Syspeace is a HIPS (Host Intrusion Prevention System) that monitors failed logins attempts on for instance Remote Desktop Servers, Exchange Server, SQL Servers, Winlogon events on Windows Servers from Windows Server 2003 and more and blocks, tracks and reports the attacker based on customazible rules
Sometimes though, the event (Eventid 4625 or eventid 529 and a few other security events we monitor) doesn’t actually contain the source IP address thus leaving Syspeace with nothing to block.
If there’s no IP address to block, it can’t be put into to the Windows Frewall Syspeace rules and the bruteforce attack can continue.
This essentially happens when you switch from RDP layer security to using a certificate.
An article on Stackoverflow might be pointing to a solution though
Here’s a warning though!
If you’re using the RD WEB also to publish Remote Resources.
For some reason , your MAC OS clients will stop recieving Remote Resources since it seems to run on NTLM version 1 (and I would guess Android and XP too )
Also scanners may stop working locally if they need to write files to a newtorks share
I tried a lab with this and when seting the – Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts , the remote resources can’t be refreshed.
There are a few warnings when changing this setting and you should investigate if there are applications or services in your server environment that are dependent on LM or NTLM (v1).
I’ve changed the setting on a number of servers and haven’t seen anything stop working but still you should investigate before changing.
An interesting support case came to our attention recently.
A customer claimed that Syspeace wouldn’t block according to the rules.
The bruteforce attacks would continue , even after they should have been blocked.
We checked the ususal culprits (verify that the .Net is fully patched, that the customer is running the latest Syspeace version, verify that logging is enabled and that the firewall is turned on )
The rules were added as expected in the firewall but they didn’t have any effect.
After a lot of troubleshooting the root-cause was found.
The customers server did indeed have the firewall enabled but only in one of the firewall profiles (public, private, domain) and unfortuantely, the network used was not the one the firewall was enabled for, hence, nothing was blocked as expected. The rules were added but did not take effect in the expected amount of time
So, as a general troubleshooting tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.
The usual troubleshooting tips we give are described in the manual in the troubleshooting section
1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.
2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).
3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)
4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn’t find any, there is not much that Syspeace can do.
7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.
8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester ”anypassword”
9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.
10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual
11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article
12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. in the upcoming version this has been fixed.
Syspeace automatically blocks attacks that occur according to the rules.
The default rule is that if an intruder fails to login more than 5 times within 30 minutes, the intruders IP address is blocked, tracked and reported for 2 hours and simply is denied any access to the server.
A new trend though has emerged and that is for bruteforce attackers to ”slowgrind” through servers, trying to stay ”under the radar” really from IDS/IPS HIPS/HIDS such as Syspeace.
They’ve got thousands and thousands of computers at their disposal so they’ll basically just try a few times at each server and then move on to next one in the IP range or geographical location hoping not to trigger any alarms or hacker countermeasures in place.
An easy way to battle this is actually simply to change the default rule in Syspeace from the time windows of 30 minutes to for example 5 days.
This way , I’m pretty sure you’ll see there are quite a few attackers that only tried 2 or three times a couple of days ago and they’re back again but still only trying only a few times.
With the ”5 day” windows, you’ll catch and block those attacks too.
Here’s actually a brilliant example of an attack blocked, using a 4 day window.
Blocked address 220.127.116.11() [China] 2014-08-11 15:06:00
Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Lockout time: 02:00:00
Previous observations of this IP address:
2014-08-11 13:05:51 aksabadministrator
2014-08-10 22:06:48 aksabadministrator
2014-08-10 06:39:12 aksabadministrator
2014-08-09 15:39:52 aksabadministrator
2014-08-09 00:32:05 aksabadministrator
Syspeace has blocked more than 3 285 300 intrusion attempts against Windows Servers worldwide so far.
What is a brute force attack or dictionary attack really and how would Syspeace help?
Essentially it is someone who is trying to guess the right combination of username and password to gain access into your serveers for example a Microsoft Exchange Serve and the OWA (Outlook Web Access), Terminal Server/RDS (Remote Desktop Server), Sharepoint, SQL Server, Citrix and so on.
The attacker uses automated software to try to guess the right combination to be able to login and steal data or to elevate their rights. One attack can render in thousands of login attempts, it can go on for hours or days and it is a heavy load for the server to handle that in regards of CPU, RAM, network traffic and so on.
Each login request has to validated and checked if it is legitimate or not.
