Archives for intrusion prevention for windows servers

Säkerhet på Windows Server – uppdaterad

Grundläggande säkerhet på Windows server – med lite nya länkar osv

backup disaster recovey kontinuitetsplaner IT säkerhet molntjänster syspeace

Det här inlägget är tänkt som en slags grundläggande “checklista” när man sätter upp säkerhet på Windows Server vid nyinstallation och driftssätting.

Kortfattat behövs alla saker i den här listan som ett minimum för att uppnå i vart fall en grundläggande säkerhet på Windows server.
Tyvärr kommer servern ändå inte vara fullständigt skyddad även om du följer alla steg. 

Absolut IT säkerhet finns helt enkelt inte men det här är i vart fall en lista för att göra ett antal grundläggande inställningar och steg.

 

Installerade programvaror

1. Se till att alla progranvaraor är uppdaterade med senaste säkerhetsuppdateringarna. Det här gäller operativsystemet, Exchange, SQL men även Adobe, Java och allt annat som finns installerat. Det här minskar risken för att råka ut för s.k. exploits som utnyttjar sårbarheter i programvaror. Kika på t.ex. PDQeploy som jag tycker funkat bra i större miljöer för distribution. 

Även F Secure har en Software updater som fungerat bra.
Det skyddar dock inte mot en riktig Zero Day attack dvs när en sårbarhet blivit publikt känd men leverantören av programmet ännu inte släppt en uppdatering som avhjälper felet.

För dem finns egentligen inget annat att göra än följa olika typer av säkerhetskanaler, läsa rekommendationer och hålla sig uppdaterad.

Antivirus

2. Se til att ha ett väl fungerande men inte allt för resurskrävande antivirus på samtliga system. Själv tycker jag om F Secures PSB lösning trots en del brister i software updater men den fungerar ändå väldigt väl för systemadministratörer. Kom ihåg att sätta upp larm på virusangrepp!

Fil och katalogrättigheter på servern

3. Se till att gå igenom alla katalog och filrättigheter ordentligt och vilka användare och grupper som har tillgång till vad. Tänk på att se till att användare , både interna och externa , endast ska kunna se det som de uttryckligen ska ha tillång till. Inget annat.
Ett exempel är t.ex. att begränsa åtkomst till diskar och dölja diskar på Terminal Server (kolla t.ex. TS Hide Drives). Att sätta upp rättigheter på fil och katalognivå är oerhört kraftfullt sätt att begränsa tillgången till data. Testa innan du tillåter användare att nå servern. Det är alltid svårare att och jobbigare att fixa till saker i eftehand när servern är i drift.
Tänk även på att inte tillåta programexekvering från “fel”  ställen t.ex %APPDATA% , %TEMP% o.s.v

Best practices, manualer .. var inte lat ..

4. Se till att följa “best practices” för alla applikationer och tjänster du sätter upp. Googla. Snacka med folk.

Ingen manual är komplett och programvarutillverkare tänker inte alltid på kringliggande saker som kan påverka säkerhet och kompabilitet. När du instalerat ett program, klicka runt i menyerna och se vad du kan göra (vilka kataloger kan du “browsa till”vid “öppna” , “spara” i o.s.v. ) . Testa både som administratör och en vanlig användare. Vilka rättigheter behövs och vilka kan “tajtas åt” ?

Slå på loggning på servern

5. Se till att ha loggning påslaget där det går. Många program och funktioner har inte det påslaget som standard men du kan inte felsöka det du inte ser och att försöka hitat ett intrång eller annat fel i efterhand kan vara hopplöst om inte omöjligt.

Övervakning och drift av servern

6. Se till att ha en väl fungerande övervakning och inventering på hela ditt nät. Själv är jag en förespråkare för Spiceworks som är gratis som man kan göra väldigt mycket med.
Om din server har olika typer av övervakningsagenter (ofta över SNMP)  som kommer från tillverkaren (vilket de flesta har) se till att installera dem.

De ger dig information om hur hårdvaran mår och larmar om olika typer av incidentter. Se till att också sätta upp larm från dem via mail till en funktionsbaserad maillåda dvs inte till en person. Se också till att ha en plan för incidenthantering på plats och utpekade ansvariga för olika typer av fel / incidenter.

Group policies och standardisering

7. Group policies dvs grupp principer. Oerhört kraftfullt verktyg om du sätter dig in i det.  Kommer att underlätta administration, säkerhetshantering och användarhantering väldigt mycket.

SSL och Internet

8. Om servern är nåbar från Internet (fast även gärna om den bara finns internt) , se till att ha giltiga SSL certifkat för alla tjänster som det ska kommuniceras med. Det är inte så dyrt man kan tro (nuförtiden finns även gratis SSL via Letsencrypt, även om det är lite komplicerat få det att fungera ) och det kommer underlätta också att få en del funktioner att fungera smärtfritt. Tänk dock på att bara installera ett SSL certifikat inte räcker, du måste också slå av en del svaga krypton o.s.v.

9.  Se över vilka HTTP headers du använder och säkra upp även dem med t.ex Strict Transport Security,  X-Content-Type-Options, X-Frame-Options, X-Xss-Protection, X-Permitted-Cross-Domain-Policies.

Slå av onödiga funktioner och tjänster , även i en testmiljö

10. Stoppa tjänster, funktioner och nätverksprotokoll som inte används. Minimiera attackytan för hackers, både interna och externa, men spara även prestanda i serven. Du slipper också onödigt tjattrig nätverkstrafik på nätet . Samma princip gäller för skrivare och arbetsstattioner.

Lösenordshantering och policies

11 Tvinga komplexa lösenord för alla användare. För lite tips om hur man kan komma ihåg dem har jag skrivit det här inlägget tidigare

Ett av de vanligaste sätten för hackers att ta sig in i system beror just på svaga lösenord som enkelt går att gissa sig till. Byt namn på administratören då kontot inte går att låsa i Windows. Här är det också viktigt att ha et fungerande intrångsskydd mot lösenordsattacker med Syspeace.

12. Använd en bra namnstandard för inloggningar. Använd inte bara t.ex. förnamnn@ertföretag.se eller något annat som är för uppenbart och enkelt. Ju svårare det är för en hacker att gissa sig till ett användarnamn desto fler försök kommer behövas för att ta sig in i systemet. Det finns olika typer av skydd för att hantera ordboksattacker / lösenordsattacker / bruteforce  o.s.v

Serverns backuper

13. Backuper, backuper och BACKUPER! Se till att ha fungerande backuper och rutiner för dem. Testa dem regelbundet , minst en gång om året. Att återläsa enskilda filer ur en backup är inte en återstartstest! Se även till att ha flera generationer av backuper och en IT policy som styr detta.

Att bara ha en eller två generationer att kunna falla tillbaka på vid ett haveri kan vara katastrof t.ex. om backupen av någion anledning är korrupt och inte går att använda eller om ni blivit hackade och ni måste få tillbaka systemet till ett tillfälle ni vet med säkerhet är OK dvs innan intrånget skedde.

Se till att ha MINST en fungerande generation av backuperna någon annastans än i samma lokaler där servern är utifall det brinner eller blir inbrott.
Att ha disksystem som RAID och andra failolver-lösningar kommer aldrig att ersätta backuper. Det finns även många olika typer av online backup lösningar och det handlar mer om pris och funktionalitet.

All hårdvara kan falera, både fysiskt och logiskt som t.ex korrupta filsystem.
Ett tips här är också att slå på regelbundna VSS snapshots på alla diskar .

Enkelt, stabilt och billigt sätt att ha flera generationer av data att tillgå men det är INTE en ersättning för backuper!

Scanna din server efter sårbarheter!

