#infosec Do bruteforce attacks really exist ?

The other day I sat down and just looked at various statistics on how the visitors ended up here in terms of referrers and keyword searches and one of the terms was “do bruteforce attacks really exist ?”.

This made me smile.

Syspeace has so far blocked over 2.77 Million bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix and #SQLServer worldwide so I dare say they really do exist and they’re very common.

We’ve also published a 30 day list of the most commonly attacked and attacking countries as reported by Syspeace installations around the world. It might be interesting read for you and it can be found here, Syspeace worldwide security staus center.

One of the features of Syspeace is for instance the Syspeace Global Blacklist that is distributed automatically to all Syspeace installations.
If an attacker has been deemed to have attacked X number of different Syspeace customers and Y number of times, it will be automatically put in the GBL and distributed to all other Syspeace installations, making them preemtively blocking the attacking IP address from ANY communicating with their servers that have Syspeace installed.

Any #Cloud service provider or any #outsourcing or #service provider or also any IT techs at a company knows there are hundreds and thousands of intrusion attacks every month but historically these attacks, also called dictionar attacks , have been very hard to deal with so in essence, they’ve given up. Some providers or companies actually don’t even bother turning on logging on the servers, simply turning a blind eye to the actual problem. From an operational point of view, security point of view and from the customers point of view this is of course not acceptable.

There are some previous posts on why it’s been so difficult on this blog for instance this one, Why firewalls, vpns, account lockout policies  and other bruteforce prevention methods aren’t enough.

After we launched Syspeace , service providers, Cloud providers and companies have been given a new, cost efficient, easy to set up and easy to use countermeasure against hacking attempts.

No need to change your infrastructure, hire costly consultants and launch a big, costly project.
Simply download Syspeace trial , install it in a minute and your #remotedesktop #msexhange #Sharepoint #windowsserver is protected.
It couldn’t be easier and frankly, it should be the part of any #Windowsserver Baseline security just as you’ve got antivirus, backups, patch management in place.

Enable logging on your Windows server as described in the Syspeace manual and see for yourself if you’re targeted. You might be surprised.

By Juha Jurvanen – Senior IT Consultant @ JufCorp

image

Syspeace - intrusion prevention for Windows servers

Would #Syspeace help against #Heartbleed #OpenSSL bug ?

In short, no.

Syspeace monitors failed logins on  #msexchange #WinServ #sharepoint #remotedesktop #Citrix and evaluates if it is a bruteforce attack against the system or not. Syspeace has blocked over 2.6 Million bruteforce attacks against #windowsserver around the world so far.

However, if an attacker has gained access to passwords and usernames he or she will use those and be able to log in. From the systems point of view it is a fully legitimate login thus not awakening #Syspeace.

The nearest days, #sysadmins around the world will be upgrading their systems to the secured OpenSSL but for you as an enduser it is highly recommended to change all of your passwords .
Remember to use strong passwords and never use the same password on different sites.

Here’s a blogpost that might be of use for you to remember complex online passwords.

By Juha Jurvanen @ JufCorp

How to setup syspeace for rdp – intrusion prevention for Windows servers

This is actually just a post based on some of the search terms that have led to people finding this blog.

So,

how to setup syspeace for rdp

..
Actually , it might take you longer to read this blogentry than actualy set it up.

1. Go to the Syspeace website and download the software at /downloads.aspx

2. Read the requiremnets in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server SBS 2008 and so on . (We are currently working on the Windows Server 2012 validation and we have tested it successfully but in certain scenarios the source IP address isn’t displayed in the evenlog. This is a Windows Server issue)
.Net 4 (if not installed, it wil be installed for you )
1GB free disk, minimum 500M RAM.
Auditing
Auditing for failed login and successful log in switched on in local security policy or in the group policy for the domain. This will enable events in the event-log that Syspeace listens for.
Firewall
The built-in firewall in Windows must be up and running.

3. Install Syspeace which is quite straight forward

4. Start the GUI and type in a valid mailaddress to get your 30 day free trial license key emailed to you. This emai address is also going to be the account emai you need tp use when purchasing the license.

4. Paste the license number and the GUI will start.

5. By default, the Syspace service is NOT started.

6. Cllick teh Settings button and review the default rules (called the “Catcha all” rule” and alse set up messaging for blocked attacks (whom to alert, whom to emai license inforamtkion and so on )

7. Close the Settings section. Click the “START” butto and you’re done.

Now, your Windows server is instantly protected from brute force and dictionary attacks against youe Exchange Webmail OWA, Terminal Servers on RDP (terminal services, remote desktop services, remote app sessions) and the webinterface called RDWEB, your Sharepoint login , your Citrix server, winlogon services and even more.

There’s really not that much more to it.
Since the intrusion prevention for Syspeace monitor the Windows Server Evnetlog , it doens’t matter if you have set up RDP on other ports or if you are using a proxy. Sysoeace is a HIDS (Host Instrusion Protection System) thus eliminating the need for separate hardware, expensive consulans and redesigning you infrastructure.

Just sit back and start recieving resports and emails when an attack is blocked, tracked and reported.

