Posts

How to battle slowgrind #bruteforce attacks against #msexchange #windows server #remotedesktop #sharepoint with #Syspeace

Syspeace automatically blocks attacks that occur according to the rules.
The default rule is that if an intruder fails to login more than 5 times within 30 minutes, the intruders IP address is blocked, tracked and reported for 2 hours and simply is denied any access to the server.

A new trend though has emerged and that is for bruteforce attackers to “slowgrind” through servers, trying to stay “under the radar” really from IDS/IPS HIPS/HIDS such as Syspeace.
They’ve got thousands and thousands of computers at their disposal so they’ll basically just try a few times at each server and then move on to next one in the IP range or geographical location hoping not to trigger any alarms or hacker countermeasures in place.

An easy way to battle this is actually simply to change the default rule in Syspeace from the time windows of 30 minutes to for example 5 days.

This way , I’m pretty sure you’ll see there are quite a few attackers that only tried 2 or three times a couple of days ago and they’re back again but still only trying only a few times.

With the “5 day” windows, you’ll catch and block those attacks too.

Here’s actually a brilliant example of an attack blocked, using a 4 day window.

Blocked address 121.31.114.99() [China] 2014-08-11 15:06:00
Rule used (Winlogon):
        Name:                   Catch All Login
        Trigger window:         4.00:30:00
        Occurrences:            5
        Lockout time:           02:00:00
        Previous observations of this IP address:
        2014-08-11 13:05:51     aksabadministrator
        2014-08-10 22:06:48     aksabadministrator
        2014-08-10 06:39:12     aksabadministrator
        2014-08-09 15:39:52     aksabadministrator
        2014-08-09 00:32:05     aksabadministrator

Syspeace has blocked more than 3 285 300 intrusion attempts against Windows Servers worldwide so far.

#Infosec When and where is Syspeace useful for intrusion prevention ?

In what scenarios Syspeace is useful for preventing brute force attacks? Do I need it if I’ve only got a Windows workstation?

Syspeace - intrusion prevention for Windows servers

Syspeace website

Syspeace is an intrusion prevention software mainly targeted for Windows Servers, SBS Server, RDS TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Sharepoint, Citrix and so on but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace these conditions need to be met

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of portforwarding in your external firewall to your server / workstation. If you are for instance on a standard broadband connection and you haven’t done anything with the default rules in your boradband modem, your workstation is probably not reachable from the Internet thus making a Syspeace installation quite unecessary and waste of RAM and COPU for you, minimal of course but still. There is no need to have software installed in any computer environment that actually doesn’t do anything for you. It’s a waste of resources.  

3.The same goes for servers although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks since Syspeace works just as efficently whetheter the attack is externla or internal. It will even block a workstation trying to connect to netowrk shares via the command prompt using “net use * \servernamesharename” command. Have a look at his entry for instance http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have for instance your own hosted WorPress Blog that is reachable from the Internet . Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress Blogs.

5. In server envirenments you might have Syspeace installed not only for intrusion prevention but also to have a good reporting on various user login activity that can be viewed and exported in the Access Reports Section.

6. If you’re using mainly Cloud Services or a managed VPS ,the intrusion prevention should be handled by your Cloud Service Provider . Here’s an older blog post on how to have verify how your provider handles hacking attacks : http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30 day trial for download at /free-download/download-plus-getting-started-with-syspeace/ .
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installtion is small, quick and very easu to set up. You’re up & running in 5 minutes and there’s no need to chnage your current infrasctructure, invest in specific and usually expensive hardware or hire external consultants.

By Juha Jurvanen @ JufCorp

A walkthrough of getting #Syspeace licenses and how it works

Getting #Syspeace licenses and how it works.

From time to time we get an email from customers that have bought their Syspeace licenses and they ask for the license key that they expect to get in an email.

Here’s a walkthrough of how #Syspeace licensing actually works.

First you install a #Syspeace trial, register a valid email address and choose a password password (this is done in the initial setup of SysPeace ).

The license key is then email to that mailaddress.
This is the key that will also become the live license when you buy the license, There is no separate license key mailed to you if you purchase licenses.

Once you purchase the license, the Syspeace client will automatically be updated upon the next contact with the license server when it requests a new token to validate the license or the next time it is restared.

If you want to extend your Syspeace license to be valid for more servers, simply login to the Syspeace licensing page and extend your license and install Syspeace on the next servers , using the same license key.

When you extend the license, you also have to ability to align license renewals to fit your needs. As an example, if you bought a Syspeace license in april for 3 #Windowsservers and two months later you install an additional server. The easiest way is to extend the running license and simply adding a fourth server. This way you don’t have to have an administrative nightmare in order to rememember various license renewals for diferent servers.

If you’ve bought your license through a reseller such they’ll manage all of the administration for you.

Have a try for yourself and download a free, fully functional trial of Syspeace and have your #Windows #Server, #Exchange and #OWA , #SQL , #Citrix , #Terminal #RD #RDweb , #Sharepoint and more automatically #intrusion protexted in a minute.

#bruteforce attacks and #dictionary attacks blocked, tracked and reported.

So far , #Syspeace has blocked 2 042 900 #intrusion attempts worldwide!

By Juha Jurvanen – Syspeace reseller at JufCorp and independent IT Consultant

Preview of the new Acces Reports feature in the upcoming Syspeace

This is a sneak preview of a new feature in the upcoming Syspeace to make sysadmins also be able to search, sort, create and export various reports to .CSV files on login activity on their Windows servers.

There will be even more things in the reporting and sorting functionality when we release it

Syspeace protects Windows servers, Exchange Servers, Remote Desktop Services, Citrix Servers, Sharepoint servers and more from brute force and dictionary attacks.
Syspeace works on Windows Server 2003, 2008 , 2088 R2 and SBS versions and an officially supported Windows Server 2012 and SQl Server support is underway,

For a free , fully functional trial please see Syspeace download

Syspeace now also for Windows 2003 Server

We’re happy to annonuce that the 2.0 version of Syspeace now also supports Windows 2003.

A few other changes in there are that the engine is rewritten to be even faster, the GUI has been simplified and we’ve done a few other changes “under the hood” to make it more modular for future development for new functions.

If you’re looking for an easy to use , cost efficient brute force and dictionary attack intrusion prevention software for Windows Servers on Windows 2003, 2008 2008 R2, 2003 SBS, 2008 SBS and so on.

We have also tested it on Windows 2012 but the official support will come later, but so far though, it has worked as expected.

Once you install Syspeace it protect your Citrix, Sharepoint, Exchange OWA, Terminal Servers and more ..

Have a look at Syspeace.,

The fully working trial is absolutely free for one month