14. Scanna din server med olika verktyg efter sårbarheter och tips för att öka säkerheten.

Här några bra länkar jag själv använder ofta

https://www.gravityscan.com      – Scannar sårbarheter, felaktiga länkar och headers osv  Främst för WordPress och Joomla osv

https://www.ssllabs.com/ssltest/   – Kontrollera att du slagit av svaga krypton och använder ditt SSL certifikat korrekt 

https://tools.pingdom.com/ –  Hastighet på hemsidan med mera, bra tips om laddningshastigheter och vad som tynger ner osv

http://www.kitterman.com/spf/validate.html   – Kontrollera att du satt upp ditt SPF record korrekt

https://mxtoolbox.com/diagnostic.aspx  – Diverse tester av mailservrar som Open Relay o.s.v. 

https://www.microsoft.com/en-us/download/details.aspx?id=7558    – Microsoft Baseline Security Analyzer

Testa ladda ner KALI Linux och testkör de olika verktygen från den.

Brandväggar och kommunikationer

15. Tänk igenom hur serven kommunicerar med omvärlden vad gäller brandväggar och routing i nätet. Ha även den lokala brandväggen påslagen i Windows, trots att den står bakom en extern brandvägg.

Brute force prevention . Skydd mot ordboksattacker, lösenordsattacker på Windows Server

16. Automatisk intrångshantering med t.ex Syspeace. I Windows går det INTE att automatiskt hantera lösenordsattacker på ett vettigt sätt. De inbyggda mekanismerna kan t.o.m. göra mer skada än nytta. Att installera ett system som Syspeace löser mycket av problematiken direkt och är oerhört enkelt att installera och konfigurera. Det finns flera liknande produkter dock som t.ex Cyberarms. Ur ett administrativt perspektiv så saknar tyvärr Cyberarms en del viktig funktionalitet som t.ex information om varifrån (land, DNS namn osv) attacken kom.

17. Det här hör på sätt och vis ihop med punkt 13 om backuper men se till att ha en vettig återstartsplan om något händer.

WordPress på IIS Server

18. Den här hör såklart ihop med om servern är nåbar från Internet lite längre upp och det är ett helt jätteområde i sig men några grundläggande tips är att se till att alltid uppdatera själva WordPress, alla plugins och teman, din PHP  och att installera plugins som t.ex. Wordfence . Även olika typer av cachning och URL rewrite kommer bhöva installeras och sättas upp.

 

Kontakta mig för möte, frågor eller konsulthjälp kring de här frågorna ? 

 

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

JufCorp AB hjälper företag och föreningar med frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace

Pågående massiv #bruteforce attack mot primärt Windows server system från #USA

 

Som kuriosa tänkte jag nämna en massiv s.k. Brute Force attack / Dictionary attack (på svenska kallad ordboksattack) som pågår just nu med ursprung i USA och som verkar rikta in sig mot asvenska servrar (ett flertal av mina kunder har drabbats).
Den är inte att blanda ihop med den massiva #WannaCrypt attacken som handlar ransomvirus utan är en helt annan typ av attack där inkräktaren försöker att gissa sig till användarnamn och lösenord eller bara att överbelasta servrarna med felaktiga inloggningsförsök.

En gemensam nämnare i just den här attacken är att de använder sig av inloggningsdomänen som inloggningsnamn.
Nedan är en lista på “dagens skörd” av blockerade IP adresser som intrångsskydden blockerat på en enda servrar mellan midnatt och 13:30 hittills idag .

För att se om ni är drabbade, kontrollera Windows Security log.

Om ni är drabbade är ni naturligtvis välkomna att kontakta mig här för hjälp med att hantera attacken eller för att skydda er mot kommande attacker