Protecting your customers from brute force attacks in Cloud services or in an outsourcing company

 About brute force protection and Cloud Security and VPS (Virtual Private Servers) and outsourcing or hosted environments

Thoughts on cloud security by Juha Jurvanen @ JufCorp

If you are a Cloud Service provider or an outsourcing company and giving your customers access to various Windows services such as file access, Exchange, Exchange OWA,  Sharepoint, Citrix, RemoteApp and Terminal Server services or even VPS (Virtual Private Servers) , there are things you may want to consider.

Cloud security is often debated and it should be. There are pros and cons to each technical solution. Your customers rely on you to have your services reachable, virtually 24/7 and initially, they’ll be happy when that works.

Nowadays though , Cloud Computing has grown to be more accepted and with it a few questions are coming to life.

Your customers will eventually start asking you how you actually deal with various brute force attacks and dictionary attacks to protect their data. You will also , sooner or later, be faced with questions of reporting of these attacks and to be able to gather various reports of when and from where a specific user was logged in,

Remember that you customers have moved from an inhouse hosted environment where they had the ability to gather this intel themselves and they will be expecting to be able to get it from you. They also had the ability to use Syspeace to protect them but once they’ve shifted to your services, they have absolutely no idea of what security mechanisms you have in place for them and these questions will start to come around.

Historically, it’s been very difficult to handle these situations (feel free to read earlier post on this blog to see what I’m getting at for instance  http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/ and http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ) so many sysadmins have just more or less given up but when we’re moving to Cloud Services and Cloud Computing, people will expect that also these matters should be sorted. The issue is “why should we move our data to something we can’t even control or know how the security is set up or verify it easily ? ”

Sooner or later, the end users and customers will start testing how your response really is and verify if there are any mechanisms in place (sometimes out of curiosity and sometimes due to internal processes and audits).

Is their attacked account locked out ? For how long ? Is the attacking IP locked out ? Can you as a Cloud Service provider contact the user and let them know that someone tried to user their account from an IP address in China , although you know the customer has no business in China? Do you alert you customers about it ?

No, probably not and it’s easy to understand why.

Because all of this has required  a lot manual work so most service providers and outsourcing companies just don’t want to deal with the problem and tend to not talk about the actual problem, being basically, they have no idea on important stuff such as from where a login attempt was made, what username was used and how was it handled? Was it successful or a failed attempt and how many times did the attacker actually try ?

If you are a Cloud Computing Service provider I highly suggest you have a look at Syspeace to enable you to add this service for your customers and protect access to your Cloud services preemptively and actually have these things handled automatically, without increasing your workload but still tightening your security and to a very low cost.

If you’re a VPS provider, consider for instance having the Syspeace software pre installed in your images and let your customers know it’s there so they themselves can decide whether to use it or not. It’s not an extra cost for you but it does show your customers that you’re actually thinking about their security and that you’re thinking ahead.

So far, Syspeace has actually saved 4.3 M US$ in only a few months in costs for the manual workload associated with brute force attacks and dictionary attacks.

I believe that the service providers that start thinking about these things and take them seriously will have an advantage to those who don’t and quite a few will take having a system such as Syspeace in place for granted, as you would with antivirus.

Have a look at the Syspeace website and see for yourself how quickly and easily you can implement a brute force prevention system without the usual costs of appliances or costly consultants.

Syspeace saves time and money blocking brute force attempts. So far we’ve saved 4 292 968 US$

This is just a geeky, cost calculating experiment really. Nothing scientific or anything. Just a fun thought on how easy it is to calculate the ROI for the low cost of Syspeace licenses.

Yesterday evening we had a really interesting meeting with a future reseller so we thought we’d take a look at the actual numbers of blocked attacks.
Syspeace had blocked over +314 000 brute force attempts on Windows servers worldwide.

This morning I started thinking.

If each attack takes 15 minutes to manage manually with these steps
1. Find the IP address of the attacker in the event viewer, then block the attack (in the internal or external firewall)
2 Trace the origin (using traceroute, nslookup and whois) and log it somwhere
3. Decide if it’s worth following up and making ot a police matter

That would mean we’ve saved 314 000 * 15 minutes = 78 500 man hours of manual work around the world.

The US$ is about 6.8 Swedish Cronas today.

If each tech has a salary of 35 000 (approx. 5100 US$) per month (an average tekkie salary in Sweden)  the average hourly salary is 218 Swedish Krona (32 US$) .

For the employer , that number is about the salary time 1,7 (due to taxes and stuff ) so that would basically amount up to 371 Swedish Krona as a cost for the employer.

What we saved in manual labor with Syspeace would be 78 500 * 371 = 29 192 187 Swedish Cronas (or 4 292 968 US$) in actual cost savings bot most of all, we’ve made the life of the sysadmin easier and he can focus on other stuff than managing brute force attempts and let Syspeace do the work.

A lot of IT projects could do with an extra 78 500 man hours..

