Posts

Troubleshooting Syspeace

An interesting support case came to our attention recently.

A customer claimed that Syspeace wouldn’t block according to the rules.

The bruteforce attacks would continue , even after they should have been blocked.

We checked the ususal culprits (verify that the .Net is fully patched, that the customer is running the latest Syspeace version, verify that logging is enabled and that the firewall is turned on )

The rules were added as expected in the firewall but they didn’t have any effect.

After a lot of troubleshooting the root-cause was found.

The customers server did indeed have the firewall enabled but only in one of the firewall profiles (public, private, domain) and unfortuantely, the network used was not the one the firewall was enabled for, hence, nothing was blocked as expected. The rules were added but did not take effect in the expected amount of time

So, as a general troubleshooting tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.

The usual troubleshooting tips we give are described in the manual in the troubleshooting section

1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)

4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn’t find any, there is not much that Syspeace can do. (Update: starting with Syspeace 2.7, these attempts can be detected too.)

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester “anypassword”

9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual

11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article

12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. Please refer to this post on the matter
by Juha Jurvanen

#Syspeace stops due to license server inaccessable on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

#infosec #cloudsecurity #Syspeace – Host Intrusion Prevention Software on an external #Windowsserver #VPS in the #Cloud #IaaS #PaaS

Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud

There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds and some are hybrids and some are private.
There’s also the possibility rent an external VPS and use as a server at quite a few providers nowadays.

The IaaS/PaaS (Infrastracture as a Service/ Platform as a Service) provider gives you acces to a virtual server designed as to your needs when it comes to RAM and storage. Basically, it’s usually an empty server with an operating system.

Running IT solutions on an external VPS decreases the need for hardware investements but there are still things you need to consider and you need to manage your server the same way you would with any physical server i terms of monitoring security and tha availability of services and applications.

Logically, the server is reachable from the Internet which will make it a target.
Anything that is reachable will be targeted for intrusion attempts. The responsibility for Iaas/PaaS provider is simply to provide you with the Hypervisor needed to host you operating system and the rest is up to you. You install the applications, webservers and everything just as you would with a normal physical server.

Some aware Iaas/PaaS/Cloud service provders do have some kind of Appshop/Control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention but it’s not that common.

Remember that your VPS shares “IP-space” with other customers when it comes to the network at your provider and you have absolutely no idea of what your “neighbors” are doing and if they’re the slightest security aware.
They may hve been hacked without you knowing it (or them either for that matter) and they could have the IP address right next to you and their server could be used for instance for portscanning or hacking attempts against your VPS (if seen this quite a few times now).

Your IaaS/PaaS provider usually wouldn’t know since it’s not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more. No security monitoring, no antivirus, no application / services monitoring
In case of a larger DDoS attack, they probobaly have ways to handle them if it concerns their entire network and affects a lot of their customers but when it comes to attacks speciafically targetet at your VPS and your users on it, it’s a bit trickier.

Imagine the scenario you’ve set up a server, you got your users set up, installed your applications and services and it’s up and running. Now, rermember that there’s no connection nbetween you userdatabase and login mechanisms locally on the VPS and your IaaS/PaaS systems so they’ll actually never even get any alarms if some is trying to brute force your server or your webapplication. They will be alerted in case of a large DDoS attack against their entire netowrk but they will not be alerted in cases of a bruteforce attack targetetd against your VPS.
So, in short, it’s all up to you. There’s no differnce apart from your not running the server in your own datacenter or at a hosting company.

Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts

If your running a Windows server as a VPS you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported againts the Syspeace Global Blacklist.
You also need to secure the server in other ways such as an antivirus, have your services monitored, you webapplication login form secured both from malicios code and from brute force logins (this is also wher Syspeace comes into play since there are plugins available for various webplatforms to use against bruteforce attacks)

Syspeace is an automated Host Intrusion Prevention System (also called a HIPS) and is targeted to protect Windows servers, Exchange and OWA , Sharepoint, Terminal Server / RDS and the RDWEB login, Citrix , SQL Server and more from bruteforce / dictionary attacks. . It is easy to install, and easy to manage and you’ll set it up in a couple of minutes and you’re protected. Instantly.

