#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange

Syspeace - intrusion prevention for Windows servers
Syspeace website

Is your VPS used for brute force attacks?

or I could also have called this post ”Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computer power in the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance for servers and have someone else take care of it. This is also known as Infrastructure as a Service, or IaaS.

The problem, though, is that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is get rid of the hardware hassle, but you still have to take care of the Windows patching and manage security issues as with any Windows server (or Linux, for that matter).

There aren’t that many Cloud services out there that will actually also manage the security and management aspects of your VPS, and you really need to think these things through.

The reason for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted against RDP / Terminal Servers, Exchange Servers and Sharepoint Servers in this case, have been blocked, traced and reported automatically, but the big question is whether whoever owns or hires this VPS is even aware of what is going on. Or is it hired especially for this purpose? This is actually impossible to know.

In this specific case this VPS has been going on and on for a while, and it has targeted at least 5 different customers of mine with Syspeace installed and at least 12 servers.
All attacks have been successfully blocked, tracked and reported, and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and be propagated to all other Syspeace installations around the world, where it will be blacklisted as well, thus securing them preemptively from any brute force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on, since it’s not really their responsibility. Maybe the user / customer hiring the VPS does this on purpose, or maybe they have no idea that the VPS has been compromised and is being used for this hacking activity. I just don’t know. All I know is that it has been conducting a lot of dictionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it like any other server.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct, and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace, since you basically have no idea what all of the other customers’ VPSs in your shared network are really doing, as you have no control over them.

Most Cloud Service Providers could implement Syspeace in their various application portals or have Syspeace installed in their prepared images for customers. If your provider hasn’t implemented Syspeace yet, you can simply download it yourself from http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/

Your ”neighbors” at the Cloud Service could be trying to brute force their way into your VPS, and you probably wouldn’t have a clue if you haven’t turned on logging and installed brute force prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

#infosec Securing your #WinServ and #MSExchange with an acceptable baseline security

Securing your Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think through all of the items in the list below.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is, but you might use this as some kind of checklist, together with the links provided in this post.


Securing Windows Servers with an acceptable baseline security

1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java, Office and really any software. This reduces the risk of so-called 0day attacks or your server being compromised through software bugs.

2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F-Secure PSB for servers and workstations, for lots of reasons. It’s not just a pretty logo.

3. Verify that you have thought through your file and directory access structure, and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool for securing your server, and a crucial one.

4. Always make sure to read best practices for securing applications and servers, and Google for other ideas as well. No manual is the entire gospel.

5. Enable logging. If you don’t know what’s happening, you can’t really react to it, can you? It also makes any troubleshooting in retrospect hopeless.

6. Have a good monitoring and inventory system in place, such as the free SpiceWorks at http://www.spiceworks.com

7. If your server has any monitoring agents from the manufacturer, such as HP Server Agents, then install them and set them up with notifications for any hardware events so you’re prepared.

8. Use Group Policies. It’s an extremely powerful tool once you start using it, and it will make your day to day operations much easier.

9. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive, and any communications should be encrypted and secured as far as we’re able. Yes, think Mr. Snowden. Think NSA.

10. Disable any unused services and network protocols. They can be a point of entry, and with unused network protocols you basically fill your local network with useless chatter that consumes bandwidth. This also goes for workstations, printers and so on.

11. Enforce complex password policies! You won’t be well-liked, but that’s not what you get paid for.
If people are having trouble remembering the passwords they have all over the world, maybe you could have them read this
http://jufflan.wordpress.com/2012/11/03/remembering-complex-online-passwords/ and, on the topic of online passwords and identities as well, http://jufflan.wordpress.com/2012/11/03/reflections-on-theft-and-protection-of-online-identity-on-the-internet-who-are-you/

12. Use a good naming standard for user logins. Not just their first name as login, or something too obvious. Here’s an old blog post on why: http://syspeace.wordpress.com/2012/10/21/securing-your-webmailowa-on-microsoft-exchange-and-a-few-other-tips/

13. Backups! Backups! And again: BACKUPS!!
Make sure you have good backups (and test them at least once a year with a complete disaster recovery scenario), and make sure you have multiple generations of them in case any of them is corrupted, preferably stored offsite in some manner in case of fire, theft or anything else really.
For day to day operations and generation management I highly recommend using the built-in VSS snapshot method, but never ever have it instead of backups.
You can also use the built-in Windows Server Backup for DR, as described here: http://jufflan.wordpress.com/2013/07/15/using-windows-server-backup-20082008-r2-for-a-disaster-recovery-from-a-network-share/

14. You need to have automatic intrusion protection against brute force and dictionary attacks with Syspeace, since the ”classic” methods do not get the job done. Here’s an older blog post on why: http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/ . If you don’t have the time to read the article, then simply download the free Syspeace trial, install it, and you’ve set up powerful and easy to use brute force protection for your server in minutes.

If you’re up for it, I’ve written a few other related posts here:

http://jufflan.wordpress.com/2012/10/22/securing-your-server-environment-part-1-physical-environment/
and
http://jufflan.wordpress.com/2012/10/22/securing-server-environments-part-ii-networking/

By Juha Jurvanen @ JufCorp

#Infosec When and where is Syspeace useful for intrusion prevention?

In what scenarios is Syspeace useful for preventing brute force attacks? Do I need it if I’ve only got a Windows workstation?


Syspeace is intrusion prevention software mainly targeted at Windows Servers, SBS Server, RDS / TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Citrix and so on, but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace, these conditions need to be met:

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of port forwarding in your external firewall to your server / workstation. If you are for instance on a standard broadband connection and you haven’t changed the default rules in your broadband modem, your workstation is probably not reachable from the Internet, which makes a Syspeace installation quite unnecessary and a waste of RAM and CPU for you (minimal, of course, but still). There is no need to have software installed in any computer environment that doesn’t actually do anything for you. It’s a waste of resources.

3. The same goes for servers, although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks, since Syspeace works just as efficiently whether the attack is external or internal. It will even block a workstation trying to connect to network shares from the command prompt using the ”net use * \\servername\sharename” command. Have a look at this entry for instance: http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have, for instance, your own hosted WordPress blog that is reachable from the Internet. Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress blogs.

5. In server environments you might have Syspeace installed not only for intrusion prevention but also to have good reporting on various user login activity, which can be viewed and exported in the Access Reports section.

6. If you’re mainly using Cloud Services or a managed VPS, the intrusion prevention should be handled by your Cloud Service Provider. Here’s an older blog post on how to verify how your provider handles hacking attacks: http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30 day trial for download at http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/ .
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installation is small, quick and very easy to set up. You’re up & running in 5 minutes, and there’s no need to change your current infrastructure, invest in specific and usually expensive hardware, or hire external consultants.

By Juha Jurvanen @ JufCorp

Another weekly report of prevented intrusions against #Windowsservers by #Syspeace

Reported and blocked intrusion attempts against Windows Server

This is another report generated at a single server for one week. This isn’t actually a highly targeted server compared to a lot of the servers running Syspeace out there, but it does give you an idea of how common dictionary attacks and brute force attacks are.
All of these attacks were successfully blocked, tracked and reported by Syspeace.

If you want to see if your Windows servers, Terminal Servers, Exchange and OWA, Citrix, Sharepoint or SQL server are targeted, simply download a fully functional 30 day trial of Syspeace and see for yourself.
You might be surprised.

Report for week 2014-02-03 – 2014-02-09

— All Week ——


Hourly breakdown (blocks per hour): 00 x5, 02 x1, 03 x4, 04 x4, 05 x1, 06 x3, 07 x3, 09 x6, 10 x2, 11 x6, 12 x6, 13 x5, 14 x4, 15 x7, 16 x6, 17 x3, 18 x5, 19 x4, 20 x4, 21 x4, 22 x3, 23 x6 (hours with no blocks omitted)

– 2014-02-03 —


Hourly breakdown (blocks per hour): 00 x2, 03 x2, 05 x1, 07 x1, 09 x1, 10 x1, 11 x1, 13 x3, 15 x1, 16 x1, 20 x1, 23 x2 (hours with no blocks omitted)

– 2014-02-04 —


Hourly breakdown (blocks per hour): 04 x1, 09 x1, 11 x1, 13 x1, 14 x2, 15 x1, 16 x1, 18 x1, 21 x1, 23 x1 (hours with no blocks omitted)

– 2014-02-05 —


Hourly breakdown (blocks per hour): 02 x1, 03 x1, 04 x2, 06 x2, 09 x2, 11 x1, 12 x3, 15 x3, 17 x2, 18 x3, 19 x1, 20 x1, 21 x2, 22 x1 (hours with no blocks omitted)

– 2014-02-06 —


Hourly breakdown (blocks per hour): 09 x1, 11 x2, 12 x1, 18 x1, 19 x1, 21 x1 (hours with no blocks omitted)

– 2014-02-07 —


Hourly breakdown (blocks per hour): 00 x2, 03 x1, 07 x1, 14 x1, 15 x1, 16 x2, 23 x1 (hours with no blocks omitted)

– 2014-02-08 —


Hourly breakdown (blocks per hour): 04 x1, 06 x1, 07 x1, 12 x2, 15 x1, 16 x2, 19 x1, 20 x1, 22 x1, 23 x1 (hours with no blocks omitted)

– 2014-02-09 —


Hourly breakdown (blocks per hour): 00 x1, 09 x1, 10 x1, 11 x1, 13 x1, 14 x1, 17 x1, 19 x1, 20 x1, 22 x1, 23 x1 (hours with no blocks omitted)

Generated 2014-02-10 00:03:15 for machine ****.****.**** by Syspeace v2.3.1.0
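As an added example (not Syspeace’s own code), here is the kind of sliding-window rule an automatic blocker applies to failed logons and how its decisions roll up into the ”Times” and ”Hourly breakdown” figures of a report like the one above; it also covers the internal-source case from the previous post. The records and IP addresses are constructed, and the 5-failures-in-5-minutes / 2-hour-block values are assumptions, not Syspeace’s settings.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records (what Windows audits as event ID 4625), not real
# data: timestamp, source IP, account tried. External IPs are documentation ranges;
# 192.168.10.55 stands for a LAN workstation guessing a share password via "net use".
SAMPLE_FAILURES = [
    ("2014-02-03 00:01:10", "203.0.113.7", "administrator"),
    ("2014-02-03 00:01:12", "203.0.113.7", "admin"),
    ("2014-02-03 00:01:15", "203.0.113.7", "root"),
    ("2014-02-03 00:01:20", "203.0.113.7", "test"),
    ("2014-02-03 00:01:25", "203.0.113.7", "guest"),    # 5th within 5 min: block
    ("2014-02-03 00:01:30", "203.0.113.7", "sa"),       # arrives while blocked: dropped
    ("2014-02-03 03:10:00", "203.0.113.7", "admin"),    # block expired: counted afresh
    ("2014-02-03 03:10:02", "203.0.113.7", "admin1"),
    ("2014-02-03 03:10:04", "203.0.113.7", "admin2"),
    ("2014-02-03 03:10:06", "203.0.113.7", "admin3"),
    ("2014-02-03 03:10:08", "203.0.113.7", "admin4"),   # second block, 'Times' = 2
    ("2014-02-03 09:15:00", "198.51.100.22", "juha"),   # a real user mistyping
    ("2014-02-03 13:40:00", "192.168.10.55", "backup"),
    ("2014-02-03 13:40:03", "192.168.10.55", "backup"),
    ("2014-02-03 13:40:06", "192.168.10.55", "backup"),
    ("2014-02-03 13:40:09", "192.168.10.55", "backup"),
    ("2014-02-03 13:40:12", "192.168.10.55", "backup"), # internal source: blocked too
    ("2014-02-03 23:59:00", "198.51.100.22", "juha"),   # hours apart: never blocked
]

MAX_FAILURES = 5                # failures tolerated ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window (assumed values)
BLOCK_FOR = timedelta(hours=2)  # how long a blocked source stays blocked

def evaluate(records, max_failures=MAX_FAILURES, window=WINDOW, block_for=BLOCK_FOR):
    """Replay failed logons in time order. Returns (times, hourly): blocks per
    source IP (the report's 'Times') and blocks per hour of day ('Hourly breakdown')."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    blocked_until = {}
    times, hourly = Counter(), Counter()
    for ts, ip, _user in sorted(records):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if t < blocked_until.get(ip, t):
            continue  # still blocked: the firewall rule would drop this attempt
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            times[ip] += 1
            hourly[t.hour] += 1
            blocked_until[ip] = t + block_for
            q.clear()
    return times, hourly

def hourly_line(hourly):
    """Render counts in the report's 'HH xN' style, non-zero hours only."""
    return ", ".join(f"{h:02d} x{n}" for h, n in sorted(hourly.items()) if n)

if __name__ == "__main__":
    times, hourly = evaluate(SAMPLE_FAILURES)
    print("Times per source:", dict(times))
    print("Hourly breakdown (blocks per hour):", hourly_line(hourly))
```

The scattered failures from 198.51.100.22 never reach the threshold inside one window, which is what keeps a legitimate user who mistypes from being locked out.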


By Juha Jurvanen
