (US)
96.83.155.97 2 96-83-155-97-static.hfc.comcastbusiness.net; United States (US)
96.85.147.121 2 96-85-147-121-static.hfc.comcastbusiness.net; United States (US)
96.86.193.203 2 96-86-193-203-static.hfc.comcastbusiness.net; United States (US)
96.87.90.37 2 96-87-90-37-static.hfc.comcastbusiness.net; United States (US)
96.89.250.225 2 96-89-250-225-static.hfc.comcastbusiness.net; United States (US)
96.91.83.141 2 96-91-83-141-static.hfc.comcastbusiness.net; United States (US)
96.91.100.241 2 mail.holidayorg.com; United States (US)
96.91.120.121 2 96-91-120-121-static.hfc.comcastbusiness.net; United States (US)
96.93.179.141 2 96-93-179-141-static.hfc.comcastbusiness.net; United States (US)
96.95.3.53 2 96-95-3-53-static.hfc.comcastbusiness.net; United States (US)
96.248.216.162 2 static-96-248-216-162.nrflva.fios.verizon.net; United States (US)
96.250.18.213 2 pool-96-250-18-213.nycmny.fios.verizon.net; United States (US)
96.254.199.133 2 static-96-254-199-133.tampfl.fios.frontiernet.net; United States (US)
97.64.238.118 2 97-64-238-118.client.mchsi.com; United States (US)
97.74.229.216 2 ip-97-74-229-216.ip.secureserver.net; United States (US)
98.209.200.34 2 c-98-209-200-34.hsd1.mi.comcast.net; United States (US)
100.8.29.162 2 static-100-8-29-162.nwrknj.fios.verizon.net; United States (US)
100.12.162.203 2 mail.comjem.com; United States (US)
104.187.243.229 2 104-187-243-229.lightspeed.lnngmi.sbcglobal.net; United States (US)
104.207.135.1 2 104.207.135.1.vultr.com; United States (US)
107.180.77.25 2 ip-107-180-77-25.ip.secureserver.net; United States (US)
108.20.79.148 2 pool-108-20-79-148.bstnma.fios.verizon.net; United States (US)
108.39.247.102 2 pool-108-39-247-102.pitbpa.fios.verizon.net; United States (US)
108.53.118.53 2 pool-108-53-118-53.nwrknj.fios.verizon.net; United States (US)
108.58.195.45 2 ool-6c3ac32d.static.optonline.net; United States (US)
108.60.201.195 2 ; United States (US)
108.61.251.119 2 108.61.251.119.vultr.com; Australia (AU)
108.207.58.163 2 108-207-58-163.lightspeed.lnngmi.sbcglobal.net; United States (US)
109.169.19.116 2 ; United Kingdom (GB)
122.226.196.254 2 ; China (CN)
128.59.46.66 2 dyn-128-59-46-66.dyn.columbia.edu; United States (US)
131.156.136.114 2 ; United States (US)
132.160.48.210 2 ; United States (US)
144.202.132.50 2 144-202-132-50.baltimoretechnologypark.com; United States (US)
146.255.7.75 2 ; United Kingdom (GB)
148.74.244.26 2 ool-944af41a.dyn.optonline.net; United States (US)
162.17.170.225 2 mail.architecturalsheetmetal.com; United States (US)
162.230.118.128 2 162-230-118-128.lightspeed.sntcca.sbcglobal.net; United States (US)
162.231.82.33 2 adsl-162-231-82-33.lightspeed.irvnca.sbcglobal.net; United States (US)
162.246.155.16 2 ; United States (US)
166.62.43.55 2 ip-166-62-43-55.ip.secureserver.net; United States (US)
172.87.144.170 2 rrcs-172-87-144-170.sw.biz.rr.com; United States (US)
172.95.25.4 2 ; United States (US)
173.8.227.70 2 173-8-227-70-denver.hfc.comcastbusiness.net; United States (US)
173.10.137.213 2 173-10-137-213-busname-washingtondc.hfc.comcastbusiness.net; United States (US)
173.12.152.209 2 mail.bfbarchitects.com; United States (US)
173.13.72.50 2 outbound.oceanedge.com; United States (US)
173.14.78.21 2 173-14-78-21-sacramento.hfc.comcastbusiness.net; United States (US)
173.14.220.253 2 173-14-220-253-atlanta.hfc.comcastbusiness.net; United States (US)
173.26.48.212 2 173-26-48-212.client.mchsi.com; United States (US)
173.48.246.52 2 pool-173-48-246-52.bstnma.fios.verizon.net; United States (US)
173.160.91.10 2 173-160-91-10-atlanta.hfc.comcastbusiness.net; United States (US)
173.161.162.68 2 173-161-162-68-philadelphia.hfc.comcastbusiness.net; United States (US)
173.161.224.209 2 173-161-224-209-philadelphia.hfc.comcastbusiness.net; United States (US)
173.193.164.178 2 b2.a4.c1ad.ip4.static.sl-reverse.com; United States (US)
173.197.34.18 2 rrcs-173-197-34-18.west.biz.rr.com; United States (US)
173.220.18.197 2 ool-addc12c5.static.optonline.net; United States (US)
184.16.110.66 2 ; United States (US)
184.176.201.40 2 aexec.com; United States (US)
184.183.152.219 2 wsip-184-183-152-219.ph.ph.cox.net; United States (US)
185.52.248.40 2 ; Germany (DE)
185.129.148.169 2 ; Latvia (LV)
192.198.250.202 2 rrcs-192-198-250-202.sw.biz.rr.com; United States (US)
199.96.115.98 2 ; United States (US)
204.193.139.81 2 ; United States (US)
206.145.187.193 2 morriselectronics.net; United States (US)
208.38.233.43 2 c187290-03-v3409-static.nmchinaa.metronetinc.net; United States (US)
208.75.244.130 2 mail.aisin-electronics.com; United States (US)
208.105.170.100 2 rrcs-208-105-170-100.nys.biz.rr.com; United States (US)
208.180.181.72 2 208-180-181-72.mdlncmtk01.com.sta.suddenlink.net; United States (US)
209.240.184.73 2 OGKCPIPE.nwol.net; United States (US)
213.109.80.18 2 s-213-109-80-18.under.net.ua; Ukraine (UA)
216.81.103.42 2 ; United States (US)
216.170.126.36 2 ; United States (US)
216.176.177.92 2 ; United States (US)