As I’m writing this, Syspeace has succesfully blocked, tracked and reported over 2 921 200 (2.9 Million) brute force and dictionary attacks against Windows servers worldwide.

Have a look the Syspeace website for a free trial download or keep reading some of the previous articles I’ve written on various securiy aspects on server managagement such as Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don’t work and Securing your #WinServ and #MSExchange with an acceptable baseline security

By Juha Jurvanen @ JufCorp

#infosec #cloudsecurity #Syspeace – Host Intrusion Prevention Software on an external #Windowsserver #VPS in the #Cloud #IaaS #PaaS

Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud

There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds and some are hybrids and some are private.
There’s also the possibility rent an external VPS and use as a server at quite a few providers nowadays.

The IaaS/PaaS (Infrastracture as a Service/ Platform as a Service) provider gives you acces to a virtual server designed as to your needs when it comes to RAM and storage. Basically, it’s usually an empty server with an operating system.

Running IT solutions on an external VPS decreases the need for hardware investements but there are still things you need to consider and you need to manage your server the same way you would with any physical server i terms of monitoring security and tha availability of services and applications.

Logically, the server is reachable from the Internet which will make it a target.
Anything that is reachable will be targeted for intrusion attempts. The responsibility for Iaas/PaaS provider is simply to provide you with the Hypervisor needed to host you operating system and the rest is up to you. You install the applications, webservers and everything just as you would with a normal physical server.

Some aware Iaas/PaaS/Cloud service provders do have some kind of Appshop/Control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention but it’s not that common.

Remember that your VPS shares “IP-space” with other customers when it comes to the network at your provider and you have absolutely no idea of what your “neighbors” are doing and if they’re the slightest security aware.
They may hve been hacked without you knowing it (or them either for that matter) and they could have the IP address right next to you and their server could be used for instance for portscanning or hacking attempts against your VPS (if seen this quite a few times now).

Your IaaS/PaaS provider usually wouldn’t know since it’s not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more. No security monitoring, no antivirus, no application / services monitoring
In case of a larger DDoS attack, they probobaly have ways to handle them if it concerns their entire network and affects a lot of their customers but when it comes to attacks speciafically targetet at your VPS and your users on it, it’s a bit trickier.

Imagine the scenario you’ve set up a server, you got your users set up, installed your applications and services and it’s up and running. Now, rermember that there’s no connection nbetween you userdatabase and login mechanisms locally on the VPS and your IaaS/PaaS systems so they’ll actually never even get any alarms if some is trying to brute force your server or your webapplication. They will be alerted in case of a large DDoS attack against their entire netowrk but they will not be alerted in cases of a bruteforce attack targetetd against your VPS.
So, in short, it’s all up to you. There’s no differnce apart from your not running the server in your own datacenter or at a hosting company.

Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts

If your running a Windows server as a VPS you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported againts the Syspeace Global Blacklist.
You also need to secure the server in other ways such as an antivirus, have your services monitored, you webapplication login form secured both from malicios code and from brute force logins (this is also wher Syspeace comes into play since there are plugins available for various webplatforms to use against bruteforce attacks)

Syspeace is an automated Host Intrusion Prevention System (also called a HIPS) and is targeted to protect Windows servers, Exchange and OWA , Sharepoint, Terminal Server / RDS and the RDWEB login, Citrix , SQL Server and more from bruteforce / dictionary attacks. . It is easy to install, and easy to manage and you’ll set it up in a couple of minutes and you’re protected. Instantly.

As I’m writing this, Syspeace has succesfully blocked, tracked and reported over 2 921 200 (2.9 Million) brute force and dictionary attacks against Windows servers worldwide.