IP address Times Host name and country
——————– —– ——————————-
5.102.141.94 2 rev-94.141.102.5.tribion.com; Netherlands (NL)
5.103.29.79 2 static-5-103-29-79.fibianet.dk; Denmark (DK)
5.144.158.193 2 ; United Kingdom (GB)
8.3.64.82 2 mail.sharpcnc.com; United States (US)
8.23.71.66 2 BJP2U36T-PC; United States (US)
8.27.164.197 2 ip-8-27-164-197.trucom.com; United States (US)
12.163.187.130 2 ; United States (US)
12.177.217.60 2 ; United States (US)
12.219.206.146 2 ; United States (US)
12.250.27.210 2 ; United States (US)
13.65.24.104 2 ; United States (US)
13.67.181.161 2 ; United States (US)
13.68.88.62 2 ; United States (US)
13.68.92.114 2 ; United States (US)
18.159.7.137 2 koch-six-forty-eight.mit.edu; United States (US)
23.25.213.172 2 23-25-213-172-static.hfc.comcastbusiness.net; United States (US)
23.227.200.187 2 ; United States (US)
24.13.84.17 2 c-24-13-84-17.hsd1.il.comcast.net; United States (US)
24.45.36.135 2 ool-182d2487.dyn.optonline.net; United States (US)
24.47.123.214 2 ool-182f7bd6.dyn.optonline.net; United States (US)
24.136.114.234 2 rrcs-24-136-114-234.nyc.biz.rr.com; United States (US)
24.172.55.54 2 fbiconstruction.com; United States (US)
24.204.55.66 2 mail.jtparkerclaims.com; United States (US)
24.248.203.94 2 wsip-24-248-203-94.ks.ks.cox.net; United States (US)
24.248.223.50 2 wsip-24-248-223-50.ks.ks.cox.net; United States (US)
27.74.243.108 2 tsgw.rcasp.se; Vietnam (VN)
34.192.198.19 2 ec2-34-192-198-19.compute-1.amazonaws.com; United States (US)
37.252.129.11 2 ; Switzerland (CH)
40.71.27.108 2 ; United States (US)
40.76.37.25 2 ; United States (US)
40.86.191.167 2 ; United States (US)
40.135.9.233 2 h233.9.135.40.static.ip.windstream.net; United States (US)
45.17.245.230 2 45-17-245-230.lightspeed.hstntx.sbcglobal.net; United States (US)
45.20.208.49 2 45-20-208-49.lightspeed.rlghnc.sbcglobal.net; United States (US)
45.32.160.56 2 45.32.160.56.vultr.com; United States (US)
45.40.139.116 2 ip-45-40-139-116.ip.secureserver.net; United States (US)
45.63.4.229 2 45.63.4.229.vultr.com; United States (US)
46.231.187.166 2 ; United Kingdom (GB)
47.21.46.106 2 ool-2f152e6a.static.optonline.net; United States (US)
47.23.136.187 2 ool-2f1788bb.static.optonline.net; United States (US)
47.146.183.166 2 ; United States (US)
47.180.64.184 2 static-47-180-64-184.lsan.ca.frontiernet.net; United States (US)
50.47.72.226 2 50-47-72-226.evrt.wa.frontiernet.net; United States (US)
50.73.101.155 2 50-73-101-155-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.16.81 2 50-76-16-81-static.hfc.comcastbusiness.net; United States (US)
50.76.63.221 2 50-76-63-221-ip-static.hfc.comcastbusiness.net; United States (US)
50.76.167.3 2 50-76-167-3-static.hfc.comcastbusiness.net; United States (US)
50.76.202.210 2 50-76-202-210-static.hfc.comcastbusiness.net; United States (US)
50.77.83.137 2 50-77-83-137-static.hfc.comcastbusiness.net; United States (US)
50.77.201.132 2 50-77-201-132-static.hfc.comcastbusiness.net; United States (US)
50.79.7.213 2 50-79-7-213-static.hfc.comcastbusiness.net; United States (US)
50.79.105.34 2 50-79-105-34-static.hfc.comcastbusiness.net; United States (US)
50.192.13.145 2 50-192-13-145-static.hfc.comcastbusiness.net; United States (US)
50.192.141.193 2 50-192-141-193-static.hfc.comcastbusiness.net; United States (US)
50.196.247.193 2 50-196-247-193-static.hfc.comcastbusiness.net; United States (US)
50.197.82.185 2 50-197-82-185-static.hfc.comcastbusiness.net; United States (US)
50.198.160.161 2 50-198-160-161-static.hfc.comcastbusiness.net; United States (US)
50.199.237.34 2 50-199-237-34-static.hfc.comcastbusiness.net; United States (US)
50.203.190.178 2 mail.intermediagroup.org; United States (US)
50.205.10.174 2 50-205-10-174-static.hfc.comcastbusiness.net; United States (US)
50.205.117.51 2 50-205-117-51-static.hfc.comcastbusiness.net; United States (US)
50.233.197.222 2 50-233-197-222-static.hfc.comcastbusiness.net; United States (US)
50.240.252.205 2 50-240-252-205-static.hfc.comcastbusiness.net; United States (US)
50.241.38.49 2 50-241-38-49-static.hfc.comcastbusiness.net; United States (US)
50.243.129.194 2 50-243-129-194-static.hfc.comcastbusiness.net; United States (US)
50.248.123.221 2 50-248-123-221-static.hfc.comcastbusiness.net; United States (US)
50.254.34.165 2 50-254-34-165-static.hfc.comcastbusiness.net; United States (US)
50.254.133.245 2 50-254-133-245-static.hfc.comcastbusiness.net; United States (US)
52.5.139.105 2 ec2-52-5-139-105.compute-1.amazonaws.com; United States (US)
52.6.224.229 2 ec2-52-6-224-229.compute-1.amazonaws.com; United States (US)
52.23.118.225 2 ec2-52-23-118-225.compute-1.amazonaws.com; United States (US)
52.26.151.34 2 ec2-52-26-151-34.us-west-2.compute.amazonaws.com; United States (US)
52.39.168.186 2 ec2-52-39-168-186.us-west-2.compute.amazonaws.com; United States (US)
52.70.19.127 2 ec2-52-70-19-127.compute-1.amazonaws.com; United States (US)
52.73.103.93 2 ec2-52-73-103-93.compute-1.amazonaws.com; United States (US)
52.89.217.62 2 ec2-52-89-217-62.us-west-2.compute.amazonaws.com; United States (US)
52.168.20.3 2 RACESA; United States (US)
52.168.86.1 2 RACESA; United States (US)
52.170.39.1 2 ; United States (US)
52.173.17.163 2 ; United States (US)
52.200.66.163 2 ec2-52-200-66-163.compute-1.amazonaws.com; United States (US)
54.83.47.75 2 ec2-54-83-47-75.compute-1.amazonaws.com; United States (US)
54.86.14.226 2 ec2-54-86-14-226.compute-1.amazonaws.com; United States (US)
54.149.137.41 2 ec2-54-149-137-41.us-west-2.compute.amazonaws.com; United States (US)
54.157.197.20 2 ec2-54-157-197-20.compute-1.amazonaws.com; United States (US)
54.173.247.253 2 ec2-54-173-247-253.compute-1.amazonaws.com; United States (US)
54.243.64.201 2 ec2-54-243-64-201.compute-1.amazonaws.com; United States (US)
64.19.195.138 2 64-19-195-138.c7dc.com; United States (US)
64.40.136.36 2 ; United States (US)
64.60.63.18 2 64-60-63-18.static-ip.telepacific.net; United States (US)
64.61.65.67 2 static-64-61-65-67.isp.broadviewnet.net; United States (US)
64.135.85.4 2 mail.mmpusa.com; United States (US)
64.203.121.118 2 static-64-203-121-118.static; United States (US)
65.25.200.33 2 cpe-65-25-200-33.new.res.rr.com; United States (US)
65.26.224.113 2 cpe-65-26-224-113.wi.res.rr.com; United States (US)
65.35.122.111 2 65-35-122-111.res.bhn.net; United States (US)
65.51.130.102 2 41338266.cst.lightpath.net; United States (US)
65.184.92.138 2 cpe-65-184-92-138.sc.res.rr.com; United States (US)
66.103.3.246 2 ; United States (US)
66.161.214.122 2 cvg-partners.static.fuse.net; United States (US)
66.172.199.188 2 static.longlines.com; United States (US)
66.194.51.146 2 66-194-51-146.static.twtelecom.net; United States (US)
66.199.16.130 2 asg.sbc.net; United States (US)
66.207.228.204 2 vancestmed1.intrstar.net; United States (US)
67.52.39.30 2 rrcs-67-52-39-30.west.biz.rr.com; United States (US)
67.135.195.250 2 67-135-195-250.dia.static.qwest.net; United States (US)
67.136.185.218 2 ; United States (US)
67.177.69.207 2 c-67-177-69-207.hsd1.al.comcast.net; United States (US)
67.182.27.250 2 c-67-182-27-250.hsd1.ca.comcast.net; United States (US)
67.199.46.32 2 ; United States (US)
67.210.56.23 2 ; United States (US)
68.10.137.200 2 ip68-10-137-200.hr.hr.cox.net; United States (US)
68.34.50.181 2 c-68-34-50-181.hsd1.mi.comcast.net; United States (US)
68.129.33.18 2 static-68-129-33-18.nycmny.fios.verizon.net; United States (US)
68.198.150.65 2 ool-44c69641.dyn.optonline.net; United States (US)
69.19.187.134 2 69-19-187-134.static-ip.telepacific.net; United States (US)
69.77.156.178 2 69-77-156-178.static.skybest.com; United States (US)
69.87.217.243 2 CLOUD-89T44LGN2; United States (US)
69.125.1.18 2 ool-457d0112.dyn.optonline.net; United States (US)
69.160.54.11 2 WEB2012; United States (US)
69.174.171.150 2 c185915-v3292-01-static.csvlinaa.metronetinc.net; United States (US)
69.193.209.138 2 rrcs-69-193-209-138.nyc.biz.rr.com; United States (US)
70.60.5.210 2 rrcs-70-60-5-210.central.biz.rr.com; United States (US)
70.89.79.211 2 70-89-79-211-georgia.hfc.comcastbusiness.net; United States (US)
70.90.200.250 2 70-90-200-250-albuquerque.hfc.comcastbusiness.net; United States (US)
70.90.212.126 2 70-90-212-126-saltlake.hfc.comcastbusiness.net; United States (US)
70.169.140.124 2 wsip-70-169-140-124.hr.hr.cox.net; United States (US)
70.171.217.25 2 ip70-171-217-25.tc.ph.cox.net; United States (US)
70.182.31.80 2 wsip-70-182-31-80.fv.ks.cox.net; United States (US)
70.182.247.14 2 wsip-70-182-247-14.ks.ks.cox.net; United States (US)
71.43.115.10 2 rrcs-71-43-115-10.se.biz.rr.com; United States (US)
71.95.178.34 2 71-95-178-34.static.mtpk.ca.charter.com; United States (US)
71.125.51.247 2 pool-71-125-51-247.nycmny.fios.verizon.net; United States (US)
71.126.153.21 2 static-71-126-153-21.washdc.fios.verizon.net; United States (US)
