Syspeace 2.5.0 released

Syspeace 2.5.0 introduces the new Detector Provider API for developing “detectors” that plug into Syspeace and can listen for login attempts in additional places. For more information, see the Syspeace Detector SDK.

Alongside Syspeace 2.5.0, the Syspeace reseller model has been improved for both customers and resellers.

Syspeace 2.5.0 also includes new functionality to export and import settings to cut down on configuration time and the ability to put Syspeace in a “dry run” mode by temporarily disabling blocking (useful for diagnostics or what-if scenarios).

Syspeace introduces improved reseller model

With the new reseller model, customers are free to buy licenses from the reseller of their choice, or directly from Syspeace. Customers no longer have to pick a reseller at the time of registration and are free to choose a reseller in their own time. Customers can also buy licenses from different resellers at any time or even have licenses from different resellers active simultaneously.

Resellers are also better served. Every reseller gets access to a discounted version of the same price ladder that provides progressively improving rates with volume for every Syspeace customer. New resellers can enroll directly with Syspeace and do not have to partner with a distribution agent.

For the first time, companies that manage or provide IT services to their clients can follow the same model and get the same benefits as resellers.
They may maintain separate client accounts and still get both the reseller rates and the progressively lower rates Syspeace has always offered.

The new reseller model goes into effect immediately. Existing reseller customers can continue using their licenses and may now also buy licenses from any reseller or directly from Syspeace. Customers do not have to update to the latest version of Syspeace.

We welcome our first new resellers, Italian reseller Web4People and UK reseller Hippo IT Management. They are joined by existing resellers JufCorp (serving the Swedish market) and TSYN (serving the Middle Eastern markets). For more information, see the Syspeace Reseller site. More new resellers will be introduced in the coming weeks.

Documents describing how to become a reseller are available on the Syspeace Reseller site.

Would #Syspeace help against #Heartbleed #OpenSSL bug?

In short, no.

Syspeace monitors failed logins on #msexchange #WinServ #sharepoint #remotedesktop #Citrix and evaluates whether or not it is a brute force attack against the system. Syspeace has blocked over 2.6 million brute force attacks against #windowsserver around the world so far.

However, if an attacker has gained access to passwords and usernames, he or she will use those and be able to log in. From the system’s point of view it is a fully legitimate login, and so it does not trigger #Syspeace.

In the coming days, #sysadmins around the world will be upgrading their systems to the secured OpenSSL, but for you as an end user it is highly recommended to change all of your passwords.
Remember to use strong passwords and never use the same password on different sites.

Here’s a blogpost that might be of use for you to remember complex online passwords.

By Juha Jurvanen @ JufCorp
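
The point made in the post above, that a rule counting failed logins cannot see a login made with valid stolen credentials, shown as an added example (not Syspeace's code and not part of the original post). It runs a generic sliding-window rule over constructed events; the threshold of 5 failures in 30 minutes, the event fields and the addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (time, source IP, account, outcome); not real log data.
EVENTS = [
    ("2014-04-10 09:00:01", "203.0.113.7", "administrator", "fail"),
    ("2014-04-10 09:00:03", "203.0.113.7", "admin", "fail"),
    ("2014-04-10 09:00:05", "203.0.113.7", "backup", "fail"),
    ("2014-04-10 09:00:08", "203.0.113.7", "test", "fail"),
    ("2014-04-10 09:00:11", "203.0.113.7", "sql", "fail"),
    ("2014-04-10 09:05:00", "192.0.2.50", "anna", "fail"),        # user mistypes once
    ("2014-04-10 09:05:20", "192.0.2.50", "anna", "success"),
    ("2014-04-10 11:30:00", "198.51.100.23", "anna", "success"),  # leaked password, first try
]

def detect_bruteforce(events, max_failures=5, window=timedelta(minutes=30)):
    """Return {ip: time the rule fired} for sources with max_failures failures inside window."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    blocked = {}
    for ts, ip, _user, outcome in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip in blocked or outcome != "fail":
            continue              # a successful login never counts towards the rule
        failures = recent[ip]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()    # forget failures that fell out of the window
        if len(failures) >= max_failures:
            blocked[ip] = when
    return blocked

def unflagged_successes(events, blocked):
    """Successful logins from sources the failed-login rule never flagged."""
    return [(ts, ip, user) for ts, ip, user, outcome in events
            if outcome == "success" and ip not in blocked]

if __name__ == "__main__":
    blocked = detect_bruteforce(EVENTS)
    for ip, when in blocked.items():
        print(f"block {ip}: threshold reached at {when}")
    for ts, ip, user in unflagged_successes(EVENTS, blocked):
        print(f"not flagged: {user} logged in from {ip} at {ts}")
```

The login from 198.51.100.23 is indistinguishable, to this rule, from the legitimate one at 192.0.2.50, which is why changing passwords after a credential leak is the remedy rather than brute force blocking.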

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange

Is your VPS used for brute force attacks?

Or I could also have called this post “Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power in the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance for servers and have someone else take care of it. This is also known as Infrastructure as a Service, or IaaS.

The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is simply get rid of the hardware hassle, but you still have to take care of the Windows patching and manage security issues as with any Windows server (or Linux for that matter).

There aren’t that many Cloud services out there that will actually also manage the security and management aspects of your VPS, and you really need to think these things through.

The reason for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted against RDP / Terminal Servers, Exchange Server and Sharepoint Servers in this case, have been blocked, traced and reported automatically, but the big question is whether whoever owns/hires this VPS is actually even aware of what is going on? Or if it’s hired especially for this purpose? This is actually impossible to know.

In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been successfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hiring the VPS does this on purpose or they have no idea that the VPS has been compromised and is used for this hacking activity. I just don’t know. All I know is that it has been conducting a lot of dictionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace, since you basically have no idea what all of the other customers’ VPSs are really doing in your shared network and you have no control over them.

Most Cloud Service Providers could implement Syspeace in their various application portals or have Syspeace installed in their prepared images for customers. If your provider hasn’t implemented Syspeace yet, you can simply download it yourself from /free-download/download-plus-getting-started-with-syspeace/

Your “neighbors” at the Cloud Service could be trying to brute force their way into your VPS and you probably wouldn’t have a clue if you haven’t turned on logging and installed brute force prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think about all of the things in the list below.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

Securing Windows Servers with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java, Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.

3. Verify you have thought through your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful and crucial tool to secure your server.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happening, you can’t really react to it, can you? It also makes any troubleshooting hopeless in retrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. Use Group Policies. It’s an extremely powerful tool once you start using it and it will make your day to day operations much easier.

10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive and any communications should be encrypted and secured as far as we’re able. Yes, think Mr. Snowden. Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry and, for the unused network protocols, you basically fill your local network with useless chatter that consumes bandwidth. This also goes for workstations and printers and so on.

12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering the passwords they have all over the world, maybe you could have them read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and, on the topic of online passwords and identities, also http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster recovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . If you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a powerful and easy to use brute force protection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

#Infosec When and where is Syspeace useful for intrusion prevention ?

In what scenarios is Syspeace useful for preventing brute force attacks? Do I need it if I’ve only got a Windows workstation?

Syspeace is an intrusion prevention software mainly targeted for Windows Servers, SBS Server, RDS TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Sharepoint, Citrix and so on but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace these conditions need to be met

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of port forwarding in your external firewall to your server / workstation. If you are for instance on a standard broadband connection and you haven’t done anything with the default rules in your broadband modem, your workstation is probably not reachable from the Internet, thus making a Syspeace installation quite unnecessary and a waste of RAM and CPU for you, minimal of course but still. There is no need to have software installed in any computer environment that actually doesn’t do anything for you. It’s a waste of resources.

3. The same goes for servers, although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks, since Syspeace works just as efficiently whether the attack is external or internal. It will even block a workstation trying to connect to network shares via the command prompt using the “net use * \\servername\sharename” command. Have a look at this entry for instance http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have for instance your own hosted WordPress blog that is reachable from the Internet. Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress blogs.

5. In server environments you might have Syspeace installed not only for intrusion prevention but also to have good reporting on various user login activity that can be viewed and exported in the Access Reports section.

6. If you’re using mainly Cloud Services or a managed VPS, the intrusion prevention should be handled by your Cloud Service Provider. Here’s an older blog post on how to verify how your provider handles hacking attacks: http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30 day trial for download at /free-download/download-plus-getting-started-with-syspeace/.
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installation is small, quick and very easy to set up. You’re up & running in 5 minutes and there’s no need to change your current infrastructure, invest in specific and usually expensive hardware or hire external consultants.

By Juha Jurvanen @ JufCorp

IIS FTP and FileZilla Server detectors ready for beta testers

The IIS FTP detector and FileZilla Server detectors are the first of our detectors developed and released using our Syspeace Detector Provider APIs. With these detectors installed, Syspeace can react to failed and successful login attempts from the IIS FTP server (for IIS 7.0 and above) and the FileZilla FTP/SFTP Server.

If you have an IIS FTP server or FileZilla Server and are interested in beta testing, contact us.

System requirements for the IIS FTP detector

  • Syspeace 2.5.2
  • IIS 7.0 and higher
  • Logging enabled

System requirements for the FileZilla FTP/SFTP Server detector

  • Syspeace 2.5.2
  • FileZilla Server 0.9.0 or higher
  • Logging enabled

Syspeace 2.4.1 released

Syspeace 2.4.1 fixes an issue where IP addresses can be mixed up (the IP address is taken from another row) in tables in logs in the administrative interface. In addition, the interface for editing the local blacklist and whitelist has been improved to allow selecting and deleting multiple entries.

Syspeace 2.4.0 released

Syspeace 2.4.0 is now available and contains the successor to the “Attack control” panel – the new “Access log” panel – and quick actions like “Add to local blacklist” for IP addresses in many places across the user interface; both very common requests.

This release is an architectural release, paving the way for future features, optimizing many steps in the detection and blocking pipeline as well as minimizing the footprint of the local databases.