Have a look the Syspeace website for a free trial download or keep reading some of the previous articles I’ve written on various securiy aspects on server managagement such as Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don’t work and Securing your #WinServ and #MSExchange with an acceptable baseline security

By Juha Jurvanen @ JufCorp

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange

Syspeace - intrusion prevention for Windows servers

Syspeace website

Is your VPS used for brute force attacks?

or I could also have called this post “Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power inte the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance för servers and have someone else take care of it. Also known as Infrastructure aa a Service or IaaS

The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is simply get rid of the hardware hassle but you still have to take care of the Windows patching and manage security issues as with any Windows serevr (or Linux för that matter) .

There aren’t that many Cloyd services out there that actually will also manage the security and management aspects of your VPS and you really need to think these things through.

The resaon for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted aginst RDP / Terminal Servers servers, Exchange Server and Sharepoint Servers in this case, have been blocked, traced and reported automatically but the big question is whether whoever owns/hires this VPS is actually even aware of what is going on ? Or if it’s hired especially for this purpose? This is actuallt impossible to know.

In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been succesfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hirong the VPS does this on pyrpose or they have no idea that the VPS has been compromised and is used for this hacking activity. I juyt donät knoew. All I know is that it has been cinducting a lot of dicitionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace since you basically have no idea what all of the other customers VPS are really doing in your shared network since you hae no control over them.

Most Cloud Service Provers could inplement Syspeace in their various Applications portals or have a Syspeace installed in their prepared images for customers. If your providers hasn’t implemented Syspeace yet, you can simply download it yourself from /free-download/download-plus-getting-started-with-syspeace/

Your “neighbors” at the Cloud Service could be trying to brute force they way into your VPS and you’d probably wouldn’t have a clue if you haven’t turned on logging and installed a brute foce prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

A walkthrough of getting #Syspeace licenses and how it works

Getting #Syspeace licenses and how it works.

From time to time we get an email from customers that have bought their Syspeace licenses and they ask for the license key that they expect to get in an email.

Here’s a walkthrough of how #Syspeace licensing actually works.

First you install a #Syspeace trial, register a valid email address and choose a password password (this is done in the initial setup of SysPeace ).

The license key is then email to that mailaddress.
This is the key that will also become the live license when you buy the license, There is no separate license key mailed to you if you purchase licenses.

Once you purchase the license, the Syspeace client will automatically be updated upon the next contact with the license server when it requests a new token to validate the license or the next time it is restared.

If you want to extend your Syspeace license to be valid for more servers, simply login to the Syspeace licensing page and extend your license and install Syspeace on the next servers , using the same license key.

When you extend the license, you also have to ability to align license renewals to fit your needs. As an example, if you bought a Syspeace license in april for 3 #Windowsservers and two months later you install an additional server. The easiest way is to extend the running license and simply adding a fourth server. This way you don’t have to have an administrative nightmare in order to rememember various license renewals for diferent servers.

If you’ve bought your license through a reseller such they’ll manage all of the administration for you.

Have a try for yourself and download a free, fully functional trial of Syspeace and have your #Windows #Server, #Exchange and #OWA , #SQL , #Citrix , #Terminal #RD #RDweb , #Sharepoint and more automatically #intrusion protexted in a minute.

#bruteforce attacks and #dictionary attacks blocked, tracked and reported.

So far , #Syspeace has blocked 2 042 900 #intrusion attempts worldwide!

By Juha Jurvanen – Syspeace reseller at JufCorp and independent IT Consultant

Syspeace 2.1.0 with SQL Server, Server 2012 support and more

Syspeace (@Syspeace) tweetade kl. 9:32 EM on tors, apr 18, 2013:
New version, 2.1.0, released today! Support for #SQLserver, #WinServ 2012 and all new Access Reports

Get the new version or free trial at
/downloads.aspx

Closing in on 1 Million blocked brute force and dictionary attacks on Windows Servers world wide

Just a quick post about the numbers so far really.

Last night , Syspeace had blocked 962 553 brute force and dictionary attacks on Windows 2003 / 2008 / SBS server / RDS servers / Citrix WorldWide.

As a prediction , we will reach over 1 Million later on this week or early next week. We think that’s pretty cool. Considering Syspeace has been publically available only since July 15th 2012..

