Recent improvements in the Syspeace Licenses site

Syspeace consists of more than the Windows software that you download and run to achieve our Syspeace protection. Customers purchase and manage licenses from the Syspeace Licenses site, and we have recently introduced a few changes worthy of a write-up.

  • Show your license key. You can now click a link to show your license key, to easily copy it into your records or into Syspeace’s Welcome window.
  • Show current license use. In the list of licenses, you can now also show which computers currently have a license use right checked out. The list also shows the number of computers currently using the license.
  • Revoke a license use right for a computer. Syspeace gives you the flexibility to switch computers over the lifetime of your license. With the ability to revoke a current license use right for a computer, you no longer have to wait for the license use right for an outgoing computer to expire before a new computer can receive it.
  • Resellers can now create accounts for customers. This is especially helpful for managed resellers that need to plan out big deployments, but is also useful for public resellers. These accounts already are paired to the reseller, so that the reseller can purchase licenses for them immediately.

In addition to this, we have updated the purchase FAQ to contain more frequently asked questions.

As always, we welcome feedback on every part of Syspeace, including the Syspeace Licenses site.

#Syspeace stops due to license server inaccessable on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

#infosec #Syspeace has blocked over 3 Million #bruteforce attacks

Today, we reached a new milestone for Syspeace. We have now blocked, tracked and reported over 3 Million #bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix #SQLserver worldwide!

#infosec #security About using #Syspeace against #DDoS attacks for #sysadmin

Syspeace and DDoS attacks

We had a discussion the other day about Syspeace and if it would help in a DDoS attack.

Essentially a DDoS attack is about overloading a server with massive traffic thus making it unreachable for the services the way it is supposed to be.

This can be accomplished in numerous ways.

If for instance 10 000 computers in a botnet are targeted at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway. Syspeace is designed to monitor failed login attempts and handle them by custom rules to protect your Windows servers by completely blocking the attacking address in the local firewall. This will protect your server on all ports soo if you other services running on it, they would also be blocked for the attacker.

DOS/DDoS by using Brute force / dictionary attacks and how Syspeace would react

The two different methods in the brute force/dictioanry attack department would be the following.

Single login attempt method

If the same 10 000 copmuters try to login to your server (an Exchange weblogin, RDS/ Terminal Server, Sharepoint, Citrix and so on ) with a brute force / dictionary attack the server would stop responding due to the overload on CPU/RAM and the network would also be filled.

If each and one of these 10 000 computers only tries once to login , Syspeace wouldn’t react since that would esseantially mean that all logins (or IP addresses essentialy) would be blocked at the first thus disabling anyone to login.

If you’re a hosting provider or outsouring provider and you have a number of customers at static IP addresses you could whitelist the customers IP addresses and set up a Syspeace rule to block at one failed login and in that manner have the attacka partially handled by Syspeace.
However, if you’re a Cloud Service provier this won’t work in reality since your customers could be coming from any IP address anywhere.

Multiple login attempt method

The second method would be to have each and everyone of these 10 000 computers constantly trying to login multiple times and such an attack would be blocked by Syspeace.

Bare in mind though, this would not sort out the network being flooded but it would help you protect your server from crashing due to overloaded CPU/RAM usage and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or increasing your bandwidth for instance)

To a certain extent , the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses attacking you already.

If you don’t have Syspeace at all it’s not unlikely you’ll also be having a lot of user accounts locked out if you you’re trying to use lockout policies. Here’s a previous blogpost on why that is

Future features in Syspeace

One of the things we’ve already released are public APIs for customers with their own applications, webapplications and loginforms so we enable them to use the Syspeace engine to easily handle brute force attacks. For more information on how to implement it on your website or appliaction , please refer to the Syspeace Detector API page

We do have some ideas on how also to have Syspeace help in the first scenario (1 login/computer attack) but we’ll get back to you on that after we’ve implemented quite a few new more features and functions that’s already in our roadmap.

To have your Windows servers protected against malicious login attempts and have it set up in minutes without changing your infrasctructure , please visit the Syspeace download page

By Juha Jurvanen

#infosec Moving #Syspeace licenses between servers

The Syspeace licensing model is a flexible and easy to use model.

The license you used for the free trial is automatically converted into a live a license when you purhase a license. You don’t need to reconfigure.

You decide for youself if you want use Syspeace for a year at a time or for example 2 months and on how many servers you want to divide the number of computerdays.