71.174.248.106 2 static-71-174-248-106.bstnma.fios.verizon.net; United States (US)
71.186.195.114 2 static-71-186-195-114.bflony.fios.verizon.net; United States (US)
71.189.243.4 2 static-71-189-243-4.lsanca.fios.frontiernet.net; United States (US)
71.191.80.42 2 static-71-191-80-42.washdc.fios.verizon.net; United States (US)
71.207.69.236 2 c-71-207-69-236.hsd1.pa.comcast.net; United States (US)
71.224.178.158 2 c-71-224-178-158.hsd1.pa.comcast.net; United States (US)
72.16.147.58 2 72-16-147-58.customerip.birch.net; United States (US)
72.38.44.180 2 d72-38-44-180.commercial1.cgocable.net; Canada (CA)
72.82.230.95 2 static-72-82-230-95.cmdnnj.fios.verizon.net; United States (US)
72.167.43.200 2 ip-72-167-43-200.ip.secureserver.net; United States (US)
72.174.248.122 2 host-72-174-248-122.static.bresnan.net; United States (US)
72.204.63.192 2 ip72-204-63-192.fv.ks.cox.net; United States (US)
72.215.140.252 2 wsip-72-215-140-252.pn.at.cox.net; United States (US)
72.215.215.20 2 wsip-72-215-215-20.no.no.cox.net; United States (US)
72.227.80.102 2 cpe-72-227-80-102.maine.res.rr.com; United States (US)
72.253.213.131 2 ; United States (US)
73.69.143.242 2 c-73-69-143-242.hsd1.ma.comcast.net; United States (US)
73.71.29.17 2 c-73-71-29-17.hsd1.ca.comcast.net; United States (US)
73.142.239.31 2 c-73-142-239-31.hsd1.ct.comcast.net; United States (US)
73.146.72.35 2 c-73-146-72-35.hsd1.in.comcast.net; United States (US)
73.189.105.76 2 c-73-189-105-76.hsd1.ca.comcast.net; United States (US)
73.208.34.64 2 c-73-208-34-64.hsd1.in.comcast.net; United States (US)
74.92.21.17 2 74-92-21-17-newengland.hfc.comcastbusiness.net; United States (US)
74.93.101.9 2 remote.youthfulinnovations.com; United States (US)
74.116.23.151 2 smoke2.bgglobal.net; United States (US)
74.118.182.77 2 res.anniversaryinn.com; United States (US)
74.143.195.146 2 rrcs-74-143-195-146.central.biz.rr.com; United States (US)
75.146.75.109 2 75-146-75-109-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.146.145.189 2 75-146-145-189-stlouispark.mn.minn.hfc.comcastbusiness.net; United States (US)
75.147.156.185 2 75-147-156-185-naples.hfc.comcastbusiness.net; United States (US)
75.149.28.17 2 75-149-28-17-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.30.201 2 75-149-30-201-pennsylvania.hfc.comcastbusiness.net; United States (US)
75.149.129.98 2 75-149-129-98-connecticut.hfc.comcastbusiness.net; United States (US)
75.150.153.121 2 75-150-153-121-philadelphia.hfc.comcastbusiness.net; United States (US)
75.151.22.138 2 75-151-22-138-michigan.hfc.comcastbusiness.net; United States (US)
81.149.32.248 2 host81-149-32-248.in-addr.btopenworld.com; United Kingdom (GB)
81.149.160.149 2 host81-149-160-149.in-addr.btopenworld.com; United Kingdom (GB)
81.184.4.81 2 81.184.4.81.static.user.ono.com; Spain (ES)
82.70.235.49 2 mail.o-mills.co.uk; United Kingdom (GB)
82.152.42.172 2 ; United Kingdom (GB)
82.163.78.211 2 deals0.outdoor-survival-deals.com; United Kingdom (GB)
84.253.23.243 2 243.23.253.84.static.wline.lns.sme.cust.swisscom.ch; Switzerland (CH)
89.107.57.168 2 CLOUD-CBNJJIKJU; United Kingdom (GB)
93.174.93.162 2 no-reverse-dns-configured.com; Seychelles (SC)
94.173.101.19 2 fpc88091-dund16-2-0-cust18.16-4.static.cable.virginm.net; United Kingdom (GB)
95.143.66.10 2 cpe-et001551.cust.jaguar-network.net; France (FR)
96.2.4.59 2 96-2-4-59-dynamic.midco.net; United States (US)
96.48.86.169 2 s0106002719d04b85.vf.shawcable.net; Canada (CA)
96.56.31.221 2 ool-60381fdd.static.optonline.net; United States (US)
96.56.105.10 2 ool-6038690a.static.optonline.net; United States (US)
96.80.174.85 2 96-80-174-85-static.hfc.comcastbusiness.net; United States (US)
96.80.253.177 2 96-80-253-177-static.hfc.comcastbusiness.net; United States (US)
96.83.33.185 2 96-83-33-185-static.hfc.comcastbusiness.net; United States (US)
96.83.155.97 2 96-83-155-97-static.hfc.comcastbusiness.net; United States (US)
96.85.147.121 2 96-85-147-121-static.hfc.comcastbusiness.net; United States (US)
96.86.193.203 2 96-86-193-203-static.hfc.comcastbusiness.net; United States (US)
96.87.90.37 2 96-87-90-37-static.hfc.comcastbusiness.net; United States (US)
96.89.250.225 2 96-89-250-225-static.hfc.comcastbusiness.net; United States (US)
96.91.83.141 2 96-91-83-141-static.hfc.comcastbusiness.net; United States (US)
96.91.100.241 2 mail.holidayorg.com; United States (US)
96.91.120.121 2 96-91-120-121-static.hfc.comcastbusiness.net; United States (US)
96.93.179.141 2 96-93-179-141-static.hfc.comcastbusiness.net; United States (US)
96.95.3.53 2 96-95-3-53-static.hfc.comcastbusiness.net; United States (US)
96.248.216.162 2 static-96-248-216-162.nrflva.fios.verizon.net; United States (US)
96.250.18.213 2 pool-96-250-18-213.nycmny.fios.verizon.net; United States (US)
96.254.199.133 2 static-96-254-199-133.tampfl.fios.frontiernet.net; United States (US)
97.64.238.118 2 97-64-238-118.client.mchsi.com; United States (US)
97.74.229.216 2 ip-97-74-229-216.ip.secureserver.net; United States (US)
98.209.200.34 2 c-98-209-200-34.hsd1.mi.comcast.net; United States (US)
100.8.29.162 2 static-100-8-29-162.nwrknj.fios.verizon.net; United States (US)
100.12.162.203 2 mail.comjem.com; United States (US)
104.187.243.229 2 104-187-243-229.lightspeed.lnngmi.sbcglobal.net; United States (US)
104.207.135.1 2 104.207.135.1.vultr.com; United States (US)
107.180.77.25 2 ip-107-180-77-25.ip.secureserver.net; United States (US)
108.20.79.148 2 pool-108-20-79-148.bstnma.fios.verizon.net; United States (US)
108.39.247.102 2 pool-108-39-247-102.pitbpa.fios.verizon.net; United States (US)
108.53.118.53 2 pool-108-53-118-53.nwrknj.fios.verizon.net; United States (US)
108.58.195.45 2 ool-6c3ac32d.static.optonline.net; United States (US)
108.60.201.195 2 ; United States (US)
108.61.251.119 2 108.61.251.119.vultr.com; Australia (AU)
108.207.58.163 2 108-207-58-163.lightspeed.lnngmi.sbcglobal.net; United States (US)
109.169.19.116 2 ; United Kingdom (GB)
122.226.196.254 2 ; China (CN)
128.59.46.66 2 dyn-128-59-46-66.dyn.columbia.edu; United States (US)
131.156.136.114 2 ; United States (US)
132.160.48.210 2 ; United States (US)
144.202.132.50 2 144-202-132-50.baltimoretechnologypark.com; United States (US)
146.255.7.75 2 ; United Kingdom (GB)
148.74.244.26 2 ool-944af41a.dyn.optonline.net; United States (US)
162.17.170.225 2 mail.architecturalsheetmetal.com; United States (US)
162.230.118.128 2 162-230-118-128.lightspeed.sntcca.sbcglobal.net; United States (US)
162.231.82.33 2 adsl-162-231-82-33.lightspeed.irvnca.sbcglobal.net; United States (US)
162.246.155.16 2 ; United States (US)
166.62.43.55 2 ip-166-62-43-55.ip.secureserver.net; United States (US)
172.87.144.170 2 rrcs-172-87-144-170.sw.biz.rr.com; United States (US)
172.95.25.4 2 ; United States (US)
173.8.227.70 2 173-8-227-70-denver.hfc.comcastbusiness.net; United States (US)
173.10.137.213 2 173-10-137-213-busname-washingtondc.hfc.comcastbusiness.net; United States (US)
173.12.152.209 2 mail.bfbarchitects.com; United States (US)
173.13.72.50 2 outbound.oceanedge.com; United States (US)
173.14.78.21 2 173-14-78-21-sacramento.hfc.comcastbusiness.net; United States (US)
173.14.220.253 2 173-14-220-253-atlanta.hfc.comcastbusiness.net; United States (US)
173.26.48.212 2 173-26-48-212.client.mchsi.com; United States (US)
173.48.246.52 2 pool-173-48-246-52.bstnma.fios.verizon.net; United States (US)
173.160.91.10 2 173-160-91-10-atlanta.hfc.comcastbusiness.net; United States (US)
173.161.162.68 2 173-161-162-68-philadelphia.hfc.comcastbusiness.net; United States (US)
173.161.224.209 2 173-161-224-209-philadelphia.hfc.comcastbusiness.net; United States (US)
173.193.164.178 2 b2.a4.c1ad.ip4.static.sl-reverse.com; United States (US)
173.197.34.18 2 rrcs-173-197-34-18.west.biz.rr.com; United States (US)
173.220.18.197 2 ool-addc12c5.static.optonline.net; United States (US)
184.16.110.66 2 ; United States (US)
184.176.201.40 2 aexec.com; United States (US)
184.183.152.219 2 wsip-184-183-152-219.ph.ph.cox.net; United States (US)
185.52.248.40 2 ; Germany (DE)
185.129.148.169 2 ; Latvia (LV)
192.198.250.202 2 rrcs-192-198-250-202.sw.biz.rr.com; United States (US)
199.96.115.98 2 ; United States (US)
204.193.139.81 2 ; United States (US)
206.145.187.193 2 morriselectronics.net; United States (US)
208.38.233.43 2 c187290-03-v3409-static.nmchinaa.metronetinc.net; United States (US)
208.75.244.130 2 mail.aisin-electronics.com; United States (US)
208.105.170.100 2 rrcs-208-105-170-100.nys.biz.rr.com; United States (US)
208.180.181.72 2 208-180-181-72.mdlncmtk01.com.sta.suddenlink.net; United States (US)
209.240.184.73 2 OGKCPIPE.nwol.net; United States (US)
213.109.80.18 2 s-213-109-80-18.under.net.ua; Ukraine (UA)
216.81.103.42 2 ; United States (US)
216.170.126.36 2 ; United States (US)
216.176.177.92 2 ; United States (US)