A comparison of a brute force attack and the real world be be this (this is an excerpt from the Syspeace website)
”Imagine that your company has a physical facility. If someone repeatedly tries to gain access with a fake key or invalid key card, you would expect that your security guards would notice and not let the intruder through”
Aren’t there builtin protection into Windows Server against these attacks ?
In short. No.
The only built in mechanisms in Windows Servers are basically the ability to enforce strong passwords and to enable account lockout.
To enable strong passwords is a good thing, even if you’re running an intrusion prevention software for Windows like Syspeace.
If you have easy-to-guess passwords, it won’t really matter what protection you’re sunning since if a login is valid, no software would block it anyway. A valid username and password is always a valid login. So, please ensure you require users to use strong and complex passwords and allow for Syspeace to capture the attack.
The second method , ie. account lockout, might actaully do you more harm than good and here’s why.
If the system you’re protecting is for instance an Exchange Server or an RDS Server and it is probably facing he Intenet to provide service for your users or customers. To figure out a username doesn’t have to be that complicated fo an attacker. They’ll first try to understand the email policy naming convention, scavenge the Internet for metadata and the simply start trying to login using the email address as the username (since this is quite often a valid login name) and try guess to guess the password.
If you’ve enabled the Account Lockout Policy the affected users accounts will be constantly locked since the attacker will automate the attack and try thousands of time for each user they know are in the system.
If you’ve been hit with an attack and it is just from a single IP address, you’d probably just block it in the Windows Firewall (or the external firewall) and unlock the affected users accounts and that’s it. Hopefully you’d also report it.
Now, what if the attack is actually done from hundreds or thousands of computers at the same time ? Blocking them manually isn’t really an option is it ?
One simple and quick solution is to download the fully functional trial of Syspeace , install it and have Syspeace block, track and report the attack.
How can Syspeace help as an Intrusion Prevention for Windows Servers and do I set it up?
The idea behind Syspeace is the ease of use and independence from other software and appliances and also not to enforce a change in your network or infrastructure.
Some systems require you to change your entire infrastructure and put for instance a high performing proxy appliance or server in front of the network. Other systems are bundled with antivruses and other systems, requiring you use consultants and experts to get the systems running.
Syspeace is simply installed on the servers you want to protect. The installation process takes about 4-5 minutes maximum and that’s it. You’re done. The server is protected against brute force attacks. Out of the box.
Th Syspeace GUI is easy to understand and easy to manage. You don’t have to be a security expert to manage Syspeace.
If you want to move a Syspeace license from one server to antoher , that’s also easily done thanks to the floating licensing model within Syspeace. The length of the license can also vary so you’re not forced into buying a 1 year license if you don’t want to . You can a license fo 1 month. or 3 months, Whatever suits your needs.
The pricing of Syspeace is more or less equivavlent to an antivirus and it is a per-server based licensing so it’s not based up on the number of users you’re servicing. 1 license, 1 server. That’s it.
These are some of the features included in Syspeace
Secure login attempts on Windows server
The Windows server is secured by watching the result of the Logon process. If multiple logon attempts fails, actions can be taken. This works on Windows Server 2003 and on and is also automatically protection for Remote Desktop Services, Sharepoint, Exchange OWA, Citrix and basically anthing that renders an eventid of 4635 or eventid 529 (we do monitor more events also)
Secure login to Exchange Serevr SMTP connectors
The Exchange server is usually exposed by the OWA web site that is a part of Exchange. Syspeace not only protects the OWA but also logon attempts made by connectors.
Secure login to SQL Server
Many SQL-server installations expose a logon-possibility either by AD-integration or by logon by using SQL Authentication. Syspeace protects both methods
Multiple customizable rules
Syspeace can be tailored to fit your specific needs by customizing the rule-base. The rules are executed in real-time on all successful and unsuccessful logon attempts and appropriate measures are taken.
Send mail when a block is done
Whenever a block (rule) is entered in the firewall, you have the option to be notified by mail.
Send daily mail with aggregated intrusion information both as plain text and attached CSV file
Each day, there is a summary created that you can have mailed to you or the people that you see will benefit from it.
Send weekly mail with aggregated intrusion information both as plain text and attached CSV file
If the daily summary is too granular, a weekly summary is also available in the same way.
Uses local whitelist
Some computers should never be blocked in your environment. These computers can be listed in a local Whitelist so that Syspeace will never block these IP addresses.
Uses local blacklist
The local blacklist is a opportunity to force a block to a specific set of computers that you never want to connect to your server.
