#infosec How to block an ongoing dictionary attack / brute force attack against Windows Servers, #MSexchange and more

Syspeace - intrusion prevention for Windows servers

Syspeace website

How to block an intrusion attack against Windows Servers for free

If your server or datacenter is targeted by a brute force attack, a.k.a. a dictionary attack, it might be hard to figure out how to quickly make it stop.
If the attack comes from a single IP address you'd probably block it in your external firewall or the Windows Server firewall and after that start tracking and reporting the attack to see if it needs following up.
However, if the attack is launched from hundreds or even thousands of IP addresses, it becomes basically impossible to block all of them in the firewall by hand, so you need something to help you automate the task.

This is where Syspeace comes into play.

Fully functional, free trial for brute force prevention

Since Syspeace has a fully functional 30-day trial, you can simply download it here, install it, register with a valid mail address, enter the license key into the Syspeace GUI, and the attack will be automatically handled (blocked, tracked and reported) as soon as the Syspeace service starts up.

In essence, the attack will be blocked within minutes from even connecting to your server.

The entire process of downloading, installing and registering usually takes only a few minutes, and since Syspeace is a Windows service it will also start automatically if the server is rebooted.

If the attack is set up to use just a few login attempts per attacking IP address, with a long pause between attempts, I'd suggest you change the default rule to monitor failed logins over a longer trigger window, for example 4 days. That way you also automatically detect hacking attempts that try to stay under the radar of countermeasures such as Syspeace.

The Syspeace Global BlackList

Since Syspeace has already blocked over 3.6 million attacks worldwide, we've also got a Global Blacklist that is automatically downloaded to all other Syspeace clients.

This means that if an IP address has been deemed a repeat offender (meaning that it has attacked X number of Syspeace customers and Y number of servers within Z amount of time), the attacker's IP address is quite likely to already be in the GBL. It will therefore be automatically blacklisted on all Syspeace installations, which means it is blocked preemptively.

Syspeace does not simply disable the login for the attacker; it completely blocks the attacker on all ports from communicating with your server. So if you've got other services running on the server as well (such as an FTP or SQL Server), the attacker will not be able to reach any of those services either. The lockdown applies to all TCP ports.

More Syspeace features, supported Windows Server editions and other services such as Exchange Server, Terminal Server, SQL Server …

You will also get tracking and reporting included immediately, for future reference or forensics.
Syspeace supports Windows Server editions from Windows 2003 upwards, including the Small Business Server editions. It also supports Terminal Server (RDS), RemoteApp and RDWeb, Microsoft Exchange Server including the webmail (OWA), Citrix, Sharepoint and
SQL Server, and we've also released public APIs to use with various web logins. All of this is included in Syspeace, out of the box.
We've got an IIS FTP Server detector in beta and also a FileZilla FTP Server detector, and we're constantly developing new detectors for various server software.

Download and try out Syspeace completely free

Even if you're not being hit by a large brute force attack right now, you can still download the trial and have Syspeace handle attacks for you in the background. Who knows, there could be more invalid login attempts than you think, such as from disabled or removed users that have left the company, or very subtle, slow dictionary attacks going on in the background that can be quite tricky to spot if you're not constantly monitoring the log files.

On this blog, http://syspeace.wordpress.com, we've written a lot of articles on how Syspeace works and a lot of other articles on securing your servers that we hope you'll find useful.

#Infosec When and where is Syspeace useful for intrusion prevention?

In what scenarios is Syspeace useful for preventing brute force attacks? Do I need it if I've only got a Windows workstation?


Syspeace is intrusion prevention software mainly targeted at Windows Servers, SBS Server, RDS/TS Servers, RDWeb, Sharepoint Servers, SQL Server, Exchange, Citrix and so on, but it will also run on Windows 7 and above for home use.

To have a real use for Syspeace, these conditions need to be met:

1. You need to have enabled remote access to your server / workstation.

2. You need to have set up some kind of port forwarding in your external firewall to your server / workstation. If you are, for instance, on a standard broadband connection and you haven't changed the default rules in your broadband modem, your workstation is probably not reachable from the Internet, which makes a Syspeace installation quite unnecessary and a waste of RAM and CPU for you (minimal, of course, but still). There is no need to have software installed in any computer environment that doesn't actually do anything for you. It's a waste of resources.