If you’re up for cutting costs and increasing security at the same time, have a look at the free trial download at the Syspeace website

A thought by Juha Jurvanen @ JufCorp
 

 

About Syspeace and it’s background

By Juha Jurvanen
Senior IT consultant in backup, IT security, server operations and cloud

Juha Jurvanen, Product Manager @ Syspeace CTO and Cloud Arctitect @ Red Cloud iT Independent consultant in backup, server operations, security and cloud @ JufCorp

Pic of Juha Jurvanen, Product Manager of Syspeace

The goal with Syspeace is to simplify security management and prevent brute force hacking, primarily in Microsoft Windows Server environments and is targeted at system administrators that manage servers, either ther own ones or for external customers or even in data centers such as cloud service providers.
Syspeace automates intrusion attempts, brute force attempts,  (eventid 4625) on Microsoft Exchange servers (including the OWA interface and protecting the receive connectors) , Microsoft Terminal Servers and basically any Windows server that uses Windows Authentication such as Sharepoint, Exchange, Terminal Server, Citrix, SQL Server and so on.Around the clock. .

Background and history
The background of the product is that within the Swedish-based cloud service, rCloud Office , from Red Cloud IT where I was the Cloud Architect and CTO , the realization of how many excessive login attempts generating eventid 4625 (failed login , unknown username or password ) from all around the world there really was and that this needed to be automated in aspects of the  administration of it and to tighten security since no brute force prevention is built into Windows. I also quickly realized that none of the other Cloud Service providers has any of this in place and this scared me.

A single attack could render in 5000-6000 login attempts and go on for 2-3 hours. This was a waste of bandwidth, server RAM and CPU since each login-attempt had to be validated and there was always the fear of someone actually succeeding to login or that a user account could be blocked out deliberately just to cause a DOS for the services.

For each brute force attempt most labour was manual and time consuming 

  • First, the log files had to be checked in Windows Server eventlog.
  • Second , the attack had to be manually blocked the incoming IP adress in the firewall.
  • As a third step attacker had to be traced with TRACERT and NSLOOKUP and WHOIS to determine from where it originated and decide when it would be suitable to handle it as a police matter or not.

At night, no one actually could handle an attack so it would be managed the next day which left us vulnerable during off-hours.

Of course this manual labour took quite some time the realization came quickly that it would become an absolute nightmare in the end if something wasn’t done. All customer expect these countermeasures to in place.

The need for something to automatically block the intrusion attempt, notify us the IP address and from where the attack was made popped up

I started searching the Internet for a cost effective, easily administered with  graphical interface and  yet effective solution.

There were a few simple script solutions out there but unfortunately, none of them really matched what was to be accomplished  i.e. block the intrusion attempt based on rules, track down the attacker geographically and unblocking the IP automatically and reporting the attack.

It had to have the ability to easily manage WHITE LISTS, preemptive BLACK LIST,  handle SMTP AUTH attacks and quite a few other features as well that just couldn’t be accomplished with scripts. It had to be easy to use with a graphical management interface to keep the administration and the learning process to a minimum and the autoblocker had to run as an integrated Windows service for optimal performance.

The idea and concepts takes shape

I came up the idea and a concept on how to get the job done, wrote down a few technical ideas and specs, wrote some proof of concepts  and thought about the idea and how to actually accomplish it and came across the guys of the Syspeace develepment team at Treetop and work began. Since I’m not a developer myself, I thought I’d leave the hardcore development to people who actually know what they’re doing.
I’m the guy with concepts and ideas but when it comes to actually writing code.. well.. I’m not a first hand choice. I’ve got a few a more ideas up my sleeve but let me get back to you on that 🙂

After the first alpha test we also realized quickly we needed to add some more intelligence to it as,  for instance, if an IP fails to log in x number of times during x amount of time and then succeeds, the system shouldn’t remember it as a possible attacker and be blocked further down the road for a failed attempt. People are still human and sometimes people type in the wrong password. A lot of work has beent put into the intelligence “under the hood” of Syspeace.

We also realized that the software works just as well protection your servers from LAN connections, giving you a better understanding of what really goes on woith your users and if someone on your LAN is trying to access resources they’re not supposed to or if someone has been infected with some kind of brute force – virus.

Syspeace today

Today, we get an email stating from where the attack originated (the DNS name if found, the IP address and from which country the attack originated). We’ve got reporting, separated mail notifications depending on events and we’re adding more and more features all the time.

We also get username that was tried which is extremely helpful since we immediately can see if it is just “background noise attack” or if it is targeted specifically  or even worse, a competitor tries to login to the central systems without explicit permission or an ex-employee/ex-customer  is trying to access an account that they no longer are authorized to.

See for yourself and download a free trial

Have a look at the Syspeace website to see what we came up with and download a free trial for yourself.

So far Syspeace has successfully blocked over 2,5 Million  brute force attacks worldwide and I dare say it has decreased the workload for quite a few system administrators out there.
Syspeace supports Windows Servers 2003 – 2012 R2.

Juha Jurvanen

Senior IT consultant in backup, IT security, server operations and cloud

Syspeace - brute force protection for Windows servers

Syspeace – brute force protection for Windows servers