Posts

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange

Syspeace - intrusion prevention for Windows servers

Syspeace website

Is your VPS used for brute force attacks?

or I could also have called this post “Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power inte the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance för servers and have someone else take care of it. Also known as Infrastructure aa a Service or IaaS

The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is simply get rid of the hardware hassle but you still have to take care of the Windows patching and manage security issues as with any Windows serevr (or Linux för that matter) .

There aren’t that many Cloyd services out there that actually will also manage the security and management aspects of your VPS and you really need to think these things through.

The resaon for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted aginst RDP / Terminal Servers servers, Exchange Server and Sharepoint Servers in this case, have been blocked, traced and reported automatically but the big question is whether whoever owns/hires this VPS is actually even aware of what is going on ? Or if it’s hired especially for this purpose? This is actuallt impossible to know.

In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been succesfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hirong the VPS does this on pyrpose or they have no idea that the VPS has been compromised and is used for this hacking activity. I juyt donät knoew. All I know is that it has been cinducting a lot of dicitionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace since you basically have no idea what all of the other customers VPS are really doing in your shared network since you hae no control over them.

Most Cloud Service Provers could inplement Syspeace in their various Applications portals or have a Syspeace installed in their prepared images for customers. If your providers hasn’t implemented Syspeace yet, you can simply download it yourself from /free-download/download-plus-getting-started-with-syspeace/

Your “neighbors” at the Cloud Service could be trying to brute force they way into your VPS and you’d probably wouldn’t have a clue if you haven’t turned on logging and installed a brute foce prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

Syspeace logo

Syspeace logo

Securing Windows Serves with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.

3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.

4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.

7. Have a good monitoring and inventory system in place such as the free SpiceWorks at http://www.spiceworks.com

8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.

9. User Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.

10. If your server is reachable from the Internet, use valifd SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able. Yes, think Mr. Snowden.Think NSA.

11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.

12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering passwords the have all over the world, maybe you could have thme read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and on the topic of online passwords and identities also, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . I you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a pwerful and easy to use bruteforce prtection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

How to setup syspeace for rdp – intrusion prevention for Windows servers

This is actually just a post based on some of the search terms that have led to people finding this blog.

So,

how to setup syspeace for rdp

..
Actually , it might take you longer to read this blogentry than actualy set it up.

1. Go to the Syspeace website and download the software at /downloads.aspx

2. Read the requiremnets in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server SBS 2008 and so on . (We are currently working on the Windows Server 2012 validation and we have tested it successfully but in certain scenarios the source IP address isn’t displayed in the evenlog. This is a Windows Server issue)
.Net 4 (if not installed, it wil be installed for you )
1GB free disk, minimum 500M RAM.
Auditing
Auditing for failed login and successful log in switched on in local security policy or in the group policy for the domain. This will enable events in the event-log that Syspeace listens for.
Firewall
The built-in firewall in Windows must be up and running.

3. Install Syspeace which is quite straight forward

4. Start the GUI and type in a valid mailaddress to get your 30 day free trial license key emailed to you. This emai address is also going to be the account emai you need tp use when purchasing the license.

4. Paste the license number and the GUI will start.

5. By default, the Syspace service is NOT started.

6. Cllick teh Settings button and review the default rules (called the “Catcha all” rule” and alse set up messaging for blocked attacks (whom to alert, whom to emai license inforamtkion and so on )

7. Close the Settings section. Click the “START” butto and you’re done.

Now, your Windows server is instantly protected from brute force and dictionary attacks against youe Exchange Webmail OWA, Terminal Servers on RDP (terminal services, remote desktop services, remote app sessions) and the webinterface called RDWEB, your Sharepoint login , your Citrix server, winlogon services and even more.

There’s really not that much more to it.
Since the intrusion prevention for Syspeace monitor the Windows Server Evnetlog , it doens’t matter if you have set up RDP on other ports or if you are using a proxy. Sysoeace is a HIDS (Host Instrusion Protection System) thus eliminating the need for separate hardware, expensive consulans and redesigning you infrastructure.

Just sit back and start recieving resports and emails when an attack is blocked, tracked and reported.

Preventing and blocking brute force and dictionary attacks in a Windows Server environment with Syspeace

Syspeace is an automated brute force prevention / dictionary attack software that protects Microsoft Windows Servers by monitoring the Windows Authentication mechanisms for unsuccessful logins.

 

This means that you get immediate protection for Microsoft Terminal Server, Citrix, Exchange OWA Webmail , SharePoint, CRM, Terminal Server RDWeb and more, for instance there is also built in protection for Exchange connectors.

Each attack is automatically blocked, tracked and reported and as a system administrator you set up your own rules on when to block and for how long.

Syspeace is easy to install and you’re up & running and protected within minutes of the download. No need for changing your infrastructure, buy costly new appliances or hire specialized consultants.

The Global Blacklist that is shared among all Syspeace installation around the world gives you preemptive protectionfrom well known hackers and ddos attackers, blocking them even before an attack can be initiated.

Syspeace also contain reporting capabilities, giving you the ability to check for failed and successful logins for your servers and separated mail notifcations based on events.

The Syspeace licensing model is very flexible and and targeted to be easily affordable for any company, whether you’re n the SMB segment, a large enterprise or even a large Cloud Service Provider or an outsourcing company.

One of the goals for Syspeace is to become a natural part of every servers installed security mechanisms as part of the baseline security and an important piece of that security work is

Windows 2003 version of Syspeace is underway to also provide brute force and dictiionary atacks prevention for older servers

Try for yourself and see how easy it is

/

Other IT Security aspects

If you’re interested in various aspects of server security questions you might want to check out  http://syspeace.wordpress.com and this blog where there’s quite a few articles on why and how Syspeace can help you with your everyday battle of brute force and dictionary attacks but also a few other guidelines for IT security.

175 000 + brute force attacks on Windows automatically blocked so far by Syspeace

We had a look at the number the other day and since July 15:th we’ve successfully helped system administrators avoid over 175 000 brute force attempts on Windows servers world wide.

One of the key features in Syspeace is the GBL (Global Blacklist) that automatically analyzes and weighs every attack on every Syspeace installation and distributes the ones deemed too recurring to all other installations , thus making each Syspeace protected preemptively when the attacker comes to visit.

Syspeace is designed to automatically block, trace and report the brute force attack , thus giving system administrators less headache with all of the manual steps that has to be done for each attack. This means lower costs for administration and security work.

We thought it might be worth mentioning .

Download your own free 30 day trial at /downloads.aspx

Cheers

 

Juha Jurvanen and the Syspeace team