
Using Syspeace against a targeted brute force attack on a specific username

Today we had an interesting support question.

Someone is trying to brute force a customer's server using the same account name, but from a large number of different IP addresses, trying only once or twice from each address. Because the default rule counts failed attempts per IP address, no single address ever reaches the threshold, so Syspeace never blocks any of them.

The suggestion we eventually came up with is to create a rule based on the user name and set the allowed attempts to a single failed attempt, so that Syspeace blocks the offending IP address immediately.

Keep in mind, though, that in this scenario a legitimate user will also be locked out instantly after one failed try, so there is good reason to whitelist the IP addresses that this user normally logs in from.

Furthermore, the reason for this specific and targeted attack on one account should be investigated more closely, and the case should be handed over to the proper authorities for investigation.
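The scenario above, as an added PowerShell example that is not Syspeace's own code: it builds a constructed set of failed-logon (event ID 4625) records, shows that a per-IP threshold never fires because each source stops after one or two tries, flags the account that is being hit from many sources, and then applies a per-username rule with a single allowed failure minus a whitelist. The per-IP threshold of 5, the whitelist entries, the user names and all addresses are assumptions for the demonstration, not Syspeace defaults. It needs PowerShell 3.0 or later.

```powershell
# Added example, not Syspeace's own code. Demonstrates the "one account, many
# sources" pattern and how a per-IP rule and a per-username rule react to it.
# Thresholds, names and addresses below are assumptions for the demonstration.

# Constructed failed-logon records (the TargetUserName and IpAddress fields of
# event ID 4625). On a live server these come from Get-WinEvent on the
# Security log; here they are embedded so the script runs offline.
$failed = @(
    [pscustomobject]@{ Time = '2012-09-20 01:00:05'; User = 'administrator'; Ip = '198.51.100.10' }
    [pscustomobject]@{ Time = '2012-09-20 01:00:09'; User = 'administrator'; Ip = '198.51.100.10' }
    [pscustomobject]@{ Time = '2012-09-20 01:01:13'; User = 'administrator'; Ip = '203.0.113.7'   }
    [pscustomobject]@{ Time = '2012-09-20 01:02:41'; User = 'administrator'; Ip = '192.0.2.55'    }
    [pscustomobject]@{ Time = '2012-09-20 01:03:02'; User = 'administrator'; Ip = '192.0.2.56'    }
    [pscustomobject]@{ Time = '2012-09-20 01:04:19'; User = 'administrator'; Ip = '203.0.113.8'   }
    [pscustomobject]@{ Time = '2012-09-20 01:05:30'; User = 'administrator'; Ip = '10.0.0.25'     }  # the real admin mistyping a password
    [pscustomobject]@{ Time = '2012-09-20 01:06:12'; User = 'jsmith';        Ip = '10.0.0.40'     }  # unrelated LAN typo
)

# Default-style rule: block an address once it has failed $Threshold times.
function Get-PerIpBlocks ($Events, [int]$Threshold = 5) {
    $Events | Group-Object Ip | Where-Object { $_.Count -ge $Threshold } |
        Select-Object -ExpandProperty Name
}

# The targeted pattern: one account name, many distinct sources, few tries each.
function Find-TargetedAccounts ($Events, [int]$MinSources = 3) {
    $Events | Group-Object User | ForEach-Object {
        $ips = @($_.Group | Select-Object -ExpandProperty Ip -Unique)
        [pscustomobject]@{ User = $_.Name; Attempts = $_.Count; DistinctIps = $ips.Count }
    } | Where-Object { $_.DistinctIps -ge $MinSources }
}

# Per-username rule with one allowed failure: every address that failed on the
# account is blocked, except those whitelisted because the account normally
# logs in from them (so the real admin's typo does not lock them out).
function Get-PerUserBlocks ($Events, [string]$User, [string[]]$Whitelist) {
    $Events | Where-Object { $_.User -eq $User -and $Whitelist -notcontains $_.Ip } |
        Select-Object -ExpandProperty Ip -Unique
}

$perIp = @(Get-PerIpBlocks $failed)
"Default per-IP rule (5 failures) blocks $($perIp.Count) address(es)"

"Accounts hit from several sources:"
Find-TargetedAccounts $failed | Format-Table -AutoSize

$blocks = @(Get-PerUserBlocks $failed 'administrator' @('10.0.0.25'))
"Per-username rule (1 allowed failure, whitelist applied) blocks: $($blocks -join ', ')"
```

The whitelist is the part that matters operationally: with one allowed failure, anyone who can make a single failed attempt on the account from a given address gets that address blocked, so the list of addresses the account legitimately uses must be maintained before the rule goes live.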

How Syspeace licensing works

Syspeace licensing – a walkthrough

The licensing model for Syspeace is flexible and easy to use, and has been designed to keep your administrative tasks to a minimum.

First of all, if you haven't already, download a free trial and install it. Your servers are protected from brute force and dictionary attacks within minutes.

Register your account with a valid email address and a license number will be emailed to you.

If you decide to continue using Syspeace to protect your Windows servers (Exchange Server OWA, Citrix, Terminal Server, CRM, RDWeb, SharePoint and so on), then:

Simply log in to the Syspeace licensing site with the email address you used when registering and buy your license. The trial license you have been using is automatically converted into a live license the next time your Syspeace client validates the license or the service is restarted.

So there is no need to change the license number; you already have it.

A main feature of the Syspeace licensing model is flexibility – rethinking application licensing models

Instead of having to buy, for instance, a one-year license per server at a time (which is not uncommon), or having to buy a new or upgrade license whenever a major release comes out, you buy licenses based on computer days and for as many servers as you want.

As an example: if you have a server today and want a "classic" one-year license for it (everyone tends to think in terms of one-year licenses), you log in to the site, get your license and you're good to go.

Two months later you buy another server, and of course you want that server to be protected from brute force and dictionary attacks as well.

Usually this would put you in the situation of having two different license renewal dates to remember, which is just a hassle for everyone.

With Syspeace, you simply log in and extend your existing license by 10 months and to two servers. Both servers now renew on the same date, which simplifies your administration.

With Syspeace, minor and major upgrades, new versions and patches are all included in the license.
Should we release new features or a new major version, it is already included.
There is no need to buy a license for version 1 thinking all is well and then, when version 2 comes along, realize you have to buy an upgrade license to use the new features.

Moving Syspeace licenses between servers

Another feature that makes your life easier.

Within the licensing section of Syspeace there is a "Reset license" button. Press it and the license is reset on the local server, and the server is removed from the central database along with its affiliation to the license number.

The next step is to install Syspeace on the new server, activate your license key and you're good to go.

How to set up Syspeace for RDP – intrusion prevention for Windows servers

This post is actually based on some of the search terms that have led people to this blog.

So,

how to setup syspeace for rdp

..
Actually, it might take you longer to read this blog entry than to set it up.

1. Go to the Syspeace website and download the software from /downloads.aspx

2. Read the requirements in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server 2008 and so on. (We are currently working on Windows Server 2012 validation. We have tested it successfully, but in certain scenarios the source IP address is not recorded in the event log, so there is nothing to block. This is a Windows Server issue.)
.NET 4 (if not installed, it will be installed for you)
1 GB free disk, minimum 500 MB RAM.
Auditing
Auditing of failed and successful logons must be switched on in the local security policy or in the domain group policy. This generates the events in the Security event log that Syspeace listens for; without failure auditing there are no failed-logon events and nothing for Syspeace to react to.
Firewall
The built-in Windows Firewall must be up and running.

3. Install Syspeace, which is quite straightforward.

4. Start the GUI and enter a valid email address to get your 30-day free trial license key emailed to you. This email address is also the account email you need to use when purchasing the license.

5. Paste the license number and the GUI will start.

6. By default, the Syspeace service is NOT started.

7. Click the Settings button and review the default rule (called the "Catch all" rule), and also set up messaging for blocked attacks (whom to alert, whom to email license information, and so on).

8. Close the Settings section, click the START button and you're done.

Now your Windows server is protected from brute force and dictionary attacks against your Exchange webmail (OWA), Terminal Servers on RDP (terminal services, remote desktop services, RemoteApp sessions) and the web interface called RDWeb, your SharePoint login, your Citrix server, Winlogon and more.

There's really not much more to it.
Since Syspeace's intrusion prevention monitors the Windows Server event log, it doesn't matter if you have set up RDP on another port. If a proxy or load balancer terminates the client connections, keep in mind that the event log records the proxy's address as the source of every failed logon, so whitelist that address rather than letting a burst of failures from it block every user behind it. Syspeace is host-based (a HIDS-style host intrusion prevention system), eliminating the need for separate hardware, expensive consultants and redesigning your infrastructure.
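Before pressing START, it is worth confirming that the prerequisites from step 2 are actually met and that failed logons land in the Security log with a usable source address. The following is an added PowerShell example, not part of Syspeace or of this post, to be run in an elevated prompt on the server; it assumes Windows Server 2008 R2 or later with PowerShell 3.0, and the one-hour window and the `Get-RecentFailedLogon` function name are choices made for the example.

```powershell
# Added example, not Syspeace's own code. Verifies the prerequisites (logon
# auditing, Windows Firewall) and shows what Syspeace has to work with by
# reading recent failed logons (event ID 4625) from the Security log.
# Run in an elevated PowerShell on the server (PowerShell 3.0+ assumed).

# 1. Auditing. Failed logons are only written as event 4625 when failure
#    auditing is enabled for the Logon subcategory; the setup post asks for
#    success auditing too (that is event 4624).
auditpol /get /subcategory:"Logon"
# To switch both on locally (a domain GPO will override this on the next refresh):
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. Firewall. The Windows Firewall service (MpsSvc) must be running and the
#    profiles must be on.
Get-Service MpsSvc | Select-Object Status, DisplayName
netsh advfirewall show allprofiles state

# 3. Proof: the last hour of failed logons with target account, source address
#    and logon type. An IpAddress of '-' means that logon path did not record
#    the client address (the Windows Server 2012 caveat in the requirements),
#    and there is then nothing for a host-based blocker to block.
function Get-RecentFailedLogon ([int]$Hours = 1) {
    # Get-WinEvent throws when no events match, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                     StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in the EventData section of the event XML.
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Ip        = ($d | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            LogonType = ($d | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        }
    }
}

Get-RecentFailedLogon | Format-Table -AutoSize
```

If the third step prints nothing even though you have just tried a wrong password against RDP or OWA, auditing is the first thing to revisit; if it prints rows whose Ip column is '-', the blocker has no address to act on for that logon path.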

Just sit back and start receiving reports and emails when an attack is blocked, tracked and reported.

About Syspeace and its background

By Juha Jurvanen
Senior IT consultant in backup, IT security, server operations and cloud

Juha Jurvanen, Product Manager @ Syspeace; CTO and Cloud Architect @ Red Cloud iT; independent consultant in backup, server operations, security and cloud @ JufCorp

The goal of Syspeace is to simplify security management and prevent brute force hacking, primarily in Microsoft Windows Server environments. It is aimed at system administrators who manage servers, either their own or for external customers, or even in data centers such as cloud service providers.
Syspeace automatically handles intrusion and brute force attempts (event ID 4625) on Microsoft Exchange servers (including the OWA interface and the receive connectors), Microsoft Terminal Servers and basically any Windows server that uses Windows authentication, such as SharePoint, Exchange, Terminal Server, Citrix, SQL Server and so on, around the clock.

Background and history
The background of the product is that within the Swedish-based cloud service rCloud Office from Red Cloud IT, where I was the Cloud Architect and CTO, I realized how many excessive login attempts generating event ID 4625 (failed login, unknown username or password) there really were from all around the world, and that the administration of this needed to be automated and security tightened, since no brute force prevention is built into Windows. I also quickly realized that none of the other cloud service providers had any of this in place, and this scared me.

A single attack could result in 5000-6000 login attempts and go on for 2-3 hours. This was a waste of bandwidth, server RAM and CPU, since each login attempt had to be validated, and there was always the fear of someone actually succeeding in logging in, or of a user account being locked out deliberately just to cause a DoS of the services.

For each brute force attempt most of the labour was manual and time consuming:

  • First, the log files had to be checked in the Windows Server event log.
  • Second, the incoming IP address had to be blocked manually in the firewall.
  • As a third step, the attacker had to be traced with TRACERT, NSLOOKUP and WHOIS to determine where it originated and to decide whether it was suitable to handle as a police matter or not.

At night no one could actually handle an attack, so it would be dealt with the next day, which left us vulnerable during off-hours.

Of course this manual labour took quite some time, and the realization came quickly that it would become an absolute nightmare in the end if something wasn't done. All customers expect these countermeasures to be in place.

The need arose for something that would automatically block the intrusion attempt and notify us of the IP address and where the attack was made from.

I started searching the Internet for a cost-effective, easily administered solution with a graphical interface that was still effective.

There were a few simple script solutions out there but unfortunately none of them really matched what was to be accomplished, i.e. block the intrusion attempt based on rules, track down the attacker geographically, unblock the IP automatically and report the attack.

It had to have the ability to easily manage WHITE LISTS and preemptive BLACK LISTS, handle SMTP AUTH attacks and quite a few other features as well that just couldn't be accomplished with scripts. It had to be easy to use, with a graphical management interface to keep administration and the learning process to a minimum, and the autoblocker had to run as an integrated Windows service for optimal performance.

The idea and concept take shape

I came up with an idea and a concept for how to get the job done, wrote down a few technical ideas and specs, wrote some proofs of concept, thought about the idea and how to actually accomplish it, and came across the guys of the Syspeace development team at Treetop, and work began. Since I'm not a developer myself, I thought I'd leave the hardcore development to people who actually know what they're doing.
I'm the guy with concepts and ideas, but when it comes to actually writing code... well, I'm not a first-hand choice. I've got a few more ideas up my sleeve, but let me get back to you on that 🙂

After the first alpha test we also quickly realized we needed to add some more intelligence to it. For instance, if an IP fails to log in x number of times during x amount of time and then succeeds, the system shouldn't remember it as a possible attacker and block it further down the road for a failed attempt. People are still human and sometimes type in the wrong password. A lot of work has been put into the intelligence "under the hood" of Syspeace.

We also realized that the software works just as well protecting your servers from LAN connections, giving you a better understanding of what really goes on with your users, and whether someone on your LAN is trying to access resources they're not supposed to or has been infected with some kind of brute force virus.

Syspeace today

Today we get an email stating where the attack originated (the DNS name if found, the IP address and the country). We have reporting, separate mail notifications depending on events, and we are adding more features all the time.

We also get the username that was tried, which is extremely helpful since we can immediately see whether it is just a "background noise" attack or specifically targeted, or even worse, a competitor trying to log in to the central systems without explicit permission or an ex-employee/ex-customer trying to access an account they are no longer authorized to use.

See for yourself and download a free trial

Have a look at the Syspeace website to see what we came up with and download a free trial for yourself.

So far Syspeace has successfully blocked over 2.5 million brute force attacks worldwide, and I dare say it has decreased the workload for quite a few system administrators out there.
Syspeace supports Windows Server 2003 – 2012 R2.

Juha Jurvanen

Senior IT consultant in backup, IT security, server operations and cloud

Syspeace - brute force protection for Windows servers

175 000 + brute force attacks on Windows automatically blocked so far by Syspeace

We had a look at the numbers the other day, and since July 15th we have successfully helped system administrators avoid over 175 000 brute force attempts on Windows servers worldwide.

One of the key features in Syspeace is the GBL (Global Blacklist), which automatically analyzes and weighs every attack on every Syspeace installation and distributes the addresses deemed too recurring to all other installations, so that every Syspeace-protected server is preemptively protected when the attacker comes to visit.

Syspeace is designed to automatically block, trace and report the brute force attack, giving system administrators less of a headache with all the manual steps that otherwise have to be done for each attack. This means lower costs for administration and security work.

We thought it might be worth mentioning.

Download your own free 30 day trial at /downloads.aspx

Cheers

Juha Jurvanen and the Syspeace team

New Syspeace 1.1.30 with brand new analysis feature released

Hi everyone.
As always, we are trying to come up with new ideas and implement things that have been on our roadmap for a long time.

Today we've released a new version of Syspeace with a few new features.

The major news is a new feature in the Attack Control section for further analysis.

The analysis section enables you to create reports on specific IP addresses, usernames or domains, or do the reverse, i.e. find all entries that are NOT from a specific IP address, domain or username. You can also filter out only the successful logins or only the failed ones.

As a side note, we are also happy to tell you that since July 15th we have helped you block 73 000+ brute force attempts, gathered and classified them, added some of them to the GBL that we introduced in 1.1.10, and thus helped you be preemptively defended by distributing this to all the other Syspeace installations around the world.

ABOUT OLDER VERSIONS

Those of you still running an older version (prior to 1.20): we highly recommend that you have a look at the newer versions and what we've put in there.

Here's a list of what we've been up to so far:

Date   Version  Updates
19/9   1.1.30   Upgraded the Attack Control: improved search and added analysis of login statistics.
11/9   1.1.23   Fixed a bug where new installations had problems with the reporting feature.
10/9   1.1.22   Updated the registration process in the GUI.
4/9    1.1.21   Fixed an e-mail bug.
3/9    1.1.20   Added daily and weekly reporting.
7/8    1.1.10   Added the global blacklist.
29/7   1.1.5    Fixed SMTP to work with Gmail.
15/7   1.1.0    First version! Basic functionality for securing a server from unauthorized login attempts.

To download the newest version for trial or purchase, please visit the Syspeace download page.

As we stated earlier, the older version will run until 2012-12-31, but maybe you would be interested in the new features we've added?

For anyone running 1.20+, we highly recommend upgrading if you have the possibility, since we have also taken care of some minor bugs in the Global Blacklist function.


ABOUT THE FUTURE OF SYSPEACE AND OUR ROADMAP

Our roadmap for the near future is to start looking more closely into a Windows Server 2003 version, since it has been frequently requested by you.

While on the subject of our roadmap!

We've decided to start using UserVoice to gather your input, ideas and feature requests.

You're all welcome to join us and share your ideas there.

The ones that get the highest ratings and scores will of course move faster in our roadmap, since our goal is to make Syspeace something that helps everyone make their everyday Windows server administration easier and more secure.

Have a look at the UserVoice site at http://syspeace.uservoice.com

Of course you're always welcome to email us as well, as you've done before. We're here and we love getting your feedback.

Thanks for taking the time to read this, and have a peaceful, brute force-free day!

Cheers
Juha Jurvanen & The Syspeace team