Uses global blacklist
Syspeace comes with a Global Blacklist. This list is maintained by Syspeace central servers and distributed once a day to your Syspeace installation. The Global Blacklist contains computers that have tried to break the security on many other sites that run Syspeace.
Searchable log of login/intrusion attempts
Syspeace have the ability to in a very easy way present information about who is attacking you and when it happened. The data is searchable, aggregated and presented in a matter of a few simple clicks.
View information on why a block was made
A block may be initiated from many different sources. Together with the block is also information stored about the origin. It is always possible to back track a block.
Access report to quickly find related information in the attempt log
The Access report takes the reporting to a new level. Here, it is possible to further aggregate and investigate what happens to your server.
Updates are free and new features are included. We’ve also released the ability write your own Syspeace Detectors thurough the Syspeace API to protect for instance a webapplication or write a special detector for your Windows applications.
Who should use Syspeace then ?
Syspeace isn’t targeted at any special types of environments or companies, we believe that Syspeace is a natural part to use for any server administrator, regardless of if you’re a Cloud Service provider or managing you own servers or if you’re an outsourcing company, hosting company or even if the servers are physical or virtual.
Syspeace can help in any scenario so the short answer is, any system admininstrator managing a Windows Server from Windows Server 2003 and on really.
It is not a ”silver bullet” for security but a piece of the security puzzle we believ you’ll need to ensure the protection of your users or customers and it solves a problem easily that no one hasn’t really been able to handle earlier.
If yuu’re up for reading more about intrusion prevention for Windows Servers, please have a look at the earlier articles written here on this blog or have simply go to the Syspeace website for more information and download a trial.
Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud
There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds and some are hybrids and some are private.
There’s also the possibility rent an external VPS and use as a server at quite a few providers nowadays.
The IaaS/PaaS (Infrastracture as a Service/ Platform as a Service) provider gives you acces to a virtual server designed as to your needs when it comes to RAM and storage. Basically, it’s usually an empty server with an operating system.
Running IT solutions on an external VPS decreases the need for hardware investements but there are still things you need to consider and you need to manage your server the same way you would with any physical server i terms of monitoring security and tha availability of services and applications.
Logically, the server is reachable from the Internet which will make it a target.
Anything that is reachable will be targeted for intrusion attempts. The responsibility for Iaas/PaaS provider is simply to provide you with the Hypervisor needed to host you operating system and the rest is up to you. You install the applications, webservers and everything just as you would with a normal physical server.
Some aware Iaas/PaaS/Cloud service provders do have some kind of Appshop/Control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention but it’s not that common.
Remember that your VPS shares ”IP-space” with other customers when it comes to the network at your provider and you have absolutely no idea of what your ”neighbors” are doing and if they’re the slightest security aware.
They may hve been hacked without you knowing it (or them either for that matter) and they could have the IP address right next to you and their server could be used for instance for portscanning or hacking attempts against your VPS (if seen this quite a few times now).
Your IaaS/PaaS provider usually wouldn’t know since it’s not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more. No security monitoring, no antivirus, no application / services monitoring
In case of a larger DDoS attack, they probobaly have ways to handle them if it concerns their entire network and affects a lot of their customers but when it comes to attacks speciafically targetet at your VPS and your users on it, it’s a bit trickier.
Imagine the scenario you’ve set up a server, you got your users set up, installed your applications and services and it’s up and running. Now, rermember that there’s no connection nbetween you userdatabase and login mechanisms locally on the VPS and your IaaS/PaaS systems so they’ll actually never even get any alarms if some is trying to brute force your server or your webapplication. They will be alerted in case of a large DDoS attack against their entire netowrk but they will not be alerted in cases of a bruteforce attack targetetd against your VPS.
So, in short, it’s all up to you. There’s no differnce apart from your not running the server in your own datacenter or at a hosting company.
Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts
If your running a Windows server as a VPS you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported againts the Syspeace Global Blacklist.
You also need to secure the server in other ways such as an antivirus, have your services monitored, you webapplication login form secured both from malicios code and from brute force logins (this is also wher Syspeace comes into play since there are plugins available for various webplatforms to use against bruteforce attacks)
Syspeace is an automated Host Intrusion Prevention System (also called a HIPS) and is targeted to protect Windows servers, Exchange and OWA , Sharepoint, Terminal Server / RDS and the RDWEB login, Citrix , SQL Server and more from bruteforce / dictionary attacks. . It is easy to install, and easy to manage and you’ll set it up in a couple of minutes and you’re protected. Instantly.