A new brute force protection platform – Are you up for it ?

brute force protection
I firmly believe there’s a need for good brute force protection products. The ones currently available simply aren’t good enough for larger corporate needs or Cloud Service Providers really or they’re too expensive and complicated to use..

Some possible improvements are already out there for some of them such as Cyberarms going Open Source. At the time I helped start up Syspeace, I would say that Cyberarms was the main competitor and I was really surprised and sad they eventually decided to end their business.

With that said, there’s a good foundation using their code and improving it and modernizing it because there’s a lot of critical things missing in there in order to actually be useful for enterprises the way I see it. Actually, quite a few and there needs to be new functionality in there too. Not really disclosing my thoughts here about it though.

The ways to go about this, the way I see anyway, is to …

Open Source and brute force prevention

… sit down and have a close look at for instance the Cyberarms code and help out as an Open Source developer and try to get a product that’s free and beneficial for everyone.
The downside to that is, as with most Open Source, that if you’re a system administrator and something doesn’t work, you might want to have access to an actual support, helpdesk and getting help in troubleshooting. You also may want to be assured that development will continue.
You simply don’t have the time to search forums or read through the code to try and figure out what’s wrong or how to improve it and often enough, system administrators aren’t developers. I know I’m not very good at writing code myself anyway.

There’s also the risk of people coding losing the interest of an Open Source project, since they don’t make any money out of it and eventually start feeling they’re just wasting free time, resulting in that the product will eventually just die or stay stagnant and eventually become obsolete.

Creating a new brute force protection platform as a business idea

The second path would be to start up a new project with developers, marketing people and investors to actually build a product that is useful for enterprises and cloud providers and so on. Such a product needs to have quite a lot of functionality added compared to the ones that are already out there but with the right people and effort, it can be done. I’m absolutely sure of it.
These new ideas and functionalities are probably best provided by people who actually deal with these questions on a day to day basis i.e System Administrators, Server Managers and so on…

As you may or may not know I was previously deeply involved in the creation and startup of Syspeace.
I had the original idea for a brute force protection software and was a part of most aspects it but unfortunately we just couldn’t agree on what was reasonable on the business side of it once our initial agreement ended so I decided to go with the “live and let die” policy.
It basically just took too much energy from me to haggle and not getting anywhere really and frankly, the project had become stagnant the way I saw it so consider this plan B.

The future then? Can it be made viable as a business idea?

Basically what I’m driving at is this, are there the right people out there? Anyone up for starting up a new project and try to create an even better brute force protection and security platform with me?
I have already had a few feelers with other companies and there is an interest to be part of such a project. The best scenario would probably be to get in touch with a development company that already has developers and want to broaden their portfolio with a security product but on the other hand, it can be a very small staff of people doing it too.

I’m not opposed to investing myself also and since I know the finances behind such a product and what it can generate I have a reason to believe in it, both technically and businesswise.
Remember, the market is worldwide. It’s not geographically confined and that’s why I’m actually writing this in English, although for me personally, the startup of such a project would be easier if it were in Sweden. I’m. just thinking practically.

I’ve already done it once and I believe it can be done again but even better. I’ve already seen the mistakes so to speak.
Of course, there are other ways too, such as Crowdfunding and FundedByMe and all that but I firmly believe not only do you have to have the finances settled but also be sure to have the right people involved, willing to invest their time and focus.

At the moment it’s just a thought from my side and nothing has really taken any shape (apart from registering a domain for it really) but I would hate to throw away all the ideas, knowledge and experience I have around such a project. I think I have a pretty good inkling of budgets, the business side and of course the technical aspects and functionality of what such a product should be.

So, if you’re up for it, just contact me or give me call and say hi and we’ll take it from there?

I think the time would be more or less now because I’m certain there’s stuff going on in other places too so in order to get a product up and running and get market shares, this would be the time to do it.

Ditt namn (obligatorisk)

Företag

Din epost (obligatorisk)

Telefon

Ämne (obligatorisk)

Ditt meddelande (obligatorisk)

När och hur vill ni bli kontaktade?
TelefonE PostPersonligt möteFörmiddagEftermiddagKväll

Vad gäller saken ? Välj en eller flera områden om du vill

Från när behöver ni hjälp ?

Skriv in nedanstående text för verifiering (obligatorisk)

captcha

 

Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself and the original can be found here . I might add a few thing in here but is very good strat indeed. Well done
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Den här listan är en väldigt bra början för att planera och förhindra olika typer av attacker och hantera säkerhetsaspekter från olika synvinklar.

För hjälp med frågor som dessa, kontakta mig gärna här

 

backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace mitigation strategies

MITIGATION STRATEGIES

Mitigation strategies summary

Relative security effectiveness rating Mitigation strategy Potential user resistance Upfront cost (staff, equipment, technical complexity) Ongoing maintenance cost (mainly staff)
Mitigation strategies to prevent malware delivery and execution
Essential Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Medium High Medium
Essential Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Low High High
Essential Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. Medium Medium Medium
Essential User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Medium Medium Medium
Excellent Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. Low High Medium
Excellent Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. Medium Medium Medium
Excellent Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. Medium Medium Medium
Excellent Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. Medium Medium Low
Excellent Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Low Low Low
Very good Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. Low Medium Medium
Very good Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. Medium Medium Low
Very good Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Very good Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. High High Medium
Very good Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. Low Low Low
Good User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. Medium High Medium
Limited Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Limited TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. Low Low Low
Mitigation strategies to limit the extent of cyber security incidents
Essential Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Medium High Medium
Essential Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Low Medium Medium
Essential Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. Medium High Medium
Excellent Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. Low Medium Low
Excellent Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. Low High Medium
Excellent Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. Medium Medium Low
Very good Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. Medium Medium Medium
Very good Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. Low Medium Medium
Very good Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. Medium Medium Medium
Very good Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. Medium Medium Medium
Mitigation strategies to detect cyber security incidents and respond
Excellent Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. Low Very
high
Very
high
Very good Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. Low Medium Medium
Very good Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. Low Medium Medium
Very good Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. Low Very
high
Very
high
Limited Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. Low High Medium
Limited Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. Low High Medium
Mitigation strategies to recover data and system availability
Essential Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Low High High
Very good Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. Low High Medium
Very good System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. Low High Medium
Mitigation strategy specific to preventing malicious insiders
Very good Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. High High High

