Archives for small business server

Syspeace report – Exchange Server attacked over 400 times in a few hours

Consultant in backup, IT security, cloud services and infrastructure

Making a server reachable over the Internet, whatever it does, will automatically turn it into a target for various kinds of intrusion attempts.
There are many different kinds of intrusion attempts, with different purposes. Some attacks aim, one way or another, to take control of hardware such as CPU, RAM and disk for use in other attacks. Others aim to steal data, and some simply try to use, for example, a mail server for so-called relaying, i.e. sending SPAM or other mail through someone else's mail server so as not to risk getting their own IP address blacklisted. Here is an earlier article I wrote about different types of hacking attacks. Note: in English.

The list below is a good example of exactly such an attack; it happened yesterday and is an automatically generated Syspeace report that is emailed to the system administrator.
Each line in the report is an IP address that tried to use my mail server to send out SPAM.
All attacks were, however, blocked automatically by Syspeace.
Note in particular the hours between 08 and 12 further down, in the summary of attacks per hour.

Report for 2015-05-12


Hourly breakdown (blocks per hour)
00 x4
01
02 x2
03 x1
04 x2
05 x1
06
07 x1
08 x69
09 x64
10 x13
11 x252
12 x4
13 x1
14 x2
15
16 x2
17 x3
18
19
20 x2
21 x4
22
23

Generated 2015-05-13 00:04:01 for machine europa.jufcorp.com by Syspeace v2.5.2.0

For more information about how you can protect your servers from dictionary attacks, contact me here.

How to battle slowgrind #bruteforce attacks against #msexchange #windows server #remotedesktop #sharepoint with #Syspeace

Syspeace automatically blocks attacks that match its rules.
The default rule is that if an intruder fails to log in more than 5 times within 30 minutes, the intruder's IP address is blocked, tracked and reported for 2 hours and is simply denied any access to the server.

A new trend has emerged, though: brute-force attackers “slowgrind” through servers, trying to stay “under the radar” of IDS/IPS and HIPS/HIDS products such as Syspeace.
They've got thousands and thousands of computers at their disposal, so they basically just try a few times at each server and then move on to the next one in the IP range or geographical location, hoping not to trigger any alarms or countermeasures in place.

An easy way to battle this is simply to change the default rule in Syspeace from a time window of 30 minutes to, for example, 5 days.

This way, I'm pretty sure you'll see that quite a few attackers who only tried two or three times a couple of days ago are back again, still only trying a few times each.

With the “5 day” window, you'll catch and block those attacks too.

Here's a brilliant example of an attack blocked using a 4-day window.

Blocked address 121.31.114.99() [China] 2014-08-11 15:06:00
Rule used (Winlogon):
        Name:                   Catch All Login
        Trigger window:         4.00:30:00
        Occurrences:            5
        Lockout time:           02:00:00
        Previous observations of this IP address:
        2014-08-11 13:05:51     aksabadministrator
        2014-08-10 22:06:48     aksabadministrator
        2014-08-10 06:39:12     aksabadministrator
        2014-08-09 15:39:52     aksabadministrator
        2014-08-09 00:32:05     aksabadministrator
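The rule mechanics above, as an added example (not Syspeace's own code): a sliding-window failed-logon detector replayed over the six timestamps from the blocked-address report. It assumes a block fires when the failures inside the trigger window exceed `occurrences` (the default rule's “more than 5 times within 30 minutes”), reads the window and lockout in the report's TimeSpan notation (“4.00:30:00” = 4 days, 30 minutes), and uses a constructed whitelist range; the 30-minute default never fires on this sequence, while the 4-day window does.

```python
# Added example, not Syspeace code. Assumed semantics: a block is raised when the
# failed logons from one address inside the trigger window number MORE THAN
# `occurrences`, following the wording of the default rule in the post.
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress
import re

# .NET-style TimeSpan as printed in the block report: "d.hh:mm:ss" or "hh:mm:ss"
TIMESPAN_RE = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_timespan(text: str) -> timedelta:
    """Parse '4.00:30:00' (4 days, 30 min) or '02:00:00' (2 hours)."""
    m = TIMESPAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timespan: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


@dataclass
class Rule:
    name: str
    trigger_window: timedelta
    occurrences: int
    lockout_time: timedelta


@dataclass
class Detector:
    rule: Rule
    whitelist: list                                    # ip_network objects never blocked
    history: dict = field(default_factory=dict)        # ip -> deque of failure times
    blocked_until: dict = field(default_factory=dict)  # ip -> end of lockout

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def observe_failure(self, ip: str, when: datetime) -> bool:
        """Record one failed logon; return True if this failure triggers a block."""
        if self.is_whitelisted(ip):
            return False
        q = self.history.setdefault(ip, deque())
        q.append(when)
        cutoff = when - self.rule.trigger_window
        while q and q[0] < cutoff:          # forget failures that fell out of the window
            q.popleft()
        if len(q) > self.rule.occurrences:
            self.blocked_until[ip] = when + self.rule.lockout_time
            return True
        return False

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.blocked_until.get(ip)
        return until is not None and now < until


# The five "previous observations" plus the block time from the report above.
OBSERVATIONS = [
    datetime(2014, 8, 9, 0, 32, 5), datetime(2014, 8, 9, 15, 39, 52),
    datetime(2014, 8, 10, 6, 39, 12), datetime(2014, 8, 10, 22, 6, 48),
    datetime(2014, 8, 11, 13, 5, 51), datetime(2014, 8, 11, 15, 6, 0),
]
ATTACKER = "121.31.114.99"   # the address in the report above


def replay(window: str, occurrences: int = 5, whitelist=()):
    """Replay OBSERVATIONS under a rule with the given trigger window.

    Returns (detector, time of the block or None). The whitelist argument takes
    CIDR strings (constructed sample values in the tests, not from the report).
    """
    rule = Rule("Catch All Login", parse_timespan(window), occurrences,
                parse_timespan("02:00:00"))
    det = Detector(rule, [ipaddress.ip_network(n) for n in whitelist])
    for when in OBSERVATIONS:
        if det.observe_failure(ATTACKER, when):
            return det, when
    return det, None


if __name__ == "__main__":
    # Default 30-minute window: the slow grind never accumulates six failures.
    print("30 min window ->", replay("00:30:00")[1])        # None
    # The 4-day window from the report catches it on the sixth failure.
    print("4 day window  ->", replay("4.00:30:00")[1])      # 2014-08-11 15:06:00
```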

Syspeace has blocked more than 3 285 300 intrusion attempts against Windows Servers worldwide so far.

Syspeace - intrusion prevention for Windows servers

Syspeace website

#infosec Is there a need for intrusion prevention for Windows Servers like #Syspeace?


What is a brute force attack or dictionary attack really and how would Syspeace help?

Essentially, it is someone trying to guess the right combination of username and password to gain access to your servers, for example a Microsoft Exchange Server and its OWA (Outlook Web Access), Terminal Server/RDS (Remote Desktop Server), Sharepoint, SQL Server, Citrix and so on.

The attacker uses automated software to guess the right combination in order to log in and steal data or elevate their rights. One attack can result in thousands of login attempts; it can go on for hours or days, and it is a heavy load for the server to handle in terms of CPU, RAM, network traffic and so on.
Each login request has to be validated and checked to see whether or not it is legitimate.

A real-world comparison for a brute force attack would be this (an excerpt from the Syspeace website):

Imagine that your company has a physical facility. If someone repeatedly tries to gain access with a fake key or an invalid key card, you would expect your security guards to notice and not let the intruder through.

Isn't there built-in protection in Windows Server against these attacks?

In short: no.
The only built-in mechanisms in Windows Server are basically the ability to enforce strong passwords and to enable account lockout.

Enforcing strong passwords is a good thing, even if you're running intrusion prevention software for Windows like Syspeace.
If you have easy-to-guess passwords, it won't really matter what protection you're running, since if a login is valid, no software would block it anyway. A valid username and password is always a valid login. So, please ensure you require users to use strong and complex passwords, and let Syspeace capture the attack.

The second method, i.e. account lockout, might actually do you more harm than good, and here's why.
The system you're protecting is, for instance, an Exchange Server or an RDS server, and it is probably facing the Internet to provide service for your users or customers. Figuring out a username doesn't have to be that complicated for an attacker. They'll first try to understand the email naming convention, scavenge the Internet for metadata, and then simply start trying to log in using the email address as the username (since this is quite often a valid login name) and guess the password.

If you've enabled the Account Lockout Policy, the affected user accounts will be constantly locked, since the attacker will automate the attack and try thousands of times for each user they know exists in the system.

If you've been hit with an attack from just a single IP address, you'd probably just block it in the Windows Firewall (or the external firewall), unlock the affected user accounts and that's it. Hopefully you'd also report it.

Now, what if the attack is actually carried out from hundreds or thousands of computers at the same time? Blocking them manually isn't really an option, is it?
One simple and quick solution is to download the fully functional trial of Syspeace, install it and have Syspeace block, track and report the attack.

How can Syspeace help as intrusion prevention for Windows Servers, and how do I set it up?

The idea behind Syspeace is ease of use, independence from other software and appliances, and not forcing a change to your network or infrastructure.

Some systems require you to change your entire infrastructure and put, for instance, a high-performance proxy appliance or server in front of the network. Other systems are bundled with antivirus and other products, requiring you to use consultants and experts to get them running.

Syspeace is simply installed on the servers you want to protect. The installation process takes about 4-5 minutes at most, and that's it. You're done. The server is protected against brute force attacks. Out of the box.
The Syspeace GUI is easy to understand and easy to manage. You don't have to be a security expert to manage Syspeace.

If you want to move a Syspeace license from one server to another, that's also easily done thanks to the floating licensing model within Syspeace. The length of the license can also vary, so you're not forced into buying a 1-year license if you don't want to. You can get a license for 1 month or 3 months, whatever suits your needs.

The pricing of Syspeace is more or less equivalent to an antivirus, and it is per-server licensing, so it's not based on the number of users you're servicing. 1 license, 1 server. That's it.

These are some of the features included in Syspeace:

Secure login attempts on Windows server
The Windows server is secured by watching the result of the logon process. If multiple logon attempts fail, action can be taken. This works on Windows Server 2003 and later, and it also automatically protects Remote Desktop Services, Sharepoint, Exchange OWA, Citrix and basically anything that renders an event ID of 4635 or event ID 529 (we monitor more events as well).

Secure login to Exchange Server SMTP connectors
The Exchange server is usually exposed by the OWA web site that is a part of Exchange. Syspeace not only protects the OWA but also logon attempts made by connectors.

Secure login to SQL Server
Many SQL Server installations expose a logon possibility, either through AD integration or through SQL Authentication. Syspeace protects both methods.

Multiple customizable rules
Syspeace can be tailored to fit your specific needs by customizing the rule-base. The rules are executed in real-time on all successful and unsuccessful logon attempts and appropriate measures are taken.

Send mail when a block is done
Whenever a block (rule) is entered in the firewall, you have the option to be notified by mail.

Send daily mail with aggregated intrusion information both as plain text and attached CSV file
Each day, there is a summary created that you can have mailed to you or the people that you see will benefit from it.

Send weekly mail with aggregated intrusion information both as plain text and attached CSV file
If the daily summary is too granular, a weekly summary is also available in the same way.

Uses local whitelist
Some computers should never be blocked in your environment. These computers can be listed in a local Whitelist so that Syspeace will never block these IP addresses.

Uses local blacklist
The local blacklist is an opportunity to force a block on a specific set of computers that you never want connecting to your server.

Uses global blacklist
Syspeace comes with a Global Blacklist. This list is maintained by Syspeace central servers and distributed once a day to your Syspeace installation. The Global Blacklist contains computers that have tried to break the security on many other sites that run Syspeace.

Searchable log of login/intrusion attempts
Syspeace can present information about who is attacking you and when it happened in a very easy way. The data is searchable, aggregated and presented in a matter of a few simple clicks.

View information on why a block was made
A block may be initiated from many different sources. Information about the origin is stored together with the block, so it is always possible to trace a block back.

Access report to quickly find related information in the attempt log
The Access report takes the reporting to a new level. Here, it is possible to further aggregate and investigate what happens to your server.

Updates are free and new features are included. We've also released the ability to write your own Syspeace Detectors through the Syspeace API, to protect for instance a web application or to write a special detector for your Windows applications.

Who should use Syspeace, then?

Syspeace isn't targeted at any special type of environment or company; we believe Syspeace is a natural part of any server administrator's toolbox, regardless of whether you're a Cloud Service Provider, manage your own servers, or are an outsourcing or hosting company, and regardless of whether the servers are physical or virtual.
Syspeace can help in any scenario, so the short answer is: any system administrator managing a Windows Server from Windows Server 2003 onwards.

It is not a “silver bullet” for security but a piece of the security puzzle that we believe you'll need to ensure the protection of your users or customers, and it easily solves a problem that no one has really been able to handle before.

If you're up for reading more about intrusion prevention for Windows Servers, please have a look at the earlier articles written here on this blog, or simply go to the Syspeace website for more information and to download a trial.


Block intrusion attempts against #windowsserver with Syspeace

http://www.syspeace.com/syspeace-protection/

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange


Is your VPS used for brute force attacks?

or I could also have called this post “Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power in the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance of servers and have someone else take care of it. This is also known as Infrastructure as a Service, or IaaS.

The problem, though, is often that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you've basically done is get rid of the hardware hassle, but you still have to take care of Windows patching and manage security issues as with any Windows server (or Linux server, for that matter).

There aren't that many Cloud services out there that will actually also manage the security and management aspects of your VPS, and you really need to think these things through.

The reason for this post is that for some time now, a VPS located at a Swedish Cloud Service Provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted against RDP / Terminal Servers, Exchange Servers and Sharepoint Servers in this case, have been blocked, traced and reported automatically, but the big question is whether whoever owns or hires this VPS is actually even aware of what is going on, or whether it was hired especially for this purpose. This is actually impossible to know.

In this specific case, this VPS has been going on and on for a while, and it has targeted at least 5 different customers of mine with Syspeace installed and at least about 12 servers.
All attacks have been successfully blocked, tracked and reported, and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and be propagated to all other Syspeace installations around the world, where it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn't know what's going on, since it's not really their responsibility. Maybe the user / customer hiring the VPS does this on purpose, or they have no idea that the VPS has been compromised and is being used for this hacking activity. I just don't know. All I know is that it has been conducting a lot of dictionary attacks lately.

What I'm driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it like any other server.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct, and you need to monitor activity on it.

You should also ask your Cloud Service Provider for intrusion prevention from Syspeace, since you basically have no idea what all the other customers' VPSes in your shared network are really doing, as you have no control over them.

Most Cloud Service Providers could implement Syspeace in their various application portals or have Syspeace installed in the prepared images for their customers. If your provider hasn't implemented Syspeace yet, you can simply download it yourself from http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/

Your “neighbors” at the Cloud Service could be trying to brute force their way into your VPS, and you probably wouldn't have a clue if you haven't turned on logging and installed brute force prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

#Infosec When and where is Syspeace useful for intrusion prevention?

In what scenarios is Syspeace useful for preventing brute force attacks? Do I need it if I've only got a Windows workstation?


Syspeace is intrusion prevention software mainly targeted at Windows Servers: SBS Server, RDS/TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Citrix and so on, but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace, these conditions need to be met:

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of port forwarding in your external firewall to your server / workstation. If you are, for instance, on a standard broadband connection and you haven't changed the default rules in your broadband modem, your workstation is probably not reachable from the Internet, making a Syspeace installation quite unnecessary and a waste of RAM and CPU for you (minimal, of course, but still). There is no need to have software installed in any computer environment that doesn't actually do anything for you. It's a waste of resources.

3. The same goes for servers, although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks, since Syspeace works just as efficiently whether the attack is external or internal. It will even block a workstation trying to connect to network shares via the command prompt using the “net use * \\servername\sharename” command. Have a look at this entry for instance: http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have, for instance, your own hosted WordPress blog that is reachable from the Internet. Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress blogs.

5. In server environments you might have Syspeace installed not only for intrusion prevention but also to get good reporting on user login activity, which can be viewed and exported in the Access Reports section.

6. If you're using mainly Cloud Services or a managed VPS, the intrusion prevention should be handled by your Cloud Service Provider. Here's an older blog post on how to verify how your provider handles hacking attacks: http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30-day trial for download at http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/ .
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installation is small, quick and very easy to set up. You're up & running in 5 minutes, and there's no need to change your current infrastructure, invest in specific and usually expensive hardware, or hire external consultants.

By Juha Jurvanen @ JufCorp

Using Syspeace also for internal protection and access reporting.

Using Syspeace for internal server protection

Most Syspeace users have the software in place to protect them mainly from external threats from the Internet, such as hacking attempts via brute force and dictionary attacks.

Quite often, the internal network ranges are excluded in the local whitelist by sysadmins, so nothing from those IP addresses or network ranges is ever blocked.

Some of our customers, though, have also discovered Syspeace to be an excellent tool for keeping track of failed internal logins, and those might actually be important to keep track of.

If you're not keeping track of internal failed login attempts, it might be hard to spot, for instance, a virus/trojan-infected PC on your network that tries to log in to every PC and server available, or a user trying to access servers or assets they're not supposed to. With Syspeace, the attack is automatically blocked and reported, and the sysadmin is alerted that something's going on.

There can be downsides to not excluding internal IP ranges, since there is a risk of, for instance, blocking one server from communicating with another, but if you're vigilant and think these things through, it's mostly an administrative task to remember that you've got Syspeace when you've changed an administrator's password or the like.

Creating reports on user logins

Another great feature of Syspeace is the reporting section, which enables sysadmins to create reports and statistics about user logins, such as when, from where and even how often from that location they've actually been logged in.

For instance, if a user claims to have been working from home in July, it’s quite easy for a sysadmin to actually verify this using the Access Reports section to create .csv files with statistics.
Now, if the IP address for instance originates from Spain and your company is located only in Sweden…

If you’re using a Windows Server-based Cloud Service for instance, it might be difficult for you to get hold of such information, even if you ask for it.

However, if your Cloud Service provider is running Syspeace to protect you and other customers, it's a walk in the park for the provider to get you that information if you need it for some reason.

Syspeace stores failed and successful logins in a local database, so even if the Windows security event log is cleared, the information can still be obtained from Syspeace.

Download a free, fully functional trial at http://www.syspeace.com and have your Windows, Citrix, RDS, Sharepoint, Exchange, OWA, RDWEB, SQL servers and more instantly protected from hacking attempts.

By Juha Jurvanen


The brand new Syspeace website – now also with worldwide hacking statistics

Finally, the new website is up!

We launched our new website a few weeks back, and some of what's new, apart from a better design and easier navigation, is that we've also included a security status page displaying statistics based on Syspeace installations that report each hacker attack around the world.

Have a look for yourself at http://www.syspeace.com/security-center/security-status/ . You might find something interesting in there.

The statistics are divided into two columns: the originating country of the attack and the country from where the Syspeace installation reported the attack.

The statistics displayed cover the last 30 days of hacking attacks, and so far Syspeace has blocked more than 1.4 million brute force and dictionary attacks against Windows servers worldwide!

While you're at the website, download a free, fully functional trial to protect your Windows servers, Exchange servers, Terminal / Remote Desktop Services servers, Citrix servers, Sharepoint servers, SQL servers and more from brute force and dictionary attacks.

Syspeace supports Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and the Windows Server Small Business editions.

By Juha Jurvanen

A weekly Syspeace email bruteforce attack report from last week

Here is an example of a real brute force attack report that is emailed weekly, to show you what is actually going on all the time against your Windows servers.
This is a live report from a live server, and the report was generated last night.

Report for week 2013-04-29 – 2013-05-05

— All Week ——


Hourly breakdown (blocks per hour; hours not listed had none): 00 x5, 02 x4, 03 x5, 04 x1, 05 x3, 06 x4, 07 x4, 08 x9, 09 x4, 10 x5, 11 x16, 12 x8, 13 x12, 14 x11, 15 x8, 16 x11, 17 x5, 18 x11, 19 x7, 20 x5, 21 x10, 22 x2, 23 x4

– 2013-04-29 —

Hourly breakdown (blocks per hour; hours not listed had none): 00 x2, 02 x1, 03 x1, 11 x1, 12 x1, 16 x1, 18 x1, 21 x2

– 2013-04-30 —

Hourly breakdown (blocks per hour; hours not listed had none): 02 x1, 03 x1, 04 x1, 08 x2, 13 x1, 14 x1, 15 x1, 16 x1, 23 x1

– 2013-05-01 —

Hourly breakdown (blocks per hour; hours not listed had none): 11 x2, 12 x1, 14 x1, 16 x1, 18 x1, 19 x2

– 2013-05-02 —

Hourly breakdown (blocks per hour; hours not listed had none): 05 x1, 11 x2, 12 x2, 13 x1, 14 x1, 16 x1, 19 x2, 20 x2, 21 x1, 23 x2

– 2013-05-03 —

Hourly breakdown (blocks per hour; hours not listed had none): 01 x1, 09 x1, 11 x2, 13 x1, 14 x1, 15 x2, 16 x1, 17 x1, 18 x1, 22 x1, 23 x1

– 2013-05-04 —

Hourly breakdown (blocks per hour; hours not listed had none): 00 x3, 06 x1, 07 x2, 08 x2, 09 x2, 10 x1, 11 x4, 12 x2, 13 x5, 14 x4, 15 x4, 16 x6, 17 x2, 18 x6, 19 x2, 20 x1, 21 x3, 22 x1

– 2013-05-05 —

Hourly breakdown (blocks per hour; hours not listed had none): 00 x2, 02 x2, 03 x3, 05 x3, 06 x3, 07 x2, 08 x5, 09 x1, 10 x4, 11 x5, 12 x2, 13 x4, 14 x3, 15 x1, 17 x2, 18 x2, 19 x1, 20 x2, 21 x4

Generated 2013-05-06 00:04:14 for machine ****.*****.*** by Syspeace v2.1.0.0
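For anyone who wants to process these reports rather than just read them, here is an added Python example (not Syspeace’s own code and not part of the original post) that parses the report layout used above (one "IP address, times, host name; country (code)" line per blocked address, followed by the "HH xN" hourly breakdown) into records, sums blocks per country, finds the busiest hour, and checks that the per-address counts add up to the hourly counts. The sample report text is constructed and uses documentation addresses only.

```python
import re
from collections import Counter

# Constructed sample in Syspeace report layout: 192.0.2.0/24 documentation addresses, made-up counts.
SAMPLE_REPORT = """IP address Times Host name and country
192.0.2.10 3 ; Vietnam (VN)
192.0.2.20 2 mail.example.net; India (IN)
192.0.2.30 1 ; Iran, Islamic Republic of (IR)

Hourly breakdown (blocks per hour)
00 x1
01
08 x3
09 x2
"""

# "<ip> <times> <host or empty>; <country> (<cc>)"
ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(.*?);\s*(.*)\s\((\w{2}|--)\)$")
# "HH" alone (no blocks) or "HH xN", whether one per line or comma-separated
HOUR_RE = re.compile(r"(?<![\d.x])(\d{2})(?:\s+x(\d+))?(?![\d.])")

def parse_report(text):
    """Return (entries, hourly): per-address dicts and a 24-slot {hour: blocks}."""
    entries, hourly, in_hourly = [], {h: 0 for h in range(24)}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Hourly breakdown"):
            in_hourly = True            # the HH xN lines follow this header
        elif not line:
            in_hourly = False           # a blank line ends the hourly section
        elif in_hourly:
            for hour, n in HOUR_RE.findall(line):
                hourly[int(hour)] = int(n or 0)
        elif (m := ENTRY_RE.match(line)):
            ip, times, host, country, cc = m.groups()
            entries.append({"ip": ip, "times": int(times), "host": host or None,
                            "country": country, "cc": cc})
    return entries, hourly

def blocks_by_country(entries):
    """Total blocks per country code; .most_common() lists the most active first."""
    return sum((Counter({e["cc"]: e["times"]}) for e in entries), Counter())

def busiest_hour(hourly):
    """(hour, blocks) for the hour with the most blocks."""
    return max(hourly.items(), key=lambda kv: kv[1])

def totals_agree(entries, hourly):
    """Both tables count the same blocks, so their sums must match; a mismatch means a truncated report."""
    return sum(e["times"] for e in entries) == sum(hourly.values())
```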

Syspeace for protecting WordPress from brute force attacks?

A lot of the Google searches now are about the ongoing brute force attacks on WordPress installations.

Syspeace does not, at the moment anyway, support WordPress specifically but here’s an idea I just got.

A Google search on WordPress and Active Directory gave a link to a WordPress Active Directory plugin and that gave me an idea.

In all fairness, I haven’t actually tried this out, but the idea is that if you’ve integrated your WordPress with your Active Directory, an invalid login attempt should produce the correct login failure event for Syspeace to find, and Syspeace should therefore be able to stop the attack.

As I said, we haven’t tried it since we don’t have a WordPress installation up and running, but if anyone’s up for trying the theory, feel free to download the free Syspeace trial and test it.

If you’re up for it, drop us an email and let us know if it worked.

by Juha Jurvanen