3. The same goes for servers, although in a server environment you might want to have Syspeace installed to monitor and handle internal brute force attacks, since Syspeace works just as efficiently whether the attack is external or internal. It will even block a workstation trying to connect to network shares from the command prompt using the "net use * \\servername\sharename" command. Have a look at this entry for instance: http://syspeace.wordpress.com/2013/09/25/syspeace-for-internal-brute-force-protection-on-windows-servers/

4. There could be a scenario where you have, for instance, your own hosted WordPress blog that is reachable from the Internet. Please refer to http://syspeace.wordpress.com/2013/04/24/syspeace-for-protecting-wordpress-from-brute-force-attacks/ for an idea on brute force prevention for WordPress blogs.

5. In server environments you might have Syspeace installed not only for intrusion prevention but also to get good reporting on user login activity, which can be viewed and exported in the Access Reports section.

6. If you're mainly using Cloud Services or a managed VPS, the intrusion prevention should be handled by your Cloud Service Provider. Here's an older blog post on how to verify how your provider handles hacking attacks: http://syspeace.wordpress.com/2012/11/19/securing-cloud-services-from-dictionary-attacks-hack-yourself/

There is a fully functional, free 30-day trial for download at http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/ .
Give it a try and have your Windows Server instantly protected from dictionary attacks and brute force attacks. The installation is small, quick and very easy to set up. You're up and running in 5 minutes, and there's no need to change your current infrastructure, invest in specific and usually expensive hardware, or hire external consultants.

By Juha Jurvanen @ JufCorp

Windows server intrusion prevention for hosting providers and cloud service providers with Syspeace


Moving to the cloud or a service provider

The more users and companies start using any kind of externally hosted environment, whether it is a cloud-serviced VPS, a hosted Exchange, SQL Server or Terminal Server, or just a co-located server, the more responsibility falls upon the service provider to ensure their customers' data is protected from unwanted logins and to have adequate reporting mechanisms in place.

A service provider will have firewalls in place. They will have monitoring of bandwidth, resource usage and hardware, and probably some antivirus solution, but one area that most service providers tend to ignore is intrusion detection on the host level.

Please refer to this earlier blog post on why the standard methods are NOT adequate for maintaining a secure environment, regardless of whether you are a service provider or you host and manage your own servers: http://syspeace.wordpress.com/2013/07/11/using-various-brute-force-and-dictionary-attack-prevention-methods-to-prevent-hackers-and-why-they-dont-work-repost/

Verify your provider's security awareness

I personally encourage any users / companies having their server hosted elsewhere to actually verify how the service provider handles intrusion attempts.

Try using your login name with the wrong password and simply try to log in multiple times to, for instance, the Exchange OWA webmail or your Terminal Server / Remote Desktop / RemoteApp Server / Sharepoint / Citrix.

What will happen? Will you be blocked and automatically handled as an intruder? Is your account locked out? Are you alerted in any way by your provider that someone has tried to access your account? If not, you should ask your provider how this is possible. Isn't one of the ideas of having someone else handle your data and security that they also act upon it and have mechanisms in place for it? Can they provide you with information on, for instance, where your account has been logged in from over the last 6 months?

Another interesting side of having your servers handled by others is the reporting capabilities.

When you had your servers in-house, you could verify user logins locally (assuming you've enabled auditing for it), but once you've handed over control of the Windows server itself, or if you're in a shared environment, this information can become quite tricky to get hold of.

Say, for instance, that you want to verify whether a specific user has been logged in and actually worked during July and August. You also want to know from where. Can your service provider get you this information easily? In some cases, probably yes: not easily, but with some manual labor and an extra cost for you, they can get parts of the information for you.

Are there any statistics provided by your provider on how many intrusion attempts are actually blocked by them? Probably not, since this could scare customers away if they don't have the appropriate solutions in place for securing their customers.

Cloud services and moving your servers to hosting providers and managed services are a great way of cutting costs and getting the benefits of shared environments, but you should also demand that intrusion detection is in place and that reporting can easily be arranged from the cloud provider or service provider before even considering using external services. The idea is to get heightened security, not lowered security.

If you're talking to a provider, simply ask them if they've thought of these questions and, if they have, what countermeasures they use and what processes they have in place for intrusion attacks.

If they’re not aware of the problems or even worse, ignore them, maybe you should consider talking to another provider or have them take a look at Syspeace.

I personally believe that using Syspeace will become an advantage for any cloud service provider, hosting provider or outsourcing provider: it will cut administrative costs, strengthen security and be a selling point for customers that you're using Syspeace to protect them from intrusion attempts and dictionary attacks.

