Today ( 30th of June 2014) ,we’ll be doing some maintenance on the Syspeace website and backend systems so there will be shorter periods of time when the systems can’t be reached.
This is just a short newsflash that the Syspeace devteam has been working on adding detectors for #Microsoft #IIS FTP server and for #Filezilla FTP server.
Using the Syspeace engine to prevent bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix has proven to be highly efficient and the need for more detectors grows steadily the more users we get.
We’ve blocked,tracked and reported over 3 Million #bruteforce and #dictionary attacks against Windows Servers worldwide so far.
We have a constant dialogue with Syspeace users over mail or Uservoice to see what new detectors our users need and one of the most frequently asked for is FTP support.
If you have ideas for new features or detectors, please join us at Uservoice or drop us an email.
We’ve already publically released the Syspeace API to enable you to write your own webapplication detectors and have Syspeace handle bruteforce attacks for you.
For more information on how to do this, please refer to the Syspeace Detector API page .
Today, we reached a new milestone for Syspeace. We have now blocked, tracked and reported over 3 Million #bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix #SQLserver worldwide!
Syspeace and DDoS attacks
We had a discussion the other day about Syspeace and if it would help in a DDoS attack.
Essentially a DDoS attack is about overloading a server with massive traffic thus making it unreachable for the services the way it is supposed to be.
This can be accomplished in numerous ways.
If for instance 10 000 computers in a botnet are targeted at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway. Syspeace is designed to monitor failed login attempts and handle them by custom rules to protect your Windows servers by completely blocking the attacking address in the local firewall. This will protect your server on all ports soo if you other services running on it, they would also be blocked for the attacker.
DOS/DDoS by using Brute force / dictionary attacks and how Syspeace would react
The two different methods in the brute force/dictioanry attack department would be the following.
Single login attempt method
If the same 10 000 copmuters try to login to your server (an Exchange weblogin, RDS/ Terminal Server, Sharepoint, Citrix and so on ) with a brute force / dictionary attack the server would stop responding due to the overload on CPU/RAM and the network would also be filled.
If each and one of these 10 000 computers only tries once to login , Syspeace wouldn’t react since that would esseantially mean that all logins (or IP addresses essentialy) would be blocked at the first thus disabling anyone to login.
If you’re a hosting provider or outsouring provider and you have a number of customers at static IP addresses you could whitelist the customers IP addresses and set up a Syspeace rule to block at one failed login and in that manner have the attacka partially handled by Syspeace.
However, if you’re a Cloud Service provier this won’t work in reality since your customers could be coming from any IP address anywhere.
Multiple login attempt method
The second method would be to have each and everyone of these 10 000 computers constantly trying to login multiple times and such an attack would be blocked by Syspeace.
Bare in mind though, this would not sort out the network being flooded but it would help you protect your server from crashing due to overloaded CPU/RAM usage and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or increasing your bandwidth for instance)
To a certain extent , the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses attacking you already.
If you don’t have Syspeace at all it’s not unlikely you’ll also be having a lot of user accounts locked out if you you’re trying to use lockout policies. Here’s a previous blogpost on why that is
Future features in Syspeace
One of the things we’ve already released are public APIs for customers with their own applications, webapplications and loginforms so we enable them to use the Syspeace engine to easily handle brute force attacks. For more information on how to implement it on your website or appliaction , please refer to the Syspeace Detector API page
We do have some ideas on how also to have Syspeace help in the first scenario (1 login/computer attack) but we’ll get back to you on that after we’ve implemented quite a few new more features and functions that’s already in our roadmap.
To have your Windows servers protected against malicious login attempts and have it set up in minutes without changing your infrasctructure , please visit the Syspeace download page
By Juha Jurvanen
Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud
There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds and some are hybrids and some are private.
There’s also the possibility rent an external VPS and use as a server at quite a few providers nowadays.
The IaaS/PaaS (Infrastracture as a Service/ Platform as a Service) provider gives you acces to a virtual server designed as to your needs when it comes to RAM and storage. Basically, it’s usually an empty server with an operating system.
Running IT solutions on an external VPS decreases the need for hardware investements but there are still things you need to consider and you need to manage your server the same way you would with any physical server i terms of monitoring security and tha availability of services and applications.
Logically, the server is reachable from the Internet which will make it a target.
Anything that is reachable will be targeted for intrusion attempts. The responsibility for Iaas/PaaS provider is simply to provide you with the Hypervisor needed to host you operating system and the rest is up to you. You install the applications, webservers and everything just as you would with a normal physical server.
Some aware Iaas/PaaS/Cloud service provders do have some kind of Appshop/Control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention but it’s not that common.
Remember that your VPS shares ”IP-space” with other customers when it comes to the network at your provider and you have absolutely no idea of what your ”neighbors” are doing and if they’re the slightest security aware.
They may hve been hacked without you knowing it (or them either for that matter) and they could have the IP address right next to you and their server could be used for instance for portscanning or hacking attempts against your VPS (if seen this quite a few times now).
Your IaaS/PaaS provider usually wouldn’t know since it’s not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more. No security monitoring, no antivirus, no application / services monitoring
In case of a larger DDoS attack, they probobaly have ways to handle them if it concerns their entire network and affects a lot of their customers but when it comes to attacks speciafically targetet at your VPS and your users on it, it’s a bit trickier.
Imagine the scenario you’ve set up a server, you got your users set up, installed your applications and services and it’s up and running. Now, rermember that there’s no connection nbetween you userdatabase and login mechanisms locally on the VPS and your IaaS/PaaS systems so they’ll actually never even get any alarms if some is trying to brute force your server or your webapplication. They will be alerted in case of a large DDoS attack against their entire netowrk but they will not be alerted in cases of a bruteforce attack targetetd against your VPS.
So, in short, it’s all up to you. There’s no differnce apart from your not running the server in your own datacenter or at a hosting company.
Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts
If your running a Windows server as a VPS you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported againts the Syspeace Global Blacklist.
You also need to secure the server in other ways such as an antivirus, have your services monitored, you webapplication login form secured both from malicios code and from brute force logins (this is also wher Syspeace comes into play since there are plugins available for various webplatforms to use against bruteforce attacks)
Syspeace is an automated Host Intrusion Prevention System (also called a HIPS) and is targeted to protect Windows servers, Exchange and OWA , Sharepoint, Terminal Server / RDS and the RDWEB login, Citrix , SQL Server and more from bruteforce / dictionary attacks. . It is easy to install, and easy to manage and you’ll set it up in a couple of minutes and you’re protected. Instantly.
As I’m writing this, Syspeace has succesfully blocked, tracked and reported over 2 921 200 (2.9 Million) brute force and dictionary attacks against Windows servers worldwide.
Have a look the Syspeace website for a free trial download or keep reading some of the previous articles I’ve written on various securiy aspects on server managagement such as Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don’t work and Securing your #WinServ and #MSExchange with an acceptable baseline security