 

 

For questions or help within these areas, please feel free to contact me here

Securing Windows Server with a baseline security

JufCorp AB hjälper företag och föreningar med frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace

Securing Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security.  That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

 

Securing Windows Server with an acceptable baseline security

  • 1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.
  • 2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for Servers and Workstations for lots of reasons. It’s not just a pretty logo. If you need licenses or assistance, please feel free to contact me here
  • 3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.
  • 4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
  • 5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.
  • 7. Have a good monitoring and inventory system in place such as the free SpiceWorks and I also recently discovered Sitemonitoring at Sourceforge that I liked. Unfortunately Sitemonitoring only works for HTTP responses , I’d love to also have it work for pure port monitoring.
  • 8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared incas of hardware failures. If possible, also have spare parts readu for the common failures such as hard drives and PSu (Power Supply Units)
  • 9. Use Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.
  • 10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able.
    Yes, think Mr. Snowden.Think NSA. There’s a few more things to consider when installing SSL on servers such as disabling weak cryptos and testing you´v done so correctly. I like using SSL Labs free test.
  • 11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.
  • 12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
    If people are having trouble remembering passwords the have all over the world, maybe you could have them read this blog post I wrote about rememebering complex passwords
    and on the topic of online passwords and identities, they migh also want to read this post about protecting your online identity  also.
  • 13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post (still on the Syspeace Blog site though )  on why
  • 14. Backups! Backups! and again. BACKUPS!!
    Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
    You can also use the built in Windows Server backup for DR as described here
  • 15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why . I you don’t have the time to read the article then simply download the free Syspeace trial or contact me for licenses and consulting regarding Brute force prevention

If you’re up for it, I’ve written a few other related posts here:

Securing your datacenter part 1 – Physical aspects
and
Securing your datacenter part II – Networking

There’s also a third one but to be honest , I can’t remember where I published it. This is one of the reasons I’m moving basically everyting I’ve written to my own website instead . Easier to maintain .
Keep it simple and easy is alway a good approach. 🙂

By Juha Jurvanen @ JufCorp

#cybersecurity How to block a brute force attacks against Windows Servers, #MSExchange, Remote Desktop and more

Syspeace - intrusion prevention for Windows servers

How to block a brute force attack against Windows Servers, Exchnage Server, remote Desktop

If your server or datacenter is targeted by a brute force attack a.k.a dictionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.

However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 6,5 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Server including the webmail (OWA) and SMTP connectors, Citrix, Sharepoint,SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not constantly monitoring logfles.

On this blog, https://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

By Juha Jurvanen

Syspeace crashes / not starting due to database growth over 4 GB

Syspeace crashes / not starting due to database over 4 GB

Syspeace is a brute force prevention software for Windows Servers, Exchange Servers, RDS and more.

One issue with the current version of Syspeace is the scenario where the Syspeace GUI can’t be started and Syspeace crashes due to it’s database growing too large and here is why.

When the database called SCDB1.sdf (located in the Syspeace installation directory) grows above its built in limit of 4 GB, Syspeace stops working and the GUI can’t be started, nor does Syspeace block any new brute force attacks.
This is due to a limitations of database groxth and the way Syspeace stores entries within the database in the current version (2.5.2).

Here is a (blurry) picture of the error message. It’s basically a .Net error message saying that the database has grown larger than its built in limitation.

syspeace crashes database 4 gb

Solution / Workaround

The easiest way to workaround this limitation is to stop the Syspeace service and simply delete the database and set up your rules and settings again. This will mean setting up your whitelists, entering licensnumber, rules and so on.

Preparing for this scenario

It is easy to be prepared for this though. Simply export all of the Syspeace settings using the Syspeace GUI ( Export settings/ and click the “Check all” in the top right ) and keep the DefaultSettings.syspeaceSettings in the Syspeace installation folder. Remember to do this every time you apply changes to your settings.
This will ease the workaround-fix from the aspect that you only need to stop the Syspeace service,delete the database that and then restart Syspeace thus having it automatically import all of your settings.

There is also the advantage of being able to distribue the DefaultSettings.syspeaceSettings-file to other servers in case you have multiple installations or you’re planning on expanding your Syspeace usage.

Simply install Syspeace on the next server, copy the DefaultSettings.syspeaceSettings to the installation directory and your configuration is set to the same parameters as the first one, including whitelists, license number, email settings and so on.

By Juha Jurvanen

Sad to see Cyberarms fail

Sad to see Cyberarms fail

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Today, I had a look at the Cyberarms website since I of course like to see what’s going on out there. I liked some of their ideas and I did see potential in there.

To my surprise they have decided to quit developing Cyberams and also to completely halt their operations apart from licensing renewals.

Their deficit is 250 000 euro so that saddens me of course when any business venture fails.
It’s never just a job for people in my line of work and as a business owner I do know what the owners and CEO and everyone is going through. It’s absolutely horrible with sleepless nights, feeling of failure and everything.
To develop a product and a software, especially for a new kind of thinking in terms of security, and actually getting system administrators, CEOs, CTOs and so on to realize actually that it needs to be in place isn’t easy and it’s very important to keep track of costs and also to know that development is moving forward as expected.
It’s not always a good thing to be some of the first in their field. Especially to try to make it commercially. Having the right people , business plan and everything is crucial.

Still, the need for a good and stable brute force prevention software for Windows Servers is still just as valid and important as ever. If not even more, considering all the private and public cloud solutions that are emerging. For instance, remember, Syspeace was born out of necessity from the Cloud Service rCloud Office at Red Cloud IT in Sweden.

Cyberarms will release their source code to customers with more than 250 licenses so there is always the possibility that it will be developed further but most likely only for the use at those customers inhouse and for their own needs.
To uphold a software and keep developing it when written by someone else can be very time consuming indeed and as a developer you also need to get new ideas from the guys who had the original idea.
Even though the person with the idea isn’t the same one who actually writes the code, that person is still often the one with the vision and ideas for the next level and what it should actually be.

For obvious reasons I am prone to using Syspeace but it still made me sad to see Cyberarms fail.

In the case of Cyberarms, one of the unfortunate miscalculations was that there was a free version that blocked x amount of attacks per day. The rest weren’t blocked.
For some system administrators, that was enough (I don’t really see why that would be enough . I mean , let’s block these three attacks but let these other 50 keep going but .. anyway …. ) so Cyberarms basically gave away a semi-full protection thus not getting the licenses sold needed to be able to further develop the product and to keep marketing and staff and etc.

This was also discussed in the Syspeace team as a possible way to reach out to new customers but we decided to make it a fully functional trial instead since we did see the risk in what happened to Cyberarms would happen to Syspeace too i.e. people only using the free version and being content with the semi-full functionality.

So, as sad I am to see them go, hopefully this might at least have more users and sysadmins to have a look at Syspeace for Windows Server protection. Regardless if it’s RDP, Citrix, SQL, Exchaneg OWA and more. If it’s reachable, people will try to brute force it.
The problem is there and now there’s one less security software to choose from to protect from it.

Juha Jurvanen

NTLM settings and other fun labs searching for missing IP adresses in eventid 4625 or trying to get RemoteAPP to work well with RD Client on iPad, Android and even Windows!

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Using SSL causes mssing IP adresses in eventid 4625 and to get them back .. disable NTLM ? Nope. Not really an option

Today I took me a lab day to actually sit down and spend time with the NTLM settings and the RDWEB and try it out on various platforms and do some more or less scientific testing.
In short, I’äm not impressed by how Micropsoft has actually implemented parts of ther stuff..

