About Syspeace and its background

By Juha Jurvanen
Senior IT consultant in backup, IT security, server operations and cloud

Juha Jurvanen: Product Manager @ Syspeace; CTO and Cloud Architect @ Red Cloud iT; independent consultant in backup, server operations, security and cloud @ JufCorp

The goal with Syspeace is to simplify security management and prevent brute force hacking, primarily in Microsoft Windows Server environments. It is targeted at system administrators who manage servers, either their own or those of external customers, or even in data centers such as those of cloud service providers.
Syspeace automates the handling of intrusion attempts and brute force attempts (eventid 4625) on Microsoft Exchange servers (including the OWA interface and protecting the receive connectors), Microsoft Terminal Servers and basically any Windows server that uses Windows Authentication, such as Sharepoint, Exchange, Terminal Server, Citrix, SQL Server and so on. Around the clock.

Background and history
The background of the product is that within the Swedish-based cloud service rCloud Office from Red Cloud IT, where I was the Cloud Architect and CTO, came the realization of how many excessive login attempts generating eventid 4625 (failed login, unknown username or password) there really were from all around the world, and that the administration of this needed to be automated and security tightened, since no brute force prevention is built into Windows. I also quickly realized that none of the other cloud service providers had any of this in place, and this scared me.

A single attack could result in 5000-6000 login attempts and go on for 2-3 hours. This was a waste of bandwidth, server RAM and CPU since each login attempt had to be validated, and there was always the fear of someone actually succeeding in logging in, or that a user account could be locked out deliberately just to cause a DoS for the services.

For each brute force attempt, most of the labour was manual and time consuming:

  • First, the log files had to be checked in the Windows Server event log.
  • Second, the incoming IP address had to be manually blocked in the firewall.
  • As a third step, the attacker had to be traced with TRACERT, NSLOOKUP and WHOIS to determine where the attack originated and to decide whether or not it would be suitable to handle it as a police matter.

At night, no one could actually handle an attack, so it would be managed the next day, which left us vulnerable during off-hours.

Of course this manual labour took quite some time, and the realization came quickly that it would become an absolute nightmare in the end if something wasn’t done. All customers expect these countermeasures to be in place.

The need popped up for something that would automatically block the intrusion attempt and notify us of the IP address and from where the attack was made.

I started searching the Internet for a cost-effective, easily administered and yet effective solution with a graphical interface.

There were a few simple script solutions out there but unfortunately, none of them really matched what was to be accomplished, i.e. blocking the intrusion attempt based on rules, tracking down the attacker geographically, unblocking the IP automatically and reporting the attack.

It had to have the ability to easily manage WHITE LISTS and a preemptive BLACK LIST, handle SMTP AUTH attacks and offer quite a few other features as well that just couldn’t be accomplished with scripts. It had to be easy to use, with a graphical management interface to keep the administration and the learning process to a minimum, and the autoblocker had to run as an integrated Windows service for optimal performance.

The idea and concepts take shape

I came up with the idea and a concept on how to get the job done, wrote down a few technical ideas and specs, wrote some proofs of concept and thought about the idea and how to actually accomplish it. Then I came across the guys of the Syspeace development team at Treetop, and work began. Since I’m not a developer myself, I thought I’d leave the hardcore development to people who actually know what they’re doing.
I’m the guy with concepts and ideas but when it comes to actually writing code.. well.. I’m not a first hand choice. I’ve got a few more ideas up my sleeve but let me get back to you on that 🙂

After the first alpha test we also quickly realized that we needed to add some more intelligence to it. For instance, if an IP fails to log in x number of times during x amount of time and then succeeds, the system shouldn’t remember it as a possible attacker and block it further down the road for a failed attempt. People are still human and sometimes people type in the wrong password. A lot of work has been put into the intelligence “under the hood” of Syspeace.
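The rule described above (block an IP after x failed logins within a time window, but forget its earlier failures once it logs in successfully), sketched as an added example. It is not Syspeace's code; the threshold, window, whitelist, the constructed sample events and the use of Windows event ID 4624 for successful logons are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # event ID named in the article
SUCCESS_LOGON = 4624  # Windows "successful logon" event ID (not from the article)

def find_blocks(events, threshold=5, window=timedelta(minutes=10), whitelist=()):
    """Return {ip: time the block would trigger}.

    events: (timestamp, event_id, source_ip, username) tuples sorted by time.
    threshold, window and whitelist are assumed values for illustration.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logons
    blocked = {}
    for ts, event_id, ip, _user in events:
        if ip in whitelist or ip in blocked:
            continue
        if event_id == SUCCESS_LOGON:
            failures.pop(ip, None)  # a good logon clears earlier typos
        elif event_id == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold:
                blocked[ip] = ts
    return blocked

def _ev(minute, second, event_id, ip, user):
    return (datetime(2024, 1, 1, 3, minute, second), event_id, ip, user)

# Constructed sample events (documentation-range IPs, made-up usernames).
SAMPLE_EVENTS = sorted(
    [_ev(0, s, 4625, "203.0.113.7", "administrator") for s in range(0, 12, 2)]
    + [_ev(1, s, 4625, "198.51.100.20", "anna") for s in (0, 20, 40, 50)]
    + [_ev(2, 10, 4624, "198.51.100.20", "anna")]
    + [_ev(3, s, 4625, "198.51.100.20", "anna") for s in (0, 30)]
    + [_ev(4, s, 4625, "192.0.2.10", "svc-backup") for s in range(6)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for ip, when in find_blocks(SAMPLE_EVENTS, whitelist={"192.0.2.10"}).items():
        print(f"block {ip} at {when:%H:%M:%S}")
```

In the sample, the user who mistypes a password four times, logs in, and later mistypes twice more is never blocked, while the source producing six failures in ten seconds is.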

We also realized that the software works just as well protecting your servers from LAN connections, giving you a better understanding of what really goes on with your users, and of whether someone on your LAN is trying to access resources they’re not supposed to or has been infected with some kind of brute force virus.

Syspeace today

Today, we get an email stating from where the attack originated (the DNS name if found, the IP address and from which country the attack originated). We’ve got reporting, separated mail notifications depending on events and we’re adding more and more features all the time.

We also get the username that was tried, which is extremely helpful since we can immediately see if it is just a “background noise attack” or if it is targeted specifically or, even worse, a competitor is trying to log in to the central systems without explicit permission, or an ex-employee/ex-customer is trying to access an account that they are no longer authorized to use.

See for yourself and download a free trial

Have a look at the Syspeace website to see what we came up with and download a free trial for yourself.

So far Syspeace has successfully blocked over 2,5 Million brute force attacks worldwide and I dare say it has decreased the workload for quite a few system administrators out there.
Syspeace supports Windows Servers 2003 – 2012 R2.

Juha Jurvanen

Senior IT consultant in backup, IT security, server operations and cloud