A new brute force protection platform – Are you up for it ?

brute force protection
I firmly believe there’s a need for good brute force protection products. The ones currently available simply aren’t good enough for larger corporate needs or Cloud Service Providers really or they’re too expensive and complicated to use..

Some possible improvements are already out there for some of them such as Cyberarms going Open Source. At the time I helped start up Syspeace, I would say that Cyberarms was the main competitor and I was really surprised and sad they eventually decided to end their business.

With that said, there’s a good foundation using their code and improving it and modernizing it because there’s a lot of critical things missing in there in order to actually be useful for enterprises the way I see it. Actually, quite a few and there needs to be new functionality in there too. Not really disclosing my thoughts here about it though.

The ways to go about this, the way I see anyway, is to …

Open Source and brute force prevention

… sit down and have a close look at for instance the Cyberarms code and help out as an Open Source developer and try to get a product that’s free and beneficial for everyone.
The downside to that is, as with most Open Source, that if you’re a system administrator and something doesn’t work, you might want to have access to an actual support, helpdesk and getting help in troubleshooting. You also may want to be assured that development will continue.
You simply don’t have the time to search forums or read through the code to try and figure out what’s wrong or how to improve it and often enough, system administrators aren’t developers. I know I’m not very good at writing code myself anyway.

There’s also the risk of people coding losing the interest of an Open Source project, since they don’t make any money out of it and eventually start feeling they’re just wasting free time, resulting in that the product will eventually just die or stay stagnant and eventually become obsolete.

Creating a new brute force protection platform as a business idea

The second path would be to start up a new project with developers, marketing people and investors to actually build a product that is useful for enterprises and cloud providers and so on. Such a product needs to have quite a lot of functionality added compared to the ones that are already out there but with the right people and effort, it can be done. I’m absolutely sure of it.
These new ideas and functionalities are probably best provided by people who actually deal with these questions on a day to day basis i.e System Administrators, Server Managers and so on…

As you may or may not know I was previously deeply involved in the creation and startup of Syspeace.
I had the original idea for a brute force protection software and was a part of most aspects it but unfortunately we just couldn’t agree on what was reasonable on the business side of it once our initial agreement ended so I decided to go with the “live and let die” policy.
It basically just took too much energy from me to haggle and not getting anywhere really and frankly, the project had become stagnant the way I saw it so consider this plan B.

The future then? Can it be made viable as a business idea?

Basically what I’m driving at is this, are there the right people out there? Anyone up for starting up a new project and try to create an even better brute force protection and security platform with me?
I have already had a few feelers with other companies and there is an interest to be part of such a project. The best scenario would probably be to get in touch with a development company that already has developers and want to broaden their portfolio with a security product but on the other hand, it can be a very small staff of people doing it too.

I’m not opposed to investing myself also and since I know the finances behind such a product and what it can generate I have a reason to believe in it, both technically and businesswise.
Remember, the market is worldwide. It’s not geographically confined and that’s why I’m actually writing this in English, although for me personally, the startup of such a project would be easier if it were in Sweden. I’m. just thinking practically.