I used Windows 10, RD Client for IOS and RD Client for Android. The server infrastructure was a Windows Server 2008 R2 with valid SSL certficates for all services.

The underlying problem is basiaclly that if you use an SSL certificate for your RDP connections , failed logins aren’t correctly dispalyd , i.e. your missing IP adresses in eventid 4625. (When not using an SSL certficate , it is recorded but then your users and customers get a lot of warnings when connecting to your servers and some things just donät work very well sucha as the Webfeed for RD Web)

Syspeace is a Host Intrusion Prevention Software that uses this inormation about the source IP address to block brute force attacks against Windows Servers.

One way around this is to disable incoming NTLM traffic and sure enought , all IP addresses are recorded.

The downside is .. only “full” RDP connections will work meaning that for instance connections to a server desktop works fine but if you’re really into RemoteAPP (and that’s the way I want to go and a lot of tekkies with me) you’ll be running into problems.
And, by th way.. frankly, full desktop session don’t work either from IOS (at least remote Desktop Client 8.1.13 and my iPad, they do from Android though, same server, same username and so on)

Not even Windows really working correctly when disabling NTLM ?

I also did some testing for fun by creating a .wcx file and oddly enough. In order to get that to actually work with Windows 10 (and I’m guessing it’s the same for Windows 7 and so on ) , It just refuses to connect to the RemoteApp service if incoming NTLM is disabled.
I can howerver start a normal Desktop Session against the server so, what I would claim is that the fault is actually within RD Web and the way it handles authentication, requiring some parts to be using NTLM.
The usual RD Web login interface works so far that I can login and see the resources but I can’t start any applications from it. No errors, nothing.
If enabling NTLM, I can start the applications just fine. Once again. NTLM has to be enabled in order for full functionality 🙁

So, basically, if I change the policy settings for the RD Server not to allow incoming NTLM traffic in order to be able to actually handle a bruteforce attack and also keep track of failed logins with informaion that’s actually useful for me as a sysadmin and CSO

These are by the way the settings I’m referring to

Computer Configuration\Windows Settings\Security Settings\Security Options

– Network security: LAN Manager authentication level — Send NTLMv2 response only. Refuse LM & NTLM
– Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Enable auditing for all accounts
– Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts

Regardless of how I try, I can’t get it to work to actually add remoteapp resources (or Remote Resource Feed) neither Windows 10, nor IOS, nor Android.

So, what are the implications of this ? Does it matter ? Do we need the source IP address in 4625?

First of all, the way this is handled within Windows Server is an absolut nightmare and frankly, just usesless and I can’t see any reason for Microsoft developers to leave the IP address out when using SSL certificates or at least have another entry in the eventlog for it containg useful information.
It’s not possible to handle brute force attacks natievly within Windows Server as I’ve written about many times earlier.

The biggest problem is of course that if someone tries to bruteforce your server, then how will you stop the attack ? How do you gather evidence ?
If your’e running a larger server environment and hosting customers and so on , you’ll have no way of knowing what attempts are legitimate customers and user and which ones aren’t really.
You can hardly shut down your services can you ?

At the moment , I don’t have a good solution to this problem. Syspeace catches lots and lots of bruteforce attacks for me but these ones it can’t since it doesn’t have any IP address to block.
I’m just hoping for Microsft to actually solve this on the server side since that would be the easiest fix for them I’d say.
Of course they also neeed to get the RDP clients working for all platforms but basically it should be working with NTLM2 at least and also to log the failed logon request correctly if using an SSL certficate. Anthing else is just pure madness and stupidity to be honest and someone should get fired for not thinking ahead.

By Juha Jurvanen @ JufCorp

The anatomy of hacking attacks and a few countermeasures

konsult inom backup It säkerhet molntjänster hacking attacks

Various hacking attacks against servers and users

First of all, there are multiple types of hacker attacks and they all have different purposes.
There are also many different types of hackers and they all have cool names like “White hat” hackers and “Black hat” hacker.
The White Hat ones are usually the security experts hired at a company to check and verify the IT security measures at other companies.
The Black Hat hackers are not. They’re the ones to be afraid of.
I’m neither of them. I’m simply a consultant and the best of these guys know far more about theses things than I do but still, I thought I’d run through a few common attacks targeted to accomplish various things.

There are many reasons why an attacker wants to hack you.

It could be hacktivism and political reasons or an attempt to gain access to your server to be able to use it for hacking others (basically they want access to your CPU, RAM and disk to hide stolen data and tools, mine for Bitcoins or whatever and to have an IP address to use, not leading back to their own).
There’s a few very cool and easy ways to hide files on servers that ar more or less impossible to find such as hiding a file “behind” another file and so on.

Of course in some cases it can also be about trying to steal company secrets (industrial espionage), possibly a former (or current for that matter, internal data theft and hacking is far more common than you’d expect) discontent employee looking to sabotage or looking for revenge or in some cases, just for the fun of it to see if it can be done.

The pre-run. Checking out your site, server with portscans and bruteforce atttacks

First of all, any hacker will need to know what you’re running and what it looks like. “Know thy enemy” so to speak.
Usually a portscan of your servers will reveal quite a lot of information and there are loads of tools to do this, quietly, undetected and efficiently such as nmap or even Google actually.

In order to make it a bit more difficult for them I’d suggest you have your firewall correctly configured for blocking portscans, your servers on a DMZ and also to hide any banner revealing what software you’re running and what version. This can’t be done with all software I’m afraid but the ones that you can, please consider doing so.
For a hacker to know exactly what you’re running will only make his/her life much easier since all they do is to start
looking for any known vulnerabilities and so called exploits to that software and version.
Usually software developers have released a patch but unfortunately, a lot of software never gets updated in time due to the old “if it works, don’t fix it” attitude among a lot of server tekkies and hosting providers.

Another thing is to move all default pages and scripts (or delete them if you’re not using them) to make a bit more difficult to figure out what you’re actually running and how it is setup. Have for instance 404 error messages redirected to the start page or Google or your worst competitor and also 403 errors ..

DoS attacks and DDoS attacks and also hiding behind them.

A DoS attack is a “Denial of Service” attack which means that your server is in some way attacked and made to stop servicing your clients / users or customers the way it’s supposed to, for instance your webmail / OWA or a webshop or RDP services.

This can be accomplished in many ways. A DDoS attack is a DoS attacked but with the difference that it is a Distributed DOS attack meaning there are a lot of more computers involved in doing the attack.
These attacks often have the main purpose of taking a website down by overloading it really.

If you’ve got a web server servicing for instance a webshop and a hackergroup for some reason don’t like you, they’ll get a few hundred thousand computers around the world to ask for a specific document or picture on your website, thus overloading it so it can’t really service your customers since the server is busy handling the bogus requests.

It is not uncommon also for a hacker to hide behind these attacks to try and find out what kind of countermeasures you have in place such as Syspeace. The idea behind it is basically to became invisible in all the log noise a DDoS attack generates.

Worst case, hacking attacks such as this can actually go on for weeks and it has happened often. That is also simply an extortion. “If you pay us this and this much , your webshop will be back online again, otherwise not”. For some companies this of course could be an absolute disaster, imagine for instance around the Christmas sales.

Now, it might sound impossible to find a few hundred thousand computers to get such an attack underway. It’s not. They’re out there in botnets spread over VPS and physical machines and they’re for hire even. Including a trial run and with support.
Brave new world ..

There are ways to handle these attacks. For instance increasing the service capacity on the server, increasing you bandwidth and also have a talk with your ISP on how to mitigate the attacks if they have solutions in place for it. You could also have for instance a powerful SNORT server in front of the firewall to get rid of some of the traffic. You should also have Syspeace in place for handling the bruteforce atatcks

Poorly updated applications or neglected updates and 0day exploits

If a server is poorly updated and the application/website is sensitive for instance that the hacker simply adds some code against the webaddress trying to browse the file system on the server then this can also render in a DOS attack or even worse, the attacker gets hold of the users and administrator/ root passwords. Once they’ve got that, your pretty much ..well. you won’t be having a good day. Basically you need to make sure your webserver is always correctly updated, and you also need to make sure that the underlying file system can’t be reached from the outside more than absolutely necessary.
Make sure you checked every directory and path on the website and what actually is reachable, writeable and browsable. If you’ve got pages you don’t want indexed then hadndle that in the robots.txt or have them secured behind a user login page.If you’re running a Wordporess site, make sure you hav alarma set up for outdated plugins, changes to files and so on and and make sure to deal with it asap.