You can use the same licensenumber on multiple servers and the central licensing server keeps track of licensing for you and you can easily extend you existing license.

If you need to move the license from one server to another, simply start the Syspeace GUI, find the reset license button and reset. Install Syspeace on the new server and you’re good to go.
Another way is to simply stop the Syspeace service on the old server and install on the new server, using the same licensenumber.

All updates and new, generic detectors are free to download for valid licensesowners and trialusers.

If you’re hosting servers or have many servers the easiest approach is probably to have one Syspeace account and use the same license for all servers but if you’re managing multiple external servers you’d probably want to have a separate Syspeace account for each customer for instance ACME @ YourCompany.
This way you’ll easily keep track of the administrative part with your invoicing.

By Juha Jurvanen @ JufCorp

Using Syspeace also for internal protection and access reporting.

Using Syspeace for internal server protection

Most Syspeace users have the software in place to protect them from mainly from external threats from the Internet such as hacking attempts via bruteforce attacks and dictionary attacks.

Quite often, the internal netowrk ranges are excluded in the local whitelist by sysadmins , thus never blocking anything from those IP addresses or network ranges.

Some of our customers though have also discovered Syspeace to be an excellent tool to keep track of failed internal logins and those might actualy be important to keep track of.

If you’re not keeping track of internal failed login attempts, it might be hard to spot for instance a virus/trojan infected PC on your network that tries to login to every PC and server that is available or if a user is trying to access servers or assets they’re not supposed to. With Syspeace, the attack is automatically blocked, reported and and the sysadmin is alerted that something’s going on.

There can be downsides to not excluding internal IP ranges since there is a risk of for instance blocking a server from communicating with another but if you’re vigilant and think these things through, it’s mostly an administrative task to remember that yov’ve got Syspeace when you’ve changeed an administrators password or whatever.

Creating reports on user logins

Another great feature of Syspeace is the reporting section that enables for sysadmins to create reports and staistics about user logins such as when, from where and even hof often from that locationc they’ve actually been logged in.

For instance, if a user claims to have been working from home in July, it’s quite easy for a sysadmin to actually verify this using the Access Reports section to create .csv files with statistics.
Now, if the IP address for instance originates from Spain and your company is located only in Sweden…

If you’re using a Windows Server-based Cloud Service for instance, it might be difficult for you to get hold of such information, even if you ask for it.

Howerver, if your cloud Service provider is running Syspeace to protect you and other customers it’s a walk in the park for the provider to get you that infomation if you need it for some reason.

Syspeace stores failed and successful login in a local database so even the Windows securiy eventlog is cleared , the information can still be obtained by Syspeace.

Download a free, fully functional trial at / and have your Windows, Citrix, RDS, Sharepoint, Exchange, OWA, RDWEB, SQL servers and more instantly protected from hacking attempts.

By Juha Jurvanen

Syspeace logo

Syspeace – Intrusion prevention for Windows Servers

Syspeace now also available on Cnet downloads

Now we’ve also decided to have more download places for Syspeace users.

We’re actually also playing around with the idea of creating a .torrent and submit it to Pirate Bay.

Here’s the Cnet link anyways.

Syspeace on CNET
http://download.cnet.com/Syspeace/3000-2653_4-75903329.html?tag=mncol;1

Please keep in mind that the latest version is always available on Syspeace official website download page

Closing in on 1 Million blocked brute force and dictionary attacks on Windows Servers world wide

Just a quick post about the numbers so far really.

Last night , Syspeace had blocked 962 553 brute force and dictionary attacks on Windows 2003 / 2008 / SBS server / RDS servers / Citrix WorldWide.

As a prediction , we will reach over 1 Million later on this week or early next week. We think that’s pretty cool. Considering Syspeace has been publically available only since July 15th 2012..

New version coming up

Other news regarding Syspeace is that we’re beta testing the new release now that will support Windows Server 2012, SQL Server and also have a completely new reporting, sorting and exporting feature called Access Reports.

The new Access Reports feature lets you create reports on failed and succesful logins on your Windows Servers and export them to .CSV reports. The information is saved in the local database so even if the Windows Security Log is cleared, the information is still available for use in for instance forensics and other tasks.

For a free trial download of the brute force and dictionaray attack preventon software Syspeace, please refer to the Syspeace Download page.