#msexchange Brute force attacks prevention on #Webmail #OWA with #Syspeace #hacking #security

Syspeace icon
Syspeace icon

Preventing brute force attacks against Microsoft Exchange Server and OWA Webmail

If you’re running Microsoft Exchange Server your also quite likely to have the Microsoft Exchange OWA (Webmail)
interface up & running to enable your users to use Activesync and access their email, calendars and contacts
over an easy-to-use web interface accessible over the Internet. This is just as relevant if you’re managing your
own Exchange Server or if it is a hosted Exchange at a service provider. If your provider doesn’t have a
solution for this, you may find yourself in a very difficult situation one day as explained further down.
Since the Exchange Webmail (OWA) is reachable and visible over the Internet, this of course also means that
anyone is able to try to log in to your Exchange server over the same OWA interface. They may not succeed to
login but they may try to overload your server by sending lots of login request or have your users undergo a
Denial of Service attack (a DoS attack).

Brute force attacks used as Denial of Service attacks

The OWA in itself (or does Windows Server for that matter) doesn’t have any brute force prevention mechanisms
built into it but the actual user validation is done within the Active Directory infrastructure by your domain
controller(s). Within the Microsoft line of products this is actually true for most of them such as Terminal
Server (RDS, Remote Desktop), Sharepoint, SQL Server and so on and also for Citrix since user validation is done
in the same way.
If you have for instance set up Account Lockout Policies to disable a user account after 5 failed attempts ,
anyone with knowledge of your name standards (email addrees, AD login) can basically run a script against the
server using a specicif username (or hundreds of them) and deliberatley usoing wrong passwords, thus locking the
legitimate users account and disabling them from loging in at all (in essence, they can’t even login to anything
that uses the Active Directory validation, not even their own workstations in the Office)
If such an attack is made from a single IP address, it is fairly easy to block it manually (simply block the
attack in either the external firewall or the local firewall of the Exchange server).
In reality though, this is not how such an attack occurs. Should someone really want to disrupt ypur services,
they will do this from hundreds or thousands computers at the same time and making it impossible to block
manually.

Using Syspeace as a countermeasure

With Syspeace , this is all taken care of automatically. Syspeace monitors the Windows Serevr logs for failed
login requests and if an IP address tries to login against your servers ( Exchange, Terminals Server and so on)
and fails for instance 5 times within half an hour, the IP address is automatically blocked from communicating
at all with the affected server on any level (so if you’re also running other services , they will not be able
to target them either once blocked).
Each attack is blocked, traced and reported via email that contains the source IP address, the username used,
country of origin and previous attacks from the same IP address.

Here is actually an example of how the email notification looks like (with IP address and domain name intentionally removed)
Blocked address *.*.*.* (ip-*-*-*-*.*.secureserver.net) [United States] 2015-01-14 18:45:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2015-01-14 16:44:50 ****lab
2015-01-14 16:44:52 ****labroator
2015-01-14 12:53:44 ****ron
2015-01-14 12:53:46 ****demo
2015-01-14 12:53:48 ****canon

Syspeace also delivers daily and weekly reports of blocked threats.

Within Syspeace, there is also reporting tools for access reports, a Global Blacklist for infamous offenders and
much more.

Installing and setting ups Syspeace

Setting up Syspeace is very easy and only takes a couple of minutes, without the need for changing your
infrastructure or bying very expensive dedicated hardware. Most likely , you will not even need to hire a
consultant for it.

Syspeace runs as Windows Service and support a variety of Windows Servers such as Terminal Server, Exchange Server, Sharepointm Windows Serevr 2003 to Windows Serevr 2012 R2 and more and it starts detecting brute force attacks immediately after you set it up and press the start button.

Please download a free, fully functional 30 trial from http://www.syspeace.com/free-download/download-plus-
getting-started-with-syspeace/
and see for yourself how a very big problem can be very easily solved.
Should you decide to keep using Syspeace, the licensing cost is equivalent to an antivirus product and the
licensing model is highly flexible, enabling you to decide for yourself ofor how long you wish to run Syspeace.

Syspeace - intrusion prevention for Windows servers
Syspeace website

#infosec How to block an ongoing dictionary attack / brute force attack against Windows Servers, #MSexchange and more

Syspeace - intrusion prevention for Windows servers

Syspeace website

How to block an intrusion attack against Windows Servers for free

If your server or datacenter is targeted by a brute force attack a.k.a dicttionary attacks , it might be hard to figure out how to quickly make it stop.
If the attack is from a single IP address you’d probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if needs following up.
However, if the attacks is triggered from hundreds or even thousands of IP addresses, it will become basically impossible to block all of them in the firewall so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for bruteforce prevention

Since Syspeace has a fully functional trial for 30 days, you can simply download it here ,install, regsiter with  a valid mail address, enter the licensekey into the Syspeace GUI and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering ususally only takes a few minutes and since Syspeace is a Windows service it will also automatically start if the server is rebooted.

If the attack is triggered to use just a few login attempts per attacking IP address and for a longer period of time in between attempts, I’d suggest you change te default rule to monitor for failed logins for a longer triggerwindow , for example 4 days so you’d also automatically detect hacking attempts that are trying to stay under the radar for countermeasure such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 3.6 Million attacks worldwide , we’ve also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of tme), the attackers IP address is quite likely to already be in the GBL and therefore it will be automatically blacklisted on all Syspeace-installations, thus making it preemptively blocked.