I’ve already done it once and I believe it can be done again but even better. I’ve already seen the mistakes so to speak.
Of course, there are other ways too, such as Crowdfunding and FundedByMe and all that but I firmly believe not only do you have to have the finances settled but also be sure to have the right people involved, willing to invest their time and focus.

At the moment it’s just a thought from my side and nothing has really taken any shape (apart from registering a domain for it really) but I would hate to throw away all the ideas, knowledge and experience I have around such a project. I think I have a pretty good inkling of budgets, the business side and of course the technical aspects and functionality of what such a product should be.

So, if you’re up for it, just contact me or give me call and say hi and we’ll take it from there?

I think the time would be more or less now because I’m certain there’s stuff going on in other places too so in order to get a product up and running and get market shares, this would be the time to do it.

Ditt namn (obligatorisk)

Företag

Din epost (obligatorisk)

Telefon

Ämne (obligatorisk)

Ditt meddelande (obligatorisk)

När och hur vill ni bli kontaktade?
TelefonE PostPersonligt möteFörmiddagEftermiddagKväll

Vad gäller saken ? Välj en eller flera områden om du vill

Från när behöver ni hjälp ?

Skriv in nedanstående text för verifiering (obligatorisk)

captcha

 

Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself and the original can be found here . I might add a few thing in here but is very good strat indeed. Well done
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Den här listan är en väldigt bra början för att planera och förhindra olika typer av attacker och hantera säkerhetsaspekter från olika synvinklar.

För hjälp med frågor som dessa, kontakta mig gärna här

 

backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace mitigation strategies

MITIGATION STRATEGIES

Mitigation strategies summary

Relative security effectiveness rating Mitigation strategy Potential user resistance Upfront cost (staff, equipment, technical complexity) Ongoing maintenance cost (mainly staff)
Mitigation strategies to prevent malware delivery and execution
Essential Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Medium High Medium
Essential Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Low High High
Essential Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. Medium Medium Medium
Essential User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Medium Medium Medium
Excellent Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. Low High Medium
Excellent Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. Medium Medium Medium
Excellent Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. Medium Medium Medium
Excellent Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. Medium Medium Low
Excellent Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Low Low Low
Very good Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. Low Medium Medium
Very good Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. Medium Medium Low
Very good Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Very good Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. High High Medium
Very good Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. Low Low Low
Good User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. Medium High Medium
Limited Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Limited TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. Low Low Low
Mitigation strategies to limit the extent of cyber security incidents
Essential Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Medium High Medium
Essential Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Low Medium Medium
Essential Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. Medium High Medium
Excellent Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. Low Medium Low
Excellent Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. Low High Medium
Excellent Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. Medium Medium Low
Very good Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. Medium Medium Medium
Very good Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. Low Medium Medium
Very good Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. Medium Medium Medium
Very good Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. Medium Medium Medium
Mitigation strategies to detect cyber security incidents and respond
Excellent Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. Low Very
high
Very
high
Very good Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. Low Medium Medium
Very good Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. Low Medium Medium
Very good Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. Low Very
high
Very
high
Limited Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. Low High Medium
Limited Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. Low High Medium
Mitigation strategies to recover data and system availability
Essential Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Low High High
Very good Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. Low High Medium
Very good System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. Low High Medium
Mitigation strategy specific to preventing malicious insiders
Very good Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. High High High

 

 

For questions or help within these areas, please feel free to contact me here

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

IT konsult backuper, It konsult säkerhet, IT konsult syspeace, IT konsult återstartsplaner, It konsult Active DirectoryA few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid. I ran into a Swedish development company by coincidence and I told them about my idea, showed them som proofs of concepts and we decided to create this product together and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. In short , after an intial contract for 3 years  for a certain percentage of gross sales , they suddenly decided that I wouldn’t get any money whatsoever for any sales of Syspeace after that. Simple as that. Yay me. Not really what I had in mind when presenting the idea and putting that work into it and still, stupidly enough , I kind of was under the impression that we’d continue the same way as the first contract was written, both practically and in spirit.. Yep. Admittedly bitter about it. I loved the idea, I love the product (although there are improvemens that need to be made in my humble opinion. The idea is even good enough to actually bring some revenue and if we would’ve stayed on terms, I would’ve been perfectly fine. Still, lesson learned. Don’t be so trusting.

Anyaway, this post isn’t about that really. Not getting into how I feel about that but I’m sure you can imagine. There’s another post that kind of relates to that here and my view on a product such as Syspeace.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, the eventid 4625 in the Windows Securitylog didn’t record the source IPaddress, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes stuff fareasier if you’re hosting Terminal Servers (Remotdesktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing but I don’t know really ) so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. A few things to consider here though and you really might want to think about them before implementing Cyberarms IDDS on larger scale.

