#infosec Syspeace support for #FTP on #IIS and #Filezilla in beta

This is just a short newsflash that the Syspeace devteam has been working on adding detectors for #Microsoft #IIS FTP server and for #Filezilla FTP server.

Using the Syspeace engine to prevent brute force attacks against #windowsserver #msexchange #Sharepoint #remotedesktop #Citrix has proven to be highly efficient, and the need for more detectors grows steadily the more users we get.

We’ve blocked, tracked and reported over 3 million #bruteforce and #dictionary attacks against Windows Servers worldwide so far.

We have a constant dialogue with Syspeace users over mail or Uservoice to see what new detectors our users need, and one of the most frequently requested is FTP support.

If you have ideas for new features or detectors, please join us at Uservoice or drop us an email.

We’ve already publicly released the Syspeace API to enable you to write your own web application detectors and have Syspeace handle brute force attacks for you.
For more information on how to do this, please refer to the Syspeace Detector API page.

Would #Syspeace help against the #Heartbleed #OpenSSL bug?

In short, no.

Syspeace monitors failed logins on #msexchange #WinServ #sharepoint #remotedesktop #Citrix and evaluates whether they constitute a brute force attack against the system or not. Syspeace has blocked over 2.6 million brute force attacks against #windowsserver around the world so far.

However, if an attacker has gained access to usernames and passwords, he or she will use those and be able to log in. From the system’s point of view it is a fully legitimate login, so it does not trigger #Syspeace at all.

Over the next few days, #sysadmins around the world will be upgrading their systems to the patched OpenSSL, but for you as an end user it is highly recommended to change all of your passwords.
Remember to use strong passwords and never use the same password on different sites.

Here’s a blogpost that might be of use for you to remember complex online passwords.

By Juha Jurvanen @ JufCorp

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think about all of the items in the list below.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is, but you might use this as some kind of checklist, together with the links provided in this post.

Securing Windows Servers with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java, Office and any software really. This reduces the risk of so-called 0-day attacks or your server being compromised through software bugs.

2. Make sure you have a good and not too resource-intensive antivirus running on everything. Personally I’m a fan of F-Secure PSB for servers and workstations, for lots of reasons. It’s not just a pretty logo.

3. Verify that you have thought through your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful and crucial tool for securing your server.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happening, you can’t really react to it, can you? It also makes any troubleshooting hopeless in retrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. Use Group Policies. It’s an extremely powerful tool once you start using it, and it will make your day-to-day operations much easier.

10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive, and any communication should be encrypted and secured as far as we’re able. Yes, think Mr. Snowden. Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry, and with unused network protocols you basically fill your local network with useless chatter that consumes bandwidth. This also goes for workstations, printers and so on.

12. Enforce complex password policies! You won’t be well-liked, but that’s not what you get paid for.
If people are having trouble remembering the passwords they have all over the world, maybe you could have them read this:
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and, also on the topic of online passwords and identities, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! And again: BACKUPS!!
Make sure you have good backups (and test them at least once a year in a complete disaster recovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferably stored offsite in some manner in case of fire, theft or anything really.
For day-to-day operations and generation management I highly recommend using the built-in VSS snapshot method, but never ever use it instead of backups.
You can also use the built-in Windows Server Backup for DR, as described here: http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have automatic intrusion protection against brute force and dictionary attacks with Syspeace, since the “classic” methods do not get the job done. Here’s an older blog post on why: http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . If you don’t have the time to read the article, then simply download the free Syspeace trial, install it, and you’ve set up powerful and easy-to-use brute force protection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

Syspeace for internal brute force protection on Windows Servers

After installing Syspeace, the tech guys started getting notifications that their Exchange Server was trying to log in to another server and was being rejected. There was no reason whatsoever for this server to do so, and it had not been noticed earlier, so it’s hard to say when it actually started.

After disabling the whitelist for the LAN at the customer site, they started getting mail notifications that every workstation on their LAN was actually trying to log in to various servers using various usernames and passwords: in other words, a brute force/dictionary attack from the inside.

Most likely a trojan was planted somewhere and then spread to the rest.

This is a fairly simple example of how Syspeace can actually reveal a security breach that a customer wasn’t even aware had occurred.

It is totally up to each customer whether to use whitelists for the LAN, but as a precaution I personally wouldn’t recommend it, since not whitelisting actually gives you a great heads-up that something has happened if one or more computers suddenly start trying to log in to servers they’re not supposed to.

As a system administrator, you get the attack automatically blocked, logged, traced and reported, and you can have a closer look at the computer responsible for the attack or have a word with the user to see what’s going on.

You can even create extensive reports on all activity originating from that user or computer using the Access Reports section in Syspeace, to get a clearer view of how long it’s been trying and so on.

Since Syspeace automatically acts on failed logins through Winlogon authentication, your Windows servers are also protected from computers/users trying to use “net use” or “map network drive” with invalid logon credentials to access shares they’re not supposed to.

If you don’t have processes in place for scanning logs, saving them and monitoring every login activity, it becomes a gruesome task to even know whether there’s something going on at all. You simply won’t have the tools to do so.

Have your own servers run the fully functional Syspeace free trial and see if you get any unexpected login failures from the internal network and from the Internet.
You might be surprised.

By Juha Jurvanen

Syspeace 2.1.0 with SQL Server, Server 2012 support and more

Syspeace (@Syspeace) tweeted at 9:32 PM on Thu, Apr 18, 2013:
New version, 2.1.0, released today! Support for #SQLserver, #WinServ 2012 and all new Access Reports

Get the new version or free trial at
/downloads.aspx

Preventing and blocking brute force and dictionary attacks in a Windows Server environment with Syspeace

Syspeace is automated brute force and dictionary attack prevention software that protects Microsoft Windows Servers by monitoring the Windows authentication mechanisms for unsuccessful logins.

This means that you get immediate protection for Microsoft Terminal Server, Citrix, Exchange OWA Webmail, SharePoint, CRM, Terminal Server RDWeb and more; there is also built-in protection for Exchange connectors.

Each attack is automatically blocked, tracked and reported and as a system administrator you set up your own rules on when to block and for how long.

Syspeace is easy to install, and you’re up and running and protected within minutes of the download. No need to change your infrastructure, buy costly new appliances or hire specialized consultants.

The Global Blacklist, which is shared among all Syspeace installations around the world, gives you preemptive protection from well-known hackers and DDoS attackers, blocking them even before an attack can be initiated.

Syspeace also contains reporting capabilities, giving you the ability to check for failed and successful logins on your servers, and separate mail notifications based on events.

The Syspeace licensing model is very flexible and targeted to be easily affordable for any company, whether you’re in the SMB segment, a large enterprise, or even a large Cloud Service Provider or an outsourcing company.

One of the goals for Syspeace is to become a natural part of every server’s installed security mechanisms as part of the baseline security, and an important piece of that security work is

A Windows 2003 version of Syspeace is underway, to also provide brute force and dictionary attack prevention for older servers.

Try for yourself and see how easy it is


Other IT Security aspects

If you’re interested in various aspects of server security, you might want to check out http://syspeace.wordpress.com and this blog, where there are quite a few articles on why and how Syspeace can help you with your everyday battle against brute force and dictionary attacks, as well as a few other guidelines for IT security.

Protecting your customers from brute force attacks in Cloud services or in an outsourcing company

About brute force protection and Cloud Security and VPS (Virtual Private Servers) and outsourcing or hosted environments

Thoughts on cloud security by Juha Jurvanen @ JufCorp

If you are a Cloud Service provider or an outsourcing company giving your customers access to various Windows services such as file access, Exchange, Exchange OWA, Sharepoint, Citrix, RemoteApp and Terminal Server services, or even VPS (Virtual Private Servers), there are things you may want to consider.

Cloud security is often debated and it should be. There are pros and cons to each technical solution. Your customers rely on you to have your services reachable, virtually 24/7 and initially, they’ll be happy when that works.

Nowadays, though, cloud computing has grown to be more accepted, and with it a few questions are coming to life.

Your customers will eventually start asking you how you actually deal with various brute force attacks and dictionary attacks to protect their data. You will also, sooner or later, be faced with questions about reporting of these attacks, and about being able to gather reports of when and from where a specific user was logged in.

Remember that your customers have moved from an in-house hosted environment where they had the ability to gather this intel themselves, and they will be expecting to be able to get it from you. They also had the ability to use Syspeace to protect themselves, but once they’ve shifted to your services they have absolutely no idea what security mechanisms you have in place for them, and these questions will start to come around.

Historically, it’s been very difficult to handle these situations (feel free to read earlier posts on this blog to see what I’m getting at, for instance http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/ and http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ), so many sysadmins have more or less given up. But when we’re moving to Cloud Services and Cloud Computing, people will expect these matters to be sorted as well. The issue is: “why should we move our data to something we can’t even control, where we don’t know how the security is set up, and can’t verify it easily?”

Sooner or later, the end users and customers will start testing what your response really is and verifying whether there are any mechanisms in place (sometimes out of curiosity and sometimes due to internal processes and audits).

Is their attacked account locked out? For how long? Is the attacking IP locked out? Can you as a Cloud Service provider contact the user and let them know that someone tried to use their account from an IP address in China, although you know the customer has no business in China? Do you alert your customers about it?

No, probably not and it’s easy to understand why.

Because all of this has required a lot of manual work, most service providers and outsourcing companies just don’t want to deal with the problem and tend not to talk about the actual problem, which is basically that they have no idea about important things such as from where a login attempt was made, what username was used and how it was handled. Was it successful or a failed attempt, and how many times did the attacker actually try?

If you are a Cloud Computing Service provider, I highly suggest you have a look at Syspeace to enable you to add this service for your customers, protect access to your Cloud services preemptively, and actually have these things handled automatically, without increasing your workload but still tightening your security, and at a very low cost.

If you’re a VPS provider, consider for instance having the Syspeace software pre-installed in your images and letting your customers know it’s there, so they themselves can decide whether to use it or not. It’s not an extra cost for you, but it does show your customers that you’re actually thinking about their security and that you’re thinking ahead.

So far, Syspeace has actually saved 4.3 M US$ in only a few months in costs for the manual workload associated with brute force attacks and dictionary attacks.

I believe that the service providers that start thinking about these things and take them seriously will have an advantage over those who don’t, and quite a few customers will take having a system such as Syspeace in place for granted, as you would with antivirus.

Have a look at the Syspeace website and see for yourself how quickly and easily you can implement a brute force prevention system without the usual costs of appliances or costly consultants.

About Syspeace and its background

By Juha Jurvanen
Senior IT consultant in backup, IT security, server operations and cloud

Juha Jurvanen, Product Manager @ Syspeace
CTO and Cloud Architect @ Red Cloud iT
Independent consultant in backup, server operations, security and cloud @ JufCorp


The goal with Syspeace is to simplify security management and prevent brute force hacking, primarily in Microsoft Windows Server environments. It is targeted at system administrators who manage servers, either their own or for external customers, or even in data centers such as cloud service providers.
Syspeace automates the handling of intrusion attempts and brute force attempts (Event ID 4625) on Microsoft Exchange servers (including the OWA interface and protecting the receive connectors), Microsoft Terminal Servers and basically any Windows server that uses Windows Authentication, such as Sharepoint, Exchange, Terminal Server, Citrix, SQL Server and so on, around the clock.

Background and history
The background of the product is the Swedish-based cloud service rCloud Office from Red Cloud IT, where I was the Cloud Architect and CTO. There we realized how many excessive login attempts generating Event ID 4625 (failed login, unknown username or password) there really were from all around the world, and that the administration of them needed to be automated in order to tighten security, since no brute force prevention is built into Windows. I also quickly realized that none of the other Cloud Service providers had any of this in place, and this scared me.

A single attack could result in 5000-6000 login attempts and go on for 2-3 hours. This was a waste of bandwidth, server RAM and CPU, since each login attempt had to be validated, and there was always the fear of someone actually succeeding in logging in, or of a user account being locked out deliberately just to cause a DoS for the services.

For each brute force attempt, most of the labour was manual and time-consuming:

  • First, the log files had to be checked in the Windows Server event log.
  • Second, the attacking IP address had to be manually blocked in the firewall.
  • As a third step, the attacker had to be traced with TRACERT, NSLOOKUP and WHOIS to determine where it originated from, and a decision made on whether it would be suitable to handle it as a police matter or not.

At night, no one actually could handle an attack so it would be managed the next day which left us vulnerable during off-hours.

Of course this manual labour took quite some time, and the realization came quickly that it would become an absolute nightmare in the end if something wasn’t done. All customers expect these countermeasures to be in place.

The need for something to automatically block the intrusion attempt and notify us of the IP address and where the attack was made from became obvious.

I started searching the Internet for a cost-effective, easily administered solution with a graphical interface that was still effective.

There were a few simple script solutions out there, but unfortunately none of them really matched what was to be accomplished, i.e. block the intrusion attempt based on rules, track down the attacker geographically, unblock the IP automatically and report the attack.

It had to have the ability to easily manage WHITE LISTS and a preemptive BLACK LIST, handle SMTP AUTH attacks, and offer quite a few other features as well that just couldn’t be accomplished with scripts. It had to be easy to use, with a graphical management interface to keep the administration and the learning process to a minimum, and the autoblocker had to run as an integrated Windows service for optimal performance.

The idea and concepts takes shape

I came up with the idea and a concept of how to get the job done, wrote down a few technical ideas and specs, wrote some proofs of concept and thought about the idea and how to actually accomplish it. Then I came across the guys of the Syspeace development team at Treetop and work began. Since I’m not a developer myself, I thought I’d leave the hardcore development to people who actually know what they’re doing.
I’m the guy with concepts and ideas, but when it comes to actually writing code.. well.. I’m not a first-hand choice. I’ve got a few more ideas up my sleeve, but let me get back to you on that 🙂

After the first alpha test we also quickly realized that we needed to add some more intelligence to it. For instance, if an IP fails to log in a certain number of times within a certain amount of time and then succeeds, the system shouldn’t remember it as a possible attacker and block it further down the road for a single failed attempt. People are still human, and sometimes people type in the wrong password. A lot of work has been put into the intelligence “under the hood” of Syspeace.

We also realized that the software works just as well for protecting your servers from LAN connections, giving you a better understanding of what really goes on with your users, and whether someone on your LAN is trying to access resources they’re not supposed to, or has been infected with some kind of brute force virus.
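To make the behaviour described in these posts concrete (rules for when to block and for how long, a failed-logon counter that is wiped by a later successful logon, the LAN whitelist whose absence exposed the internal sweep in the customer story above, and the per-source access report), here is a small stand-alone detector. It is an added example written for this page, not Syspeace’s own code or its actual algorithm; the threshold, window, block duration, the event tuple shape and every IP address and account name in the sample data are constructed assumptions, and the event IDs are the Windows Security log’s 4625 (failed logon) and 4624 (successful logon) the posts refer to.

```python
# Added example, not Syspeace's own code: a minimal failed-logon detector that
# counts Windows Security log failures (Event ID 4625) per source IP inside a
# sliding window, blocks the IP for a set time once a threshold is hit, lifts the
# block when it expires, forgets an IP's failures after a successful logon (4624)
# so a mistyped password is not treated as an attack, and can skip whitelisted
# networks. Thresholds, durations, event shape and all addresses are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

@dataclass
class Rule:
    max_failures: int = 5                      # failures inside the window before a block
    window: timedelta = timedelta(minutes=5)   # sliding window for counting failures
    block_for: timedelta = timedelta(hours=2)  # how long a blocked IP stays blocked

class Detector:
    def __init__(self, rule=None, whitelist=()):
        self.rule = rule or Rule()
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime when the block expires
        self.actions = []                   # (action, ip, timestamp), for reporting

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def process(self, ts, event_id, ip, user):
        """Feed one logon event; return what the detector decided for it."""
        if self._whitelisted(ip):
            return "whitelisted"            # never counted, never blocked
        if ip in self.blocked_until:
            if ts < self.blocked_until[ip]:
                return "blocked"            # still inside the block period
            del self.blocked_until[ip]      # block expired: start counting afresh
            self.actions.append(("unblock", ip, ts))
        if event_id == 4624:
            self.failures.pop(ip, None)     # a success wipes the failure history
            return "reset"
        if event_id != 4625:
            return "ignored"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.rule.window:
            recent.popleft()                # drop failures that fell out of the window
        if len(recent) >= self.rule.max_failures:
            self.blocked_until[ip] = ts + self.rule.block_for
            self.failures.pop(ip)
            self.actions.append(("block", ip, ts))
            return "block"
        return "counted"

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

# Constructed sample events: (timestamp, event id, source IP, account name tried).
SAMPLE_EVENTS = [
    ("2013-04-18 21:00:00", 4625, "203.0.113.7", "administrator"),
    ("2013-04-18 21:00:05", 4625, "203.0.113.7", "admin"),
    ("2013-04-18 21:00:09", 4625, "203.0.113.7", "root"),
    ("2013-04-18 21:00:12", 4625, "203.0.113.7", "test"),
    ("2013-04-18 21:00:15", 4625, "203.0.113.7", "guest"),          # fifth failure: block
    ("2013-04-18 21:00:20", 4625, "203.0.113.7", "sa"),             # arrives while blocked
    ("2013-04-18 21:01:00", 4625, "192.168.1.50", "jsmith"),        # a user mistypes twice...
    ("2013-04-18 21:01:04", 4625, "192.168.1.50", "jsmith"),
    ("2013-04-18 21:01:10", 4624, "192.168.1.50", "jsmith"),        # ...then logs in: reset
    ("2013-04-18 21:05:00", 4625, "192.168.1.50", "jsmith"),        # counted from zero again
    ("2013-04-18 21:10:00", 4625, "192.168.1.77", "backup"),        # LAN host sweeping accounts
    ("2013-04-18 21:10:01", 4625, "192.168.1.77", "admin"),
    ("2013-04-18 21:10:02", 4625, "192.168.1.77", "jsmith"),
    ("2013-04-18 21:10:03", 4625, "192.168.1.77", "finance"),
    ("2013-04-18 21:10:04", 4625, "192.168.1.77", "sql"),           # blocked unless whitelisted
    ("2013-04-18 23:30:00", 4625, "203.0.113.7", "administrator"),  # after the 2 h block expired
]

def run(events=SAMPLE_EVENTS, rule=None, whitelist=()):
    """Replay events through a detector; return per-event decisions and the detector."""
    det = Detector(rule, whitelist)
    decisions = [(ip, det.process(parse(ts), eid, ip, user)) for ts, eid, ip, user in events]
    return decisions, det

def access_report(events):
    """Per-source summary of failed logons: how many, and which accounts were tried."""
    report = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for _ts, eid, ip, user in events:
        if eid == 4625:
            report[ip]["failures"] += 1
            report[ip]["accounts"].add(user)
    return dict(report)

if __name__ == "__main__":
    for whitelist in ((), ("192.168.1.0/24",)):
        _, det = run(whitelist=whitelist)
        print("whitelist:", list(whitelist) or "none")
        for action, ip, ts in det.actions:
            print("  ", ts, action, ip)
    for ip, row in access_report(SAMPLE_EVENTS).items():
        print(ip, row["failures"], "failures, accounts tried:", sorted(row["accounts"]))
```

Running it with no whitelist blocks both the Internet source and the LAN workstation; running it with the LAN whitelisted silently drops the internal sweep, which is exactly the heads-up the customer story says you lose by whitelisting. The account-name column in the report is what separates background noise (a sweep of generic names) from an attempt aimed at a specific user.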

Syspeace today

Today, we get an email stating from where the attack originated (the DNS name if found, the IP address and from which country the attack originated). We’ve got reporting, separated mail notifications depending on events and we’re adding more and more features all the time.

We also get the username that was tried, which is extremely helpful since we can immediately see whether it is just a “background noise attack” or whether it is specifically targeted, or even worse, a competitor trying to log in to the central systems without explicit permission, or an ex-employee/ex-customer trying to access an account they are no longer authorized to use.

See for yourself and download a free trial

Have a look at the Syspeace website to see what we came up with and download a free trial for yourself.

So far Syspeace has successfully blocked over 2.5 million brute force attacks worldwide, and I dare say it has decreased the workload for quite a few system administrators out there.
Syspeace supports Windows Server 2003 – 2012 R2.

Juha Jurvanen

Senior IT consultant in backup, IT security, server operations and cloud

Syspeace - brute force protection for Windows servers
