#Syspeace stops due to license server inaccessible on #Windows Server 2003 #infosec

Syspeace service stops because the license server is unreachable on Windows Server 2003

We will add this to the troubleshooting section for Windows Server 2003, but here is why it can happen.

Root certificates are not automatically updated on Windows Server 2003, as Microsoft documents in KB 931125:

http://support.microsoft.com/kb/931125

The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

For Syspeace, the fix is to install the Go Daddy Class 2 root certificate (gd-class2-root.crt) manually into the machine's Trusted Root Certification Authorities store, because the license server's certificate chains to it. It is available from Go Daddy's repository: https://certs.godaddy.com/anonymous/repository.pki. Installing just that one root, rather than the whole root update package, also keeps you clear of the issuer list limit quoted above. Start the Syspeace service again afterwards.
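As an added example (not part of the original post and not Syspeace's own code), here is a PowerShell script that checks whether the Go Daddy Class 2 root is already in the machine's Root store, estimates how close the trusted issuer list is to the 0x3000 limit quoted from the KB article, and optionally imports the root from a downloaded .crt file. It assumes PowerShell 2.0 on the server; the file path is a placeholder for wherever you saved the download.

```powershell
# Added example, not from the original post or from Syspeace. Assumptions: PowerShell 2.0 on
# Windows Server 2003, $CertPath is wherever you saved gd-class2-root.crt, run as Administrator.
param(
    [string]$CertPath = 'C:\temp\gd-class2-root.crt',   # placeholder path (assumption)
    [switch]$Install
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

# 1. Is the Go Daddy Class 2 root already trusted by the machine?
$gdRoots = @($store.Certificates | Where-Object { $_.Subject -match 'Go Daddy Class 2 Certification Authority' })
if ($gdRoots.Count -gt 0) {
    foreach ($c in $gdRoots) { "Present: $($c.Subject) thumbprint $($c.Thumbprint) expires $($c.NotAfter)" }
} else {
    'Go Daddy Class 2 root NOT found in LocalMachine\Root; TLS to a host with a Go Daddy-issued certificate will fail chain validation.'
}

# 2. Rough size of the issuer list Schannel would send in a handshake that asks the client for a
#    certificate: one 2-byte length prefix plus the DER-encoded subject name per trusted root.
$issuerListBytes = 0
foreach ($c in $store.Certificates) { $issuerListBytes += 2 + $c.SubjectName.RawData.Length }
$limit = 0x3000
"Estimated trusted issuer list: $issuerListBytes bytes (Windows Server 2003 limit: $limit bytes)"
if ($issuerListBytes -gt $limit) {
    'Warning: the issuer list would exceed 0x3000 bytes and be truncated (see Schannel event ID 36885).'
}
$store.Close()

# 3. Optional: import the downloaded root into LocalMachine\Root.
if ($Install) {
    if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    # A root must be self-signed; refuse anything else so an intermediate never lands in Root.
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed root certificate: $($cert.Subject)" }
    $rw = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $rw.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $rw.Add($cert)
    $rw.Close()
    "Imported $($cert.Subject) (thumbprint $($cert.Thumbprint)) into LocalMachine\Root"
}
```

Run it elevated and pass -Install once you have downloaded gd-class2-root.crt. The size estimate in step 2 only matters if the 2003 box itself acts as a TLS server that requests client certificates, since that is when Schannel sends the issuer list; Syspeace's outbound connection to the license server is not affected by it, which is why adding the single root you need is preferable to installing the whole root update package.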

#infosec #Syspeace for intrusion prevention for #windowsserver instead of specific applications or services such as #FileZilla FTP Server or #WordPress

Syspeace for intrusion prevention for the entire server instead of specific applications or services such as FileZilla Server

If you manage a server that hosts various applications and services, all of them are reachable by your users and customers, and most likely they are also reachable by anyone else who wants to try to log in.

To keep costs down you may be running a Terminal Server (Remote Desktop Server) and, for instance, a FileZilla FTP Server to ease file transfers (or the Microsoft IIS FTP server; my hunch is that these two are the most common ones in a Windows Server environment), plus a web interface for the remote applications, and so on. There may be other services on the same server or servers as well.

Built-in intrusion prevention in applications and in Windows Server

Some software has brute force prevention built in, such as FileZilla FTP Server (keep in mind that it is not enabled by default), and other installed software may have its own. Windows Server itself has no such mechanism; there are quite a few articles on this blog explaining how these attacks work, such as the one about securing your Exchange OWA.

An attacker will first port scan your server, look for open ports and try to figure out which services and applications you are running on them. Even if you have changed the default ports, the application will often reveal what it is and which version it runs in its banner.

You can, for instance, simply open a telnet session to the port in question and see what your applications reveal about themselves.
Start a telnet client and connect to the port you are interested in, such as port 25 for SMTP (email) or port 21 for FTP, and you will probably get at least some information about what is running on the server. To gather more detailed information you would use a tool like nmap (its -sV service and version detection does exactly this against every open port).
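As an added example (not from the original post), here is a small PowerShell banner grabber that does what the telnet check above does, for several ports in one go. The target and port list are placeholders (it defaults to the local machine); run it only against servers you are authorised to test.

```powershell
# Added example, not from the original post. Assumptions: $Target and $Ports are placeholders
# you set to your own server; 3 second timeouts are arbitrary.
param(
    [string]$Target = '127.0.0.1',
    [int[]]$Ports = @(21, 22, 25, 80, 110, 143, 443, 3389)
)

function Get-Banner {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port does not hang the script for the OS default.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'closed or filtered (connect timeout)' }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        # HTTP says nothing until asked; a HEAD request makes most web servers return a Server header.
        if ($Port -eq 80 -or $Port -eq 8080) {
            $req = [System.Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.0`r`nHost: $ComputerName`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
        }
        $buf = New-Object byte[] 1024
        $n = 0
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { $n = 0 }   # read timeout = silent service
        if ($n -le 0) { return 'open, but silent until the client speaks (e.g. TLS, RDP)' }
        return [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
    } catch {
        return "error: $($_.Exception.Message)"   # e.g. connection refused
    } finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    $banner = (Get-Banner -ComputerName $Target -Port $p) -replace "`r?`n", ' | '
    '{0,5}/tcp  {1}' -f $p, $banner
}
```

An FTP or SMTP service normally announces itself in its 220 greeting, which is exactly what an attacker's scanner records; protocols such as TLS (443) and RDP (3389) wait for the client to speak first, so the script only reports them as open. If a banner shows a product name and version, check whether the service lets you change or suppress it.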

After that, they will simply use automated scripts to try to log in. If one service blocks them, for instance FileZilla FTP Server, they move on to the next port or service, such as the RDWeb interface for Remote Desktop and RemoteApp, and continue the attack, since so far they have only been blocked at the FTP level (usually port 21). There is a previous article describing parts of the anatomy of a hacking attack, written by Juha Jurvanen.

If you host multiple applications and services on a server and each of them has brute force prevention built in, each will only block the attack within its own part of the system.
FileZilla will block the brute force on FTP, but nothing else.

Using Syspeace as your HIPS (Host Intrusion Prevention System) for Windows Servers

A key difference when using Syspeace as a HIPS (Host Intrusion Prevention System) is that once an attacker triggers any of its detectors, it blocks the attacker's address entirely, on all ports (even ping), so the attacker cannot communicate with the server at all and every other service running on it is protected automatically. Since the block is keyed on the source address, keep in mind that everyone behind the same NAT gateway as the attacker is blocked with them.
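As an added example, and not Syspeace's own code, here is the host-level idea of this paragraph reduced to a PowerShell script: count failed logons per source address from Security event 4625 and, above a threshold, add one inbound Windows Firewall rule that blocks that address on every protocol and port, so FTP, RDP, RDWeb and ping disappear for the attacker at once. It assumes Windows Server 2008 or later (event 4625, netsh advfirewall); the threshold, the rule name prefix HostBlock_ and the sample events are my own choices, and the sample events are constructed so the script runs offline in dry-run mode.

```powershell
# Added example, not Syspeace's code. Assumptions: Windows Server 2008 or later (event 4625 and
# netsh advfirewall), run as Administrator when using -Apply; threshold and rule name are arbitrary.
param(
    [int]$Threshold = 5,   # failed logons from one address before it is blocked (assumption)
    [switch]$Apply         # without -Apply the script only reports what it would block
)

function Get-FailedLogonSources {
    param([string[]]$Messages)
    $counts = @{}
    foreach ($m in $Messages) {
        # Event 4625 reports the peer as "Source Network Address: <ip>" ("-" when there is none).
        if ($m -match 'Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})') {
            $ip = $matches[1]
            if ($ip -eq '127.0.0.1') { continue }
            if ($counts.ContainsKey($ip)) { $counts[$ip] += 1 } else { $counts[$ip] = 1 }
        }
    }
    return $counts
}

function Get-Offenders {
    param([hashtable]$Counts, [int]$Min)
    return @($Counts.Keys | Where-Object { $Counts[$_] -ge $Min } | Sort-Object)
}

function Block-SourceAddress {
    param([string]$Ip, [switch]$Apply)
    # One inbound rule, any protocol, any port: the server goes dark for that address, ICMP included.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=HostBlock_$Ip",
                   'dir=in', 'action=block', "remoteip=$Ip", 'protocol=any', 'enable=yes')
    if ($Apply) {
        & netsh.exe $netshArgs | Out-Null
        return "blocked $Ip on all ports"
    }
    return "dry run: netsh $($netshArgs -join ' ')"
}

# Constructed sample messages in the 4625 layout: one address over the threshold, one under,
# one local logon failure with no network peer. Real input would come from
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddMinutes(-30) } |
#       ForEach-Object { $_.Message }
$sample = @()
foreach ($i in 1..7) {
    $sample += "An account failed to log on.`r`nAccount Name:`tadministrator`r`nSource Network Address:`t203.0.113.45`r`nSource Port:`t$(51000 + $i)"
}
foreach ($i in 1..3) {
    $sample += "An account failed to log on.`r`nAccount Name:`tftpuser`r`nSource Network Address:`t198.51.100.7`r`nSource Port:`t$(40000 + $i)"
}
$sample += "An account failed to log on.`r`nAccount Name:`tjuha`r`nSource Network Address:`t-`r`nSource Port:`t-"

$counts = Get-FailedLogonSources -Messages $sample
foreach ($k in ($counts.Keys | Sort-Object)) { '{0,-16} {1,3} failed logons' -f $k, $counts[$k] }
foreach ($ip in (Get-Offenders -Counts $counts -Min $Threshold)) { Block-SourceAddress -Ip $ip -Apply:$Apply }
```

With the sample data and the default threshold, 203.0.113.45 (7 failures) is reported for blocking and 198.51.100.7 (3 failures) is not. Without -Apply the script only prints the netsh command it would run; a block is removed later with netsh advfirewall firewall delete rule name=HostBlock_<ip>. Windows Server 2003's netsh firewall context has no per-address block rule and logs failed logons as event 529 rather than 4625, so on 2003 the enforcement step has to be done differently, for instance with IPsec filters. Syspeace's tracking, reporting and Global Blacklist are not part of this skeleton.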

To illustrate this with something in the "real" world:
If you have a house with multiple doors, an attacker would try their key card in one door until an alarm is triggered and they have to move on, but only from that specific door.
They would then try the key card on the next door, and so on.
With Syspeace, they could only try the key card on the first door until the alarm is triggered; after that they are automatically prevented from even trying it on any of the other doors, because the doors have "magically" disappeared for them and are out of reach. It is as if the building itself had vanished for them.

Download the fully functional, free Syspeace trial for intrusion prevention, even if you are already under a brute force or dictionary attack

Have a look at the Syspeace website and try the fully functional trial to see how easily and quickly it can protect your server from brute force attacks. We have had users download Syspeace and deploy it in minutes in the middle of a dictionary attack, letting Syspeace block, trace and report the attack automatically. Since the trial is fully functional and free, and setting it up takes only a few minutes, it is an easy way to handle an ongoing attack.

Syspeace supports Windows Server 2003 and later (including the Small Business Server editions), SQL Server, Remote Desktop, Exchange Server, SharePoint, Exchange OWA, RDWeb, Citrix and more, out of the box. It also supports Windows 7 and Windows 8, but please refer to this article on when Syspeace is actually useful for you and when it is not.

Syspeace has blocked more than 3 126 500 brute force and dictionary attacks targeted against Windows Servers worldwide.

The Syspeace team has also developed a FileZilla FTP Server detector, currently in beta, and a Microsoft IIS FTP detector.
We have also released a detector for self-hosted WordPress, and the Syspeace API for PHP and .NET, so that our users can add intrusion prevention to their own applications instead of having to build it from scratch.
The Syspeace API can also be used to protect specific websites if you host multiple websites.

#infosec #cloudsecurity #Syspeace – Host Intrusion Prevention Software on an external #Windowsserver #VPS in the #Cloud #IaaS #PaaS

Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud

There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds, some are hybrids and some are private.
There is also the possibility of renting an external VPS and using it as a server; quite a few providers offer this nowadays.

The IaaS/PaaS (Infrastructure as a Service / Platform as a Service) provider gives you access to a virtual server sized to your needs in terms of RAM and storage. Basically, it is usually an empty server with an operating system. (Strictly speaking this describes IaaS; with PaaS the provider also runs the operating system, but the point below about who watches your logins is the same.)

Running IT solutions on an external VPS reduces the need for hardware investments, but there are still things you need to consider, and you need to manage your server the same way you would any physical server in terms of monitoring security and the availability of services and applications.

Logically, the server is reachable from the Internet, which makes it a target.
Anything that is reachable will be targeted for intrusion attempts. The IaaS/PaaS provider's responsibility is simply to provide the hypervisor needed to host your operating system; the rest is up to you. You install the applications, web servers and everything else just as you would on a normal physical server.

Some security-aware IaaS/PaaS/Cloud service providers do have some kind of app shop or control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention, but it is not that common.

Remember that your VPS shares IP space with other customers on your provider's network, and you have no idea what your "neighbours" are doing or whether they are the slightest bit security aware.
They may have been hacked without you knowing it (or them either, for that matter), they could have the IP address right next to yours, and their server could be used for instance for port scanning or hacking attempts against your VPS (I have seen this quite a few times now).

Your IaaS/PaaS provider usually would not know, since it is not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more: no security monitoring, no antivirus, no application or service monitoring.
In case of a larger DDoS attack they probably have ways to handle it if it concerns their entire network and affects a lot of their customers, but when it comes to attacks specifically targeted at your VPS and your users on it, it is a bit trickier.

Imagine the scenario: you have set up a server, created your users, installed your applications and services, and it is up and running. Remember that there is no connection between your user database and login mechanisms locally on the VPS and your IaaS/PaaS provider's systems, so they will never get any alarms if someone is trying to brute force your server or your web application. They will be alerted in case of a large DDoS attack against their entire network, but not in case of a brute force attack targeted at your VPS.
So, in short, it is all up to you. There is no difference apart from not running the server in your own datacenter or at a hosting company.

Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts

If you are running a Windows server as a VPS, you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported against the Syspeace Global Blacklist.
You also need to secure the server in other ways: run an antivirus, have your services monitored, and secure your web application's login form both against malicious code and against brute force logins (this is also where Syspeace comes into play, since there are plugins available for various web platforms to use against brute force attacks).

Syspeace is an automated Host Intrusion Prevention System (HIPS) targeted at protecting Windows servers, Exchange and OWA, SharePoint, Terminal Server / RDS and the RDWeb login, Citrix, SQL Server and more from brute force / dictionary attacks. It is easy to install and easy to manage; you set it up in a couple of minutes and you are protected.

As I am writing this, Syspeace has successfully blocked, tracked and reported over 2 921 200 (2.9 million) brute force and dictionary attacks against Windows servers worldwide.

Have a look at the Syspeace website for a free trial download, or keep reading some of the previous articles I have written on various security aspects of server management, such as Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don't work and Securing your #WinServ and #MSExchange with an acceptable baseline security

By Juha Jurvanen @ JufCorp

#infosec Moving #Syspeace licenses between servers

The Syspeace licensing model is flexible and easy to use.

The license you used for the free trial is automatically converted into a live license when you purchase one. You do not need to reconfigure anything.

You decide for yourself whether you want to use Syspeace for a year at a time or, for example, two months, and over how many servers you want to divide the number of computer-days.

You can use the same license number on multiple servers; the central licensing server keeps track of licensing for you, and you can easily extend your existing license.

If you need to move the license from one server to another, simply start the Syspeace GUI, find the reset license button and reset. Install Syspeace on the new server and you are good to go.
Another way is to simply stop the Syspeace service on the old server and install Syspeace on the new server using the same license number.

All updates and new generic detectors are free to download for valid license owners and trial users.

If you are hosting servers or have many servers, the easiest approach is probably to have one Syspeace account and use the same license for all servers, but if you manage multiple external servers for different customers you would probably want a separate Syspeace account for each customer, for instance ACME @ YourCompany.
That way you can easily keep track of the administrative side, such as invoicing.

By Juha Jurvanen @ JufCorp

#infosec Do bruteforce attacks really exist ?

The other day I sat down and just looked at various statistics on how the visitors ended up here in terms of referrers and keyword searches and one of the terms was “do bruteforce attacks really exist ?”.

This made me smile.

Syspeace has so far blocked over 2.77 million brute force attacks against #windowsserver #msexchange #Sharepoint #remotedesktop #Citrix and #SQLServer worldwide, so I dare say they really do exist and they are very common.

We have also published a 30-day list of the most commonly attacked and attacking countries, as reported by Syspeace installations around the world. It might be an interesting read; it can be found at the Syspeace worldwide security status center.

One of the features of Syspeace is the Syspeace Global Blacklist (GBL), which is distributed automatically to all Syspeace installations.
If an attacker is deemed to have attacked X different Syspeace customers Y times, its address is automatically put on the GBL and distributed to all other Syspeace installations, which then preemptively block the attacking IP address from any communication with their servers.

Any #Cloud service provider, #outsourcing or #service provider, or IT tech at a company knows there are hundreds or thousands of intrusion attempts every month, but historically these attacks, also called dictionary attacks, have been very hard to deal with, so in essence they have given up. Some providers or companies do not even bother turning on logging on their servers, simply turning a blind eye to the actual problem. From an operational point of view, a security point of view and the customer's point of view, this is of course not acceptable.

There are some previous posts on this blog on why it has been so difficult, for instance Why firewalls, VPNs, account lockout policies and other brute force prevention methods aren't enough.

Since we launched Syspeace, service providers, cloud providers and companies have a new, cost-efficient, easy to set up and easy to use countermeasure against hacking attempts.

No need to change your infrastructure, hire costly consultants or launch a big, costly project.
Simply download the Syspeace trial, install it in a minute, and your #remotedesktop #msexchange #Sharepoint #windowsserver is protected.
It could not be easier and, frankly, it should be part of any #Windowsserver baseline security, just as you have antivirus, backups and patch management in place.

Enable logging on your Windows server as described in the Syspeace manual and see for yourself whether you are targeted. You might be surprised.
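As an added example (not from the post or the Syspeace manual), this PowerShell script turns on failure auditing for logons and summarises the last 24 hours of failed logons by source address and account, reading the structured event data instead of the localized message text. It assumes Windows Server 2008 or later (auditpol and event 4625) and must run elevated; the 24-hour window is my own choice.

```powershell
# Added example, not from the original post or the Syspeace manual. Assumptions: Windows Server
# 2008 or later (auditpol, event 4625), run as Administrator; the reporting window is arbitrary.
param([int]$Hours = 24)

# 1. Make sure failed logons are logged at all (harmless if already enabled).
auditpol.exe /set /subcategory:Logon /failure:enable | Out-Null

# 2. Pull failed logons and read the EventData fields rather than regex-parsing the message.
$since = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { "No failed logons since $since (or auditing was only just enabled)."; return }

$rows = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        SourceIp  = $d['IpAddress']        # '-' when the failed logon had no network peer
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']        # 3 = network, 10 = RDP, 8 = network cleartext (e.g. IIS basic auth)
    }
})

"Failed logons since $since : $($rows.Count)"
$rows | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $accounts = ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', '
        '{0,-16} {1,5}  accounts tried: {2}' -f $_.Name, $_.Count, $accounts
    }
```

A handful of addresses each trying administrator, admin, test and similar names against RDP (logon type 10) or IIS (type 3 or 8) is the dictionary attack pattern the post describes; the account list per address tells you whether it is one of your own users mistyping a password or a scripted sweep.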

By Juha Jurvanen – Senior IT Consultant @ JufCorp

Image: Syspeace - intrusion prevention for Windows servers