New version coming up

Other news regarding Syspeace is that we’re beta testing the new release now that will support Windows Server 2012, SQL Server and also have a completely new reporting, sorting and exporting feature called Access Reports.

The new Access Reports feature lets you create reports on failed and succesful logins on your Windows Servers and export them to .CSV reports. The information is saved in the local database so even if the Windows Security Log is cleared, the information is still available for use in for instance forensics and other tasks.

For a free trial download of the brute force and dictionaray attack preventon software Syspeace, please refer to the Syspeace Download page.

Preview of the new Acces Reports feature in the upcoming Syspeace

This is a sneak preview of a new feature in the upcoming Syspeace to make sysadmins also be able to search, sort, create and export various reports to .CSV files on login activity on their Windows servers.

There will be even more things in the reporting and sorting functionality when we release it

Syspeace protects Windows servers, Exchange Servers, Remote Desktop Services, Citrix Servers, Sharepoint servers and more from brute force and dictionary attacks.
Syspeace works on Windows Server 2003, 2008 , 2088 R2 and SBS versions and an officially supported Windows Server 2012 and SQl Server support is underway,

For a free , fully functional trial please see Syspeace download

Getting the datacenter ready for the Holidays – a few thoughts

Note: This was written just before Christmas 2012 but it does apply to any longer holidays or vacations ../Juha Jurvanen

The Christmas holidays are coming up and most people look forward to them as always.

One aspect of the holidays though that might be worth to remember is that your serves might be more attacked during the holiday seasons since many hackers assume that your ususal vigilance for monitoring brute force attacka and dictionary attacks is lowered.

This year, Christmas Eve is on a Tuesday and for quite a few the time away from work can be up to a couple of weeks, including system administrators and techs.

The downside to this well-deserved leave is that it might give an attacker at least two weeks to try and hack your servers without anyone noticing it.

A few things you may want to do before you leave work for Christmas then.

Security patches

Make sure your servers and systems (such as firmware for switches, WiFi and so on) have all necessary security patches installed.

Antivirus status

Make sure your antivirus is running and updated.

Firewalls and WiFi entry points

Have a final look at any entrypoints to your networks i.e. have a look at firewall rules and WiFi access points. Shutdown everything that doesn’t need to be running.

Test servers

Have look around and see that you don’t have any unncessary test systems running, if for no other reason than to save money on current. If your test-serevrs are in a virtual environment, shut them down since they could pose a securiy risk. Test systems are always test systems.

External access via VPN

Make sure you don’t have any rogue VPN certificates out in the wild or any users active that should’t have access. Also, consider changing administrative passwords if it’s been a while.

UPS

Have a look at battery and charging levels for your UPS ,
Should a power failure occur and these things don’t work , you might be forced to fix a failed hardrive on Christnmas Evev and nobody wants that.

Hardware health checks

Check for any hardware errors in your monitoring sodtware (such as the HP Insight interface ) to see make sure you don’t have hard drives that are predicted to fail or any other hardwrae malfuncion going on.

Backups

Have a good look at your backups, logs and doublecheck they’re running correctly and that data is duplicated automatically. Especially for any backups that clear logsfiles sucha as Exchange backups, SQL Server backups . You don’t want to fill up yur system drives if ou’re not around to take care of it.

Contingency plan

Make sure there’s an updated plan in place with the correct phone numbers and contact info to the right staff and suppliers in case of an emergency. Have a look at the schedules to see who’s on call and make sure the plan is reachable, even if the datacenter isn’t.

Network monitoring

Install software for monitoring and scanning your network and have it alert via email for anything strange such as a new device on your network, a newly created user somewhere, mismatch in network configurations and so on. You could have a look at SpiceWorks that’s free and gets the job done if don’t have anything in pace now,

Brute force and dictionary attacks and intrusion detection

Install Syspeace to automatically block, trace and report any brute force attacks against your Windows, Citrix, Exchange OWA, Sharepoint, Terminal servers, Sharepoint and so on.

I’m sure there’s even more things that might be worth doing but this is a start anyway.

By Juha Jurvanen – Senior IT Consultant