Unfortunately, from time to time there are also so called 0day exploits out in the wild and those are very hard to defend yourself against. If get alerted that there is one in the wild for your environment, please keep alert and stay on your toes until a patch is released and follow any best practices released by the vendor! This can also fall under the category viruses and trojans further down.

SQL Injections and badly formatted requests

If the website uses a SQL Server / MySQL or has any input form to validate or gather something, please make sure that the application strips away any characters that could make your server vulnerable to SQL Injections since the SQL Server is usually run with administrative rights making the SQL Server injections being run with high privileges and accessing the operating system.

If you don’t know how the application is written, please contact the developers of it and ask them and have them verify this.

For any part of the website where there are input forms, makes sure that all input is validated in terms of what characters are used and how long the input is.
If a website is poorly written and poorly validated, a memory buffer overflow can occur which basically means that the input is so large or strangely formatted that the server will stop working or even give the attacker access to the servers operating system by overwriting stuff in the RAM in a way that it’s not supposed to.

Viruses, rootkits and trojans.

If an attacker has been able to lure your users to a site that contains infected code (sometimes also called drive by hacking) and the web browser or plugins to it (Java, Adobe, Flash and so on) are sensitive to that particular infections you user might come down with an infected computer.
Depending on what actually has been infected and why the consequences vary of course.

This is often done by sending emails with links to websites or trying to get user to plug in an infected USB stick into their PC.

I’ve heard of companies that have been affected with a virus rendering them unable to work since nobody was allowed to even plug in their computers to the work networks until they could be sure they’d got rid of it. In this case it was a lot of computers so I think it took them 3 week until people actually could start working again, 3 weeks without any work. That’s a costly thing for any company.The same standstill could also come from a ransom virus, basically encrypting all your files and you’ll have to pay money to get the right decryption password.

The way to minimize such a horrible standstill is to make sure that ALL of your devices connecting to the network are properly updated with antivirus products (please do not use the free ones ..ever!) but also you need to make sure that any other software is properly updated . Java, Flash, and the operating system itself .
This also goes for workstations connecting from home and so on or otherwise you might be in for a bad day. You should also be very restrictive when it comes to letting users use USB drives and stuff. They might be infected with something.

MITM – Man in the Middle, proxies and easedropping

If you’ve got a corporate network, you want to know what devices actually are on it and why. If someone for instance sets up a computer and has all of the corporate traffic routed through (by acting a proxy) , all of your communicating is being copied and this can be done in various ways. The same goes actually for you if you’re using public WiFi hot spots which I would never recommend anyone really using. To intercept data isn’t very difficult unfortunately, especially if it isn’t protected by valid certificates.
You need to use valid SSL certificates and there’s no reason to use anything lower that 2048 encryption and you must also disable weak cipher and other stuff before your SSL is correctly set up. Check your configuartion against for instance on Qualsys SSL Labs.
Also make sure that all communications are secured within your network.

Brute force and dictionary attacks.

I’ve written loads and loads on this earlier so I won’t linger on it. A brute force or dictionary attack is basically someone trying to get access to your server by guessing the username and correct password using a large list of common passwords or a dictionary and simply trying them one by one (well, thousands at a time really since its’s automated).

To protect your servers and user you need to have a intrusion prevention system in place. For Windows Servers I recommend using Syspeace (and you can also use Sysepace for protecting web applications you’ve protected through the Syspeace API) and on Linux servers I’d have a look at fail2ban. You should also use and enforce complex passwords.

Anything that comes with a default password for logins (routers, switches, printers and so on) should have the password changed from default!
These are always sensitive to brute force attacks and there are sites on web listing thousandfs of default passwords out there

You should also have a very strict policy to immediately block an employees account as soon as they’re no longer with the company and you should be very careful with what user rights you grant your users since they can easily be misused.
You should also have software in place for managing mobile phones and other devices that your employees have and the ability to wipe them clean if they get stolen or if you suspect internal mischief from an employee.

On site data theft and social engineering.

Well. In a sense , it’s not hacking but it’s more fooling people. Not the initial part anyway.
Basically someone turns up, claiming to be from the phone company, a cleaning company, your IT support company or anything that makes sense and they want access to the data center, server room to “fix” something. This is also referred to as social engineering. First the hacker finds out as much as possible about the company they’re attacking and then use that information to gain access to workstations or servers within the company,

Once they’ve actually gained access, they’ve got USB sticks to insert into workstations or servers , either loading a software into them such as trojans or keyloggers or just something that elevates rights or maybe they’re simply after just copying the data.
It all depends on how much time they have and if they’re alone. In some scenarios it might even just be a trick for them to gain access to backup tapes since all the companys data is on them .
They could also bribe janitors, cleaning staff and so on to steal backup tapes for them since they far too often will have access to the datcenters and they’re
not that highly paid.

There are a lot of tools that can simply put on a USB stick, boot up the server and you can reset administrator passwords, overwrite systemfiles (or plant a trojan or destroy them to render the server unbootable) , steal data and so on and a lot of them are surprisingly user friendly like for instance Hiren’s BootCD

A variation of this is of course people phoning someone up, claiming to be from the IT departement or Microsoft or somewhere, wanting to “help you” with a problem and asking for remote access to your computer. Once they gain access, they’ll do same things. Plant a trojan or a virus or a keylogger and the basically own the computer.

To protect your company data please always make sure you know who and why people are on site, never have anyone come near servers without supervision or the users workstations and if possible, disable any USB ports and always use password protected screen savers.

Every device on your network must also have a good antivirus running in case someone still manages to put an infected USB stick into the workstation.
Also make sure you talk the users about the hazards of giving anyone access to their computer.

If you suspect you’ve been hacked. What to do. Contingency planning

First of all, try to verify that you have been hacked and also try to find out when. In some cases you’ll have to revert to backups taken BEFORE you we’re hacked to be sure that you don’t restore a root kit or something.
This also means your backup plans and DRP plans need to take these scenarios into account so don’t be cheap with the number of generations you actually save.
You might need something from 6 months ago.

Try to find out what happened, when it happened, how it happened and have it fixed before you allow access to the server again. There’s no sense in setting the same flawed server up again. It will only be hacked again,

Don’t be afraid to make it a matter for the police. They need to know about it and they want log files and any documentation you may have.

When you get the server up and running again (or preferably before you’ve been hacked) make sure to have monitoring set up for the server. If it’s a website for instance, you want to be alerted if anything changes on in the html code for website for instance, or if the site is responding slowly (this doesn’t have to mean you’ve been attacked but could point to other problems also such as disk problems, misconfigured server settings or ..well..anything really. In any case you want to look into it.)

So , these were only a few methods and there a loads and loads more of them .

I’ve written a few other blog articles on securing servers, data centers and on brute force prevention and here’s a few links to previous articles. Most of are copied from older blogs and I do admit I haven’t nor proofread them nor formatted them for this site yet. I will. Eventually.

Articles by Juha Jurvanen on securing your server environments

Securing server environments – Part I – Physical aspects

Securing server environments – part II – Networking

Securing your Windows servers and MSExchange with an acceptable baseline security | Syspeace – Brute force and dictionary attack prevention for Windows servers

Windows Server intrusion prevention for Cloud providers and hosting providers

Should you need consulting or ideas on these questions or on backup/restore or on building cloud services / migrating to cloud services ,
I’m reachable by clicking the link below.

Juha Jurvanen – Senior IT consultant at JufCorp”>By Juha Jurvanen – Senior IT consultant at JufCorp