Syspeace does not simmply disable the login for the attacker, it completely blocks the attacker on all ports from communicating with your server so if you’ve got otther services also running on the server (such as an FTP or SQL Server) the attacker will not be able to reach any if those services either. The lockdown is on all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 and upwards, including the Small Business Server editions. It also supports Terminal Server (RDS) and RemoteAPP and RDWeb, Microsoft Exchange Serevr including the webmail (OWA) , Citrix, Sharepoint,
SQL Server and we’ve also released public APIs to use with various weblogins. All of this is included in Syspeace. Out of the box.
We’ve got a IIS FTP server detector in beta and also a FileZilla FTP Server detector and we’re constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you’re not being attacked by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attemtpts than you think, such as disabled or removed users that have left the company or very subtle, slow dictioanry attacks going on in the background that actaully might be quite tricky to spot if your not  constantly monitoring logfles.

On this blog, http://syspeace.wordpress.com ,we’ve written a lot of blog articles on how Syspeace works and a lot of other articles regarding securing your servers that we hope you’ll find useful.

#infosec #security About using #Syspeace against #DDoS attacks for #sysadmin

Syspeace - intrusion prevention for Windows servers
Syspeace website

Syspeace and DDoS attacks

We had a discussion the other day about Syspeace and if it would help in a DDoS attack.

Essentially a DDoS attack is about overloading a server with massive traffic thus making it unreachable for the services the way it is supposed to be.

This can be accomplished in numerous ways.

If for instance 10 000 computers in a botnet are targeted at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway. Syspeace is designed to monitor failed login attempts and handle them by custom rules to protect your Windows servers by completely blocking the attacking address in the local firewall. This will protect your server on all ports soo if you other services running on it, they would also be blocked for the attacker.

DOS/DDoS by using Brute force / dictionary attacks and how Syspeace would react

The two different methods in the brute force/dictioanry attack department would be the following.

Single login attempt method

If the same 10 000 copmuters try to login to your server (an Exchange weblogin, RDS/ Terminal Server, Sharepoint, Citrix and so on ) with a brute force / dictionary attack the server would stop responding due to the overload on CPU/RAM and the network would also be filled.

If each and one of these 10 000 computers only tries once to login , Syspeace wouldn’t react since that would esseantially mean that all logins (or IP addresses essentialy) would be blocked at the first thus disabling anyone to login.

If you’re a hosting provider or outsouring provider and you have a number of customers at static IP addresses you could whitelist the customers IP addresses and set up a Syspeace rule to block at one failed login and in that manner have the attacka partially handled by Syspeace.
However, if you’re a Cloud Service provier this won’t work in reality since your customers could be coming from any IP address anywhere.

Multiple login attempt method

The second method would be to have each and everyone of these 10 000 computers constantly trying to login multiple times and such an attack would be blocked by Syspeace.

Bare in mind though, this would not sort out the network being flooded but it would help you protect your server from crashing due to overloaded CPU/RAM usage and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or increasing your bandwidth for instance)

To a certain extent , the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses attacking you already.

If you don’t have Syspeace at all it’s not unlikely you’ll also be having a lot of user accounts locked out if you you’re trying to use lockout policies. Here’s a previous blogpost on why that is

Future features in Syspeace

One of the things we’ve already released are public APIs for customers with their own applications, webapplications and loginforms so we enable them to use the Syspeace engine to easily handle brute force attacks. For more information on how to implement it on your website or appliaction , please refer to the Syspeace Detector API page

We do have some ideas on how also to have Syspeace help in the first scenario (1 login/computer attack) but we’ll get back to you on that after we’ve implemented quite a few new more features and functions that’s already in our roadmap.

To have your Windows servers protected against malicious login attempts and have it set up in minutes without changing your infrasctructure , please visit the Syspeace download page

By Juha Jurvanen

#Infosec When and where is Syspeace useful for intrusion prevention ?

In what scenarios Syspeace is useful for preventing brute force attacks? Do I need it if I’ve only got a Windows workstation?

Syspeace - intrusion prevention for Windows servers
Syspeace website

Syspeace is an intrusion prevention software mainly targeted for Windows Servers, SBS Server, RDS TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Sharepoint, Citrix and so on but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace these conditions need to be met

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of portforwarding in your external firewall to your server / workstation. If you are for instance on a standard broadband connection and you haven’t done anything with the default rules in your boradband modem, your workstation is probably not reachable from the Internet thus making a Syspeace installation quite unecessary and waste of RAM and COPU for you, minimal of course but still. There is no need to have software installed in any computer environment that actually doesn’t do anything for you. It’s a waste of resources.  

3.The same goes for servers although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks since Syspeace works just as efficently whetheter the attack is externla or internal. It will even block a workstation trying to connect to netowrk shares via the command prompt using ”net use * \servernamesharename” command. Have a look at his entry for instance http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have for instance your own hosted WorPress Blog that is reachable from the Internet . Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress Blogs.

5. In server envirenments you might have Syspeace installed not only for intrusion prevention but also to have a good reporting on various user login activity that can be viewed and exported in the Access Reports Section.

6. If you’re using mainly Cloud Services or a managed VPS ,the intrusion prevention should be handled by your Cloud Service Provider . Here’s an older blog post on how to have verify how your provider handles hacking attacks : http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30 day trial for download at http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/ .
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installtion is small, quick and very easu to set up. You’re up & running in 5 minutes and there’s no need to chnage your current infrasctructure, invest in specific and usually expensive hardware or hire external consultants.

By Juha Jurvanen @ JufCorp