As I’m writing this, Syspeace has succesfully blocked, tracked and reported over 2 921 200 (2.9 Million) brute force and dictionary attacks against Windows servers worldwide.
Syspeace WordPress Reporter – Brute force protection detector for WordPress by Syspeace
What is the Syspeace WordPress Reporter?
Syspeace WordPress Reporter is used to collect relevant login data from your WordPress pages
login functionality. The collected data is sent to the Syspeace Web Detector which provides
Syspeace with login attempt information. This means that for the WordPress Reporter to work you
must have the Web Detector installed in Syspeace.
To prevent other websites running on the same server from sending login reports a Reporting
Token is used in the Web Detector Reporter. A reporting token is a password-like feature that is set in Syspeace settings and that value needs to correspond with the reporting token sent by the Web Detector Reporter. Unless they match, the login report is ignored in Syspeace.
How to install the Syspeace Web Detector PHP Reporter
Download the SyspeaceDetectorSDK-v1 and unzip. The Detectors and addons are free and there are also other detectors provixed for you to use in conjuction with webapplication logins for instamce.
How to install:
1. Install the plugin like this:
Put the SyspeaceWordpressReporter.php file in wp-content/plugins/
The file is located in SyspeaceDetectorSDK-v1Web Detector ReportersPHP
2. Activate the plugin by going to the plugin tab of the WordPress admin panel, selecting the
Syspeace WordPress Reporter plugin and clicking Activate.
3. Go to the Syspeace Reporter Settings tab that has been added to your admin panel.
4. Set Reporting Token to the Reporting Token set in Syspeace’s settings
5. Set Website to the name of the website
6. Click Update
How to use the Syspeace WordPress Reporter
To use the WordPress Reporter, simply go to Syspeace Reporter Settings and set Reporter Token to
the Reporting Token set in Syspeaces settings and set Website to the site name you want in the log
Once you have implemented the plugin on your website we suggest that you test i
t by making both failed and successful login attempts. You can then verify if the login attempts are recorded by checking the Syspeace Access Log under Settings Access Log in Syspeace.
What the Syspeace Web Detector PHP Reporter requires
The server running WordPress must have Syspeace installed so you would need to be running a selfhosted WordPress on a Windows Server
You will be required to install a Web Detector Provider in Syspeace as mentioned under
What is Syspeace WordPress Reporter
Additional free brute force plugins by Syspeace
In the .zip file there are also other plugins and documentation on how to write your own Syspeace Detectors and our goal is to release more detectors as they’re written by us or by our Syspeace users around the world.
or I could also have called this post ”Do you know whom your VPS is hacking today?”
A trend that has surfaced over the years is to simply hire computer power inte the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance för servers and have someone else take care of it. Also known as Infrastructure aa a Service or IaaS
The problem is often though that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.
What you’ve basically done is simply get rid of the hardware hassle but you still have to take care of the Windows patching and manage security issues as with any Windows serevr (or Linux för that matter) .
There aren’t that many Cloyd services out there that actually will also manage the security and management aspects of your VPS and you really need to think these things through.
The resaon for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted aginst RDP / Terminal Servers servers, Exchange Server and Sharepoint Servers in this case, have been blocked, traced and reported automatically but the big question is whether whoever owns/hires this VPS is actually even aware of what is going on ? Or if it’s hired especially for this purpose? This is actuallt impossible to know.
In this specific case this VPS has been going on and on for a while and it has targeted at least 5 different customers of mine with Syspeace installed and about 12 servers at least.
All attacks have been succesfully blocked, tracked and reported and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and propagated to all other Syspeace installations around the world and it will be blacklisted for all of them, thus securing them preemptively from any brute force / dictionary attacks from this VPS.
Most likely the Cloud Service Provider doesn’t know what’s going on since it’s not their responsibility really. Maybe the user / customer hirong the VPS does this on pyrpose or they have no idea that the VPS has been compromised and is used for this hacking activity. I juyt donät knoew. All I know is that it has been cinducting a lot of dicitionary attacks lately.
What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it as any other server really.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct and you need to monitor activity on it.
You should also ask your Cloud Service provider for intrusion prevention from Syspeace since you basically have no idea what all of the other customers VPS are really doing in your shared network since you hae no control over them.
Your ”neighbors” at the Cloud Service could be trying to brute force they way into your VPS and you’d probably wouldn’t have a clue if you haven’t turned on logging and installed a brute foce prevention software for Windows servers.