Syspeace vs Cyberarms

First of all , the notification email you get from Cyberarms contains far too little information for it to be useful in a datacenter environment or at a Cloud Service provider. If you’re simplt protecting your PC at home, sure but if your’re mmanaginfg a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address xxx.xxx.xxx.xxx has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see Geopgraphical information and the login name used in order to know whether it’s an actual attempt to use valid usernames and access data or if it’s just an automated “background noice attack”. With that said, do not underestimate those background nice attacks since they do use up resources like CPU and RAM on your servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noice”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though , there is a default mechanism for also keeping track of succesful logins and with some builtin logic, actuallynot banning the IP address if someone else succeeds with their login attempt from behind that same firewall. The toought behind it is of course to minimize false positives and hopefully not blocking your customers from your services. It’s not foolproof but it works well enough.

In Sypeace, the rules you can set are also more flexible including parameters such as a time window. This is very useful for you to catch “slow grinding” attempts meaning hackers that want to stay under the radar for products such as Syspeace and Cyberarms.

Cyberarms does not have access reports built in to it like it’s built into Sysepace which from time to time can be very useful for a sysadmin.

When you starting up Cybrarms intiially, no agents are activated by default so there’s more of a “how-to” tip for you.

Cyberarms doesn’t not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built in flaw at the moment making it’s database grow above it’s limit of 4 GB in some scenarios but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUIless servers is another quiestion. My guess is that they bort need to be rewritten. None of them support a central managemant interface wich would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sutre there will be such a feature in either on of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and build a great product together. In fact, I’m sure an even greater product can be built for these things and and adjacent things  so if anyone’s up a for it, I’m game.I have quite a few ideas for new functionality and features for such a product already..or who knows,I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but truth told, I’m not a good developer really. I have ideas and I know how it should work but getting to the actual coding would just take to much time for me.

Anyway … Here’s how I’m using both of them at the same time for now anyway
I have the set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address 182.184.78.244 (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace , getting it to catch those SSL/TLS

attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address 155.207.18.189 was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin meaning for me to actually deal with it, I need to manually find out from where the attack originated, what username was used in order to decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get better notifications with more information but that shlould be built into the software really looking more like the Syspeace alerts.

The Syspeace notification isn’t prefect either but it is far better. I would also like to see what port was targeted and what process was targeted, i.e the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports so I thought I’d also incklude one of each from the same server and the same time window. I think you’ll noticed the difference and ralize why the SSL/TLS functionality is so crucial to have in place

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
23.236.77.157 1 XS2323677157; United States (US)
47.34.65.227 1 47-34-65-227.dhcp.stls.mo.charter.com; United States (US)
52.14.84.148 6 ec2-52-14-84-148.us-east-2.compute.amazonaws.com; United States (US)
73.37.131.61 1 c-73-37-131-61.hsd1.mn.comcast.net; United States (US)
89.247.148.40 1 i59f79428.versanet.de; Germany (DE)
119.59.80.66 1 119-59-80-66.rdns.afghan-wireless.com; United States (US)
151.54.163.83 1 ; Italy (IT)
183.250.25.70 1 ; China (CN)
185.94.99.245 1 ; Iran, Islamic Republic of (IR)
189.26.112.234 2 corporativo.gvt.net.br; Brazil (BR)
193.34.9.171 1 nlink.nesso.ru; Russian Federation (RU)
202.104.33.34 1 ; China (CN)
203.146.142.62 1 ; Thailand (TH)
213.87.96.182 1 host.mrdv-1.mtsnet.ru; Russian Federation (RU)
213.136.87.8 1 vms8.riseforce.net; Germany (DE)
222.184.121.194 1 ; China (CN)
222.209.233.89 1 89.233.209.222.broad.cd.sc.dynamic.163data.com.cn; China (CN)

//  I Have removed the hourly breakdown opart from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0

 

Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts
1.192.144.148 1
104.43.19.172 1
118.69.171.47 1
146.185.239.117 1
149.3.47.190 1
169.50.7.234 1
200.2.192.186 1
207.225.237.110 1
208.44.83.36 1
209.249.81.231 1
211.72.12.36 1
212.175.49.50 1
212.92.127.126 1
213.89.246.166 1
217.208.101.73 1
217.23.11.249 1
217.8.84.31 1
223.25.241.88 1
37.0.20.79 1
39.109.11.209 1
5.150.237.244 1
50.193.208.177 1
50.203.20.67 1
54.243.236.34 1
68.44.212.144 1
70.169.12.6 1
75.71.25.220 1
78.188.193.185 1
8.21.216.2 1
80.82.77.34 1
82.80.252.200 1
83.137.55.249 1
85.105.245.147 1
88.99.8.164 1
91.121.64.15 1
91.200.12.75 1
91.215.120.225 1
92.51.70.248 1
94.43.33.178 1
96.80.87.202 1
98.101.132.98 1
104.185.131.1 2
12.201.134.132 2
173.226.255.254 2
185.56.82.58 2
197.242.149.19 2
208.184.124.150 2
216.162.88.19 2
216.236.16.89 2
217.34.0.133 2
5.175.0.111 2
63.253.50.210 2
66.229.43.193 2
68.15.114.164 2
76.71.75.79 2
83.69.223.227 2
85.72.58.154 2
96.80.60.1 2
98.112.92.39 2
108.242.76.81 3
178.208.128.131 3
206.252.196.162 3
210.109.189.218 3
217.34.0.135 3
75.127.164.214 3
90.168.232.247 3
108.60.96.19 4
117.218.128.22 4
12.30.90.162 4
208.78.220.145 4
208.81.109.6 4
23.102.44.152 4
38.88.150.106 4
40.85.92.80 4
52.187.36.243 4
52.228.35.94 4
52.228.40.215 4
52.228.42.136 4
66.64.166.178 4
66.84.140.17 4
91.183.212.73 4
144.139.207.212 5
212.83.168.244 5
213.136.87.8 5
216.162.88.62 5
217.148.113.118 5
217.91.224.26 5
222.184.121.194 5
23.235.162.34 5
23.236.77.157 5
52.228.46.46 5
67.55.103.188 5
73.37.131.61 5
85.93.93.116 5
89.30.240.164 5
98.103.178.186 5
119.59.80.66 6
183.250.25.70 6
185.94.99.245 6
189.26.112.234 6
202.104.33.34 6
203.146.142.62 6
212.170.198.61 6
213.87.96.182 6
222.209.233.89 6
46.185.117.106 6
89.247.148.40 6
108.58.0.234 7
109.73.46.130 7
12.199.176.194 7
121.161.141.239 7
151.54.163.83 7
155.133.82.102 7
159.122.106.114 7
159.253.26.77 7
169.50.22.186 7
185.130.226.42 7
185.93.183.218 7
185.94.193.75 7
190.145.28.67 7
193.34.9.171 7
193.86.185.50 7
198.23.210.133 7
199.167.138.110 7
201.161.36.162 7
201.18.18.151 7
211.52.64.52 7
213.136.79.237 7
218.60.57.131 7
27.254.150.30 7
35.156.247.241 7
35.157.110.187 7
47.88.33.114 7
5.122.136.4 7
5.196.215.194 7
59.175.128.108 7
64.110.25.6 7
69.166.130.134 7
79.120.40.185 7
83.110.74.36 7
84.55.94.211 7
89.185.246.67 7
89.185.246.79 7
89.185.246.95 7
91.218.112.173 7
94.102.51.124 7
94.107.233.189 7
94.142.142.156 7
121.175.229.89 8
125.227.100.10 8
141.255.188.47 8
155.133.82.50 8
185.109.255.12 8
185.109.255.13 8
213.124.64.27 8
31.44.191.8 8
47.34.65.227 8
47.90.16.194 8
52.233.26.114 8
62.210.244.44 8
65.61.102.251 8
76.70.18.47 8
80.82.79.228 8
83.136.86.179 8
104.160.176.45 9
109.228.26.93 9
114.34.79.103 9
116.125.127.101 9
170.161.62.42 9
172.245.222.8 9
173.10.107.141 9
173.74.198.161 9
178.159.36.150 9
185.159.145.26 9
194.61.64.252 9
198.27.119.249 9
207.233.75.39 9
212.86.108.191 9
23.249.224.189 9
31.145.15.3 9
37.46.255.63 9
37.75.11.86 9
40.139.95.146 9
5.135.7.98 9
5.39.222.19 9
50.243.143.129 9
52.174.36.251 9
52.187.37.144 9
52.232.112.92 9
58.221.59.22 9
78.154.13.222 9
91.211.2.20 9
95.154.22.236 9
144.130.57.185 10
50.247.156.86 10
74.95.221.25 10
194.17.59.90 11
93.174.93.162 11
118.34.230.5 12
213.179.6.49 12
43.254.126.10 12
103.54.250.94 13
174.4.72.229 13
146.0.74.126 14
203.128.240.130 14
5.39.223.166 14
2.139.204.18 17
74.203.160.89 17
93.115.85.228 17
185.159.36.122 18
195.154.52.156 18