Syspeace is not specifically targeted at Cloud providers but should be installed on any Windows-based server as part of the baseline security, regardless of whether it's a physical server or a virtual server.

By Juha Jurvanen – JufCorp

Syspeace license password reset

Hi, all.

As all of you know, we put a lot of effort and work into getting various features and improvements in place to help you protect your Windows 2003/2008/2008R2 servers (with Windows Server 2012 support coming up), Terminal Servers, Sharepoint Servers, Citrix Servers, Exchange Servers and so on.

We're just so into making Syspeace the number one product for intrusion prevention on Windows servers and a natural part of any Windows server's baseline security, so that's where our main focus is.

From time to time, our administrative efforts get left behind.

One of the most common questions, actually by far the most common question, emailed to our support has been this: when you wanted to buy a license for Syspeace, you'd forgotten your password, and we provided you with a password reset link manually.
From one point of view, we're happy to talk to you and help you out, but of course a password reset should be automated to help you get your licenses as soon as possible.

So, finally, we've now implemented a "Password reset" feature on the licensing page. Simply fill in the email address you used when you registered and a password reset link will be emailed to you.

We've also made the instructions clearer in the email you receive when you buy a license: you actually won't have to do anything.

The trial license you're running will automatically be verified as a valid, live license the next time your Syspeace installation contacts the license server.

So, in short, you won’t have to wait for a license number to be sent to you since you’ve already got it.

PS. As a heads up, we'll be releasing SQL Server support, and we're also working on a GUI feature to easily sort, search, find and export various reports to CSV files. D.S.

by Juha Jurvanen

Securing Cloud services from dictionary attacks – hack yourself and check your Cloud providers' / outsourcing providers' security and response

The more we move our data to various Cloud services and to outsourcing companies, the more we also need to take into account what that means from a security perspective.

Prior to a move to Cloud services, a company could keep track of how communications are secured, they could set their own account lockout policies and monitor all logfiles in order to keep security at the desired level.

With the popularity of Cloud services becoming more widespread, a lot of the possibilities for this kind of control and tightened security have disappeared. As a Cloud user you rarely get any indication that someone is, for instance, trying to use your username and password to gain access to your Microsoft Exchange webmail, also called OWA.

A hacker can probably try to guess your password with a brute force attack or dictionary attack for quite some time and nothing really happens. The protective measures at the Cloud service provider are most likely unknown to you, and you will not get a notification that something might be going on.

An easy way for you to verify this is actually to try to hack yourself. By this I mean: try to log in to your account, but with an invalid password. See what happens. Is your account locked out? Does the OWA disappear for you, indicating your IP address has been locked down by some security countermeasure?
Are you, as a customer and user, notified and alerted in any way of the attempt? This is of course also a simple test you can do against your own company's webmail if you want to, although the server team won't like it when you point out the problem.

Keep in mind that it would take quite some time to do each logon manually, but hackers don't do this manually. They use special software for this that is freely available for download, and they can generate thousands and thousands of logon attempts in a few minutes.

From the Cloud Service provider point of view, this has been a big problem for years. Brute force prevention and dictionary attack prevention on especially the Windows server platform has always come with lots of manual labor and high costs so it’s usually not even dealt with.

From the user's point of view, there's not really that much you can do about it, other than verify what happens if you try and then ask your service provider for a solution if you're not happy with the result after hacking yourself.

If you're running Virtual Private Servers (VPS) with Windows you should consider this too, just as a Cloud Service provider should.

As an important piece of the puzzle of the security systems that need to be in place, and as a natural part of the server baseline security configuration, have a look at Syspeace, an easy to use, easy to deploy and configure brute force prevention software that automatically blocks the intruder's IP address, tracks it and reports it to the system administrator, without causing the legitimate user's account to be locked out and with no manual intervention at all.

Syspeace works by monitoring the server's event logs and is triggered by unsuccessful login attempts as reported by a process called Windows Authentication.

With this method, there is out of the box protection for Citrix, Microsoft Terminal Server, Sharepoint, Exchange Server and more. There is also a Global Blacklist, offering preemptive protection from well known hackers around the world.

If you're a Cloud Service provider, or if you are running or hosting any Windows servers you want protected, download a free trial from Syspeace trial download and see for yourself how easily you can get rid of a big problem, and at a low cost.


Posted with WordPress for Android.
Juha Jurvanen
Senior IT consultant in backup, server operations, security and cloud. Syspeace reseller in Sweden.

JufCorp