24.249.158.60 18
31.184.197.6 18
52.14.84.148 19
185.70.186.140 21
119.145.165.86 23
91.211.2.109 54
Total 1371
Soft locks by IP address
Client IP Soft locks
108.58.0.234 1
109.73.46.130 1
12.199.176.194 1
12.201.134.132 1
121.175.229.89 1
144.130.57.185 1
155.133.82.102 1
155.133.82.50 1
159.122.106.114 1
159.253.26.77 1
169.50.22.186 1
173.226.255.254 1
185.130.226.42 1
185.93.183.218 1
185.94.193.75 1
190.145.28.67 1
193.86.185.50 1
197.242.149.19 1
198.23.210.133 1
199.167.138.110 1
201.161.36.162 1
201.18.18.151 1
208.184.124.150 1
211.52.64.52 1
213.136.79.237 1
216.162.88.19 1
217.34.0.133 1
218.60.57.131 1
27.254.150.30 1
35.156.247.241 1
35.157.110.187 1
43.254.126.10 1
47.88.33.114 1
47.90.16.194 1
5.122.136.4 1
5.196.215.194 1
59.175.128.108 1
62.210.244.44 1
63.253.50.210 1
64.110.25.6 1
66.229.43.193 1
68.15.114.164 1
68.44.212.144 1
69.166.130.134 1
76.71.75.79 1
79.120.40.185 1
83.110.74.36 1
84.55.94.211 1
89.185.246.67 1
89.185.246.79 1
89.185.246.95 1
91.218.112.173 1
93.174.93.162 1
94.102.51.124 1
94.107.233.189 1
94.142.142.156 1
96.80.60.1 1
98.112.92.39 1
104.160.176.45 2
108.60.96.19 2
109.228.26.93 2
114.34.79.103 2
116.125.127.101 2
12.30.90.162 2
141.255.188.47 2
146.0.74.126 2
170.161.62.42 2
172.245.222.8 2
173.10.107.141 2
173.74.198.161 2
178.159.36.150 2
185.109.255.12 2
185.109.255.13 2
185.159.145.26 2
194.61.64.252 2
198.27.119.249 2
2.139.204.18 2
206.252.196.162 2
207.233.75.39 2
208.78.220.145 2
208.81.109.6 2
212.86.108.191 2
213.124.64.27 2
217.34.0.135 2
23.102.44.152 2
23.249.224.189 2
31.145.15.3 2
31.44.191.8 2
37.46.255.63 2
37.75.11.86 2
38.88.150.106 2
40.139.95.146 2
40.85.92.80 2
5.135.7.98 2
5.39.222.19 2
5.39.223.166 2
50.243.143.129 2
50.247.156.86 2
52.14.84.148 2
52.174.36.251 2
52.187.36.243 2
52.187.37.144 2
52.228.35.94 2
52.228.40.215 2
52.228.42.136 2
52.232.112.92 2
52.233.26.114 2
58.221.59.22 2
65.61.102.251 2
66.64.166.178 2
66.84.140.17 2
78.154.13.222 2
80.82.79.228 2
83.136.86.179 2
91.211.2.20 2
95.154.22.236 2
118.34.230.5 3
185.70.186.140 3
24.249.158.60 3
119.145.165.86 4
185.159.36.122 4
195.154.52.156 4
31.184.197.6 4
93.115.85.228 4
91.211.2.109 12
Total 215
Hard locks by IP address
Client IP Hard locks
104.160.176.45 1
104.43.19.172 1
108.60.96.19 1
109.228.26.93 1
114.34.79.103 1
116.125.127.101 1
118.34.230.5 1
118.69.171.47 1
119.145.165.86 1
12.201.134.132 1
12.30.90.162 1
170.161.62.42 1
172.245.222.8 1
173.10.107.141 1
173.226.255.254 1
173.74.198.161 1
178.159.36.150 1
185.159.145.26 1
194.61.64.252 1
197.242.149.19 1
198.27.119.249 1
2.139.204.18 1
200.2.192.186 1
207.225.237.110 1
207.233.75.39 1
208.184.124.150 1
208.78.220.145 1
208.81.109.6 1
209.249.81.231 1
212.86.108.191 1
216.162.88.19 1
217.34.0.133 1
217.34.0.135 1
223.25.241.88 1
23.102.44.152 1
23.249.224.189 1
31.145.15.3 1
37.46.255.63 1
37.75.11.86 1
38.88.150.106 1
40.139.95.146 1
40.85.92.80 1
5.135.7.98 1
5.39.222.19 1
50.193.208.177 1
50.203.20.67 1
50.243.143.129 1
50.247.156.86 1
52.174.36.251 1
52.187.36.243 1
52.187.37.144 1
52.228.35.94 1
52.228.40.215 1
52.228.42.136 1
52.232.112.92 1
54.243.236.34 1
58.221.59.22 1
63.253.50.210 1
66.64.166.178 1
66.84.140.17 1
68.15.114.164 1
78.154.13.222 1
8.21.216.2 1
91.211.2.20 1
93.115.85.228 1
95.154.22.236 1
96.80.60.1 1
98.101.132.98 1
98.112.92.39 1
185.159.36.122 2
195.154.52.156 2
31.184.197.6 2
52.14.84.148 2
91.211.2.109 6
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

Securing your datacenter – Physical aspects

Securing your datacenter - Juha Jurvanen JufCorp AB

A basic guide to securing your datacenter- part 1

This blog post is intended only as a basic guide to securing your datacenter and it’s a repost with some new stuff added into it. I also wrote a couple of follow ups to it that I will repost later.

It is not intended to be the gospel of security since, well.. let’s be honest, there is no such thing as absolute security.

As an example, in Sweden there was a case where a computer was locked in a vault, with no network access whatsoever and only a few people had access to it and still, it leaked information to foreign countries. Yes . a computer controlled by the military.

Absolute computer security is a myth and a beautiful dream. With that said, system administrators can still do a lot to make more difficult to access data and prevent attacks and sabotage to their systems.
Let’s start off with physical aspects .

The actual georgraphic location

Where is your server actually located and who has physical access to it?

Resetting administrator passwords or root passwords

Once you gain physical access to a sever, there are numerous way of accessing the data. The root password or Active Directory Domain Administrator password or NDS Admin password can be easily reset (yes, the sentence “easily reset” is used loosely) with a USB stick and booting the server. Have look a at for instance HIren’s Boot CD, Burglar for NDS or just play around with Google and search for terms such as “Reset administrator password”, “decrypt password” and so on .
You’ll be amazed when you realize how easy it actually is. Personally, I always carry with me some USB stick that enables me to boot up any system and “have my way with it”
So, we need to secure the server from outside access. The data center must be protected with card keys, cameras and access control. We need to who and why they are in the data center in the first place.For instance, a janitor or cleaning staff tends to have complete access due to what they do. Many companies hire outside help to get these kinds of jobs done.

Sabotage and disrupted data services

If I wanted to gain access to server, I would try to infiltrate one of those subcontractors to get a job as a let’s say janitor, and try to gain access to the data center somehow and from there, I can basically do what ever I wanted with the servers.
Maybe my goal wouldn’t be to steal data but to kill the data operations by corrupting the filesystems on the servers (for instance just “piping” data into various files from command prompt or hding files behind other files ), randomly switch disks on RAID systems or just put small holes in network cables to cause network errors, trigger an EMP in the data center and so on .
There would be numerous ways to disrupt the data operations, once i gained access to the data center or servers room.

Information theft

If I’m out to steal data, I would probably not target the servers themselves but instead I’d start looking for backup tapes or backup disks. Far too many companies have their backups in the same location as the servers themselves and since the backups usually are not encrypted , I’d go for stealing a complete backup set, go home and start doing a scan of the tapes to figure out what backup software was used and then do a complete restore of it all.
The backups are most likely to contain the data I’m after, although probably a maximum of 24 hours old but from them I can gain access to all kinds of information about the operations and crack administrative passwords for the server systems and so on . In the comfort of my own data center. or my couch.
This way would of require some skill of Disaster Recovery scenarios and how to get data back from backups but I’m fairly sure I’m not he only one in the world who has the expertise in those matters.

Backups are always a weak point from several aspects.

You need to know who has access to them , at all times.
If you are company that for instance have your backups shipped to another location on a daily basis or weekly, you need to know that people handling them haven’t been compromised. It wouldn’t take that long for anyone with the proper skills do clone your tapes or disks en route to their destination and you would have no way of telling they’d been cloned. In that scenario, all of your critical data would be in the wild, without you actually knowing it.

If you are using any kind of online backup service, remember to choose your encryption password wisely and be extremely restrictive with who has the password. A lot of backup software do not let you change the encryption password without doing the first backup all over again, thus doubling your usage of space and your costs.
Still , I highly recommend you use an encryption password for several reasons.
If you don’t use it, it’s just pure laziness and fear of administrative hassle and that’s just not an excuse. The risk of people at your online backup provider being able to access your data is of course also an obvious risk. Do you know these people and how could you be absolutely certain that they aren’t poking around in your data and maybe giving it to your competitors?

If you are thinking about online backups there are a few very essential questions you should ask yourself but we’ll get back to that later in another post.
Do not use the same encryption password as you have for Root / Administrator / Admin . That´s just crazy talk. Use a password generator to create a unique password. This is also very much valid for tape backups or backups on NAS / disk. Always encrypt your backups with password and be very, very restrictive with who has the password.

If an employee quits your company or an outside consultant quits his project and he / she has had knowledge of the password, change it.

If you’re doing a planned Disaster Recovery test for instance, change the administrative passwords right after the DR test , thus not enabling anyone to reuse what they’ve found out during the test
During the actual DR test, you should be there and be the one that actually types in the encryption password for the backups, not any outside technicians or consultants , not even the online backup service provider or your Disaster Recovery Service Provider. You , and you alone should be the one that has those passwords.
I’ll will return to backup questions and stuff regarding DR plans and so further down the line in some upcoming blog post
So, the conclusion is, always know who and why people are in proximity of your servers and NEVER let anyone be there alone without supervision and here’s a few more pointers.

A short cheatsheet for datacenters

  1. Always have you data center locked and secured from unauthorized access, If you have the means, also have it secured against an EMP attack from the outside. Of course, I haven’t even touched the subjects but be sure your data center has all the necessary fire prevention/extinction equipment in place, UPS backups and , if possible, also an outside source for generating current in case the UPS or battery runs out of current. There should also be a system in place for protecting you servers against spikes in current.
    Be sure to know where water pipes are running in the building so you don’t place your server directly underneath one.
  2. Don’t keep cardboard or any other kind of flammable materials in the data center. Be sure to take them with you when you’ve set up a new server or switched disks. Don’t be lazy. The cost of laziness can be extreme.
  3. In the data center, always have your servers locked in cabinets that requires keys and access card to gain physical access to keyboards and stuff. Also remember to protect the cabling and the back of the servers! Never have a server logged on the console. Be sure to have all cabling to the and from the firewall and the internet access secured.
  4. If you’re “expecting company” i.e. external consultant and so on, be sure to think abut NOT having different kinds of network maps, administrative passwords and different kinds of information in plain sight for anyone to see. I’ve seen it hundreds of times, the IT department having their entire IT operations and information of their systems on white boards or on print on documents next to their workstations. It’s very quick and easy to take a picture of it with a cell phone and once you understand the infrastructure you can also start exploring weak points in it.
    Sure , it makes their lives easier but as one might gather, it also makes the life of the attacker easier. Knowledge is a powerful weapon, especially when it comes to data protection
  5. Don’t have software laying around in the data center with software keys and stuff on them . All it takes is a mobile phone for someone to coy your license keys thus possibly putting you in an awkard situation having to explain to Microsoft for instance how come that your Volume License keys are a bit too easy to find on Piratebay, thus putting you n the risk of your licenses becoming invalid and bringing your server operations to a halt , or at least a shoer disruption.
  6. Know where your backups are, at all times. Have them encrypted. If using online backup services, be sure to use an encryption key and , if possible, be sure to have restrictions on the online backup service providers end on to and from where backups and restores are allowed
  7. Do not allow mobile phones in the data center due to the risk of people photographing your equipment or software license keys or using the mobile phones to copy data via USB cables and stuff.
  8. If possible, disable any USB ports on your servers. This can be done in the BIOS (and of course also have a sysmtem password for accessing the BIOS, a unique one for each server ) or you can physically kill it by putting glue or semothing in there (I haven’t tried that myself so do try at your own risk .. )
  9. If you are sharing a data center with others, there is no need for you to have your company logo or anything revealing the servers are yours. Keep it as anonymous as possible. There is also no need for you to tell anyone where your servers are physically located (although it can be fairly easy for anyone to fin out using traceroute commands and so on ),
  10. Be sure to have a Disaster Recover Plan (DRP ) / Business Continuity Plan (BCP) if your site is compromised or an accident should occur. Also in this case, treat the secondary DR location as mission critical data. Far too often, the secondary site is forgotten and poorly updated.
  11. Once again, do not underestimate the powers of social engineering. Although it’s not hacking in the usual sense, it’s merely good acting but it can still be as harmful as I’m trying to point out here

So, there’s a few tips anyway and that’s just the start really. It’s not a complete recipe for securing your physical environment and I’m sure I’ve missed out loads of stuff but it’s a start anyways.

I hope you you liked this post and I’d love to hear you thoughts on it and if you want me to write a few others on the matters of securing your server operations, I was thinking in the lines of brute force protection, change management, 0day attacks, certificate management , password policies, protecting web servers and so on , You get the picture 🙂

// Juha Jurvanen

Contact me

Senior consultant in backup, IT security, server operations and cloud

#cybersecurity How to block a brute force attacks against Windows Servers, #MSExchange, Remote Desktop and more

Syspeace - intrusion prevention for Windows servers

How to block a brute force attack against Windows Servers, Exchnage Server, remote Desktop

If your server or datacenter is targeted by a brute force attack a.k.a dictionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.

However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 6,5 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Server including the webmail (OWA) and SMTP connectors, Citrix, Sharepoint,SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not constantly monitoring logfles.

On this blog, https://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

By Juha Jurvanen