Troubleshooting Syspeace

An interesting support case came to our attention recently.

A customer claimed that Syspeace wouldn’t block according to the rules.

The brute-force attacks continued even after the attacking addresses should have been blocked.

We checked the usual culprits: that .NET is fully patched, that the customer is running the latest Syspeace version, that logging is enabled and that the Windows Firewall is turned on.

The rules were added to the firewall as expected, but they had no effect.

After a lot of troubleshooting the root cause was found.

The customer’s server did indeed have the firewall enabled, but only for one of the three firewall profiles (Domain, Private, Public), and unfortunately the network the server was connected to was not classified under that profile. A profile whose firewall state is Off enforces no rules at all, so the block rules Syspeace added were present in the rule set but never took effect.

So, as a general troubleshooting tip: check which profile your firewall is enabled for and verify that it is the profile the server’s network connection actually falls under, or simply enable the firewall for all three profiles.
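The check described above, as an added example (this is not Syspeace’s own code): it lists the profile each connected network is classified under and whether the firewall is enabled for that profile, which is exactly the mismatch in the support case. It assumes the NetSecurity cmdlets, so Windows Server 2012 / PowerShell 3.0 or later; on older servers compare the output of netsh advfirewall show allprofiles state against the network type shown in Network and Sharing Center.

```powershell
# Added example, not Syspeace code. Requires Windows Server 2012 / PowerShell 3.0
# or later (Get-NetFirewallProfile, Get-NetConnectionProfile). Run as administrator.

function Get-FirewallProfileCoverage {
    # Firewall state per profile: Domain, Private, Public
    $profiles = Get-NetFirewallProfile

    # Which profile each active network connection is actually classified under.
    # NetworkCategory is Public, Private or DomainAuthenticated; the last one
    # maps to the "Domain" firewall profile.
    foreach ($net in Get-NetConnectionProfile) {
        $profileName = if ($net.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($net.NetworkCategory)" }
        $state = $profiles | Where-Object { $_.Name -eq $profileName }
        [pscustomobject]@{
            Interface       = $net.InterfaceAlias
            Profile         = $profileName
            FirewallEnabled = ($state.Enabled -eq 'True')
        }
    }
}

$coverage = Get-FirewallProfileCoverage
$coverage | Format-Table -AutoSize

# Any connection whose profile has the firewall turned off is one where
# block rules exist but are never enforced.
$uncovered = @($coverage | Where-Object { -not $_.FirewallEnabled })
if ($uncovered.Count -gt 0) {
    "Firewall is OFF for the profile in use on: $($uncovered.Interface -join ', ')"
    "Block rules will not take effect there. Fix (as administrator):"
    "  Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True"
} else {
    "Firewall is enabled for every profile currently in use."
}
```

Enabling all three profiles, as the last line suggests, removes the dependency on how Windows happens to classify the network, which can change after a NIC or domain change.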

The usual troubleshooting tips we give are described in the troubleshooting section of the manual:

1. Make sure you’ve enabled the firewall (as described in Firewall), preferably on all three profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping (you should see a message saying Hello from Stockholm., followed by the local time of the server and the recommended Syspeace version).

4. In some instances, when running Terminal Server or Remote Desktop Services, the Windows server itself fails to record the source IP address of the login attempt. You can verify this by checking the Security event log for the failed logon event and looking at the Source Network Address: field; sometimes that entry is empty, which leaves Syspeace nothing to block. Syspeace will attempt to corroborate the IP address from other logs, but if it doesn’t find one there is not much that Syspeace can do.

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempt to log in several times, so two failures may be part of one login attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Because it counts failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation that is not whitelisted and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command (share name, user name and password are placeholders; the point is to generate failed logons): net use * \\<server name or IP address>\anyshare /user:syspeacetester "anypassword"

9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs, please create a .zip file of the log files, include any relevant information from the Windows event logs (Application, System and Security and, when applicable, the Syspeace event log), also create a .zip file of the database, and email them directly to the dev team. The email address can be found in the manual.

11. If your server doesn’t pick up the source IP address in your event log, please have a look at this blog article.

12. If your database has grown above the size limit of 4 GB, in the current version (2.5.2) you will have to manually delete the database and set up Syspeace again. This has been fixed in the upcoming version.
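Tips 4 and 7 above are easiest to understand by looking at the failed-logon events themselves. The following is an added example, not Syspeace’s code: it turns event ID 4625 records into plain objects, sets aside the ones whose Source Network Address is empty (nothing to put in a firewall rule), and counts failures per source IP inside a time window the way a threshold rule would. The threshold (5) and window (30 minutes) are illustrative values, not Syspeace’s defaults, and the sample events are constructed with documentation-range addresses; the commented lines at the end show how to feed the real Security log through the same function.

```powershell
# Added example, not Syspeace code. PowerShell 3.0 or later.

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # objects with Time, IpAddress, User
        [int] $Threshold = 5,        # failures that trip a block (illustrative value)
        [int] $WindowMinutes = 30    # ...within this many minutes (illustrative value)
    )
    $unblockable = 0
    $wouldBlock  = @()

    # Failures the server logged without a usable source address ("-" or empty):
    # there is no IP to block, so they are only counted, never acted on.
    $usable = foreach ($e in $Events) {
        if ([string]::IsNullOrWhiteSpace($e.IpAddress) -or $e.IpAddress -eq '-') { $unblockable++ }
        else { $e }
    }

    # Count failures, not attempts: one logon can produce two 4625 events, so a
    # rule can trip sooner than the number of typed passwords suggests (tip 7).
    foreach ($group in ($usable | Group-Object -Property IpAddress)) {
        $times = @($group.Group | ForEach-Object { $_.Time } | Sort-Object)
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) { $wouldBlock += $group.Name; break }
        }
    }

    [pscustomobject]@{
        TotalFailures    = $Events.Count
        NoSourceAddress  = $unblockable
        SourcesOverLimit = $wouldBlock
    }
}

# Constructed sample input (not real log data): 203.0.113.7 fails six times in
# ten minutes, 198.51.100.9 fails twice forty minutes apart, and two failures
# carry no source address at all.
$t0 = Get-Date '2014-02-05 09:00:00'
$sample = @(
    0, 2, 4, 6, 8, 10 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_); IpAddress = '203.0.113.7';  User = 'administrator' } }
    0, 40             | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_); IpAddress = '198.51.100.9'; User = 'backup' } }
    5, 7              | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_); IpAddress = '-';            User = 'sa' } }
)
Get-FailedLogonSummary -Events $sample

# Against the real Security log (run as administrator, Windows Server 2008 or
# later). In the 4625 event data, index 19 is IpAddress (the "Source Network
# Address" shown in Event Viewer) and index 5 is TargetUserName.
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $_.Properties[19].Value; User = $_.Properties[5].Value } }
# Get-FailedLogonSummary -Events $real
```

The sample is built so that only 203.0.113.7 crosses the threshold and the two address-less failures land in NoSourceAddress; on a real Terminal Server a large NoSourceAddress count is the symptom tip 4 describes.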

by Juha Jurvanen

#Syspeace stops due to license server inaccessible on #Windows Server 2003 #infosec

Syspeace service stops because the license server is not reachable on Windows Server 2003

We’ll update the troubleshooting section with info for Windows Server 2003, but here’s why this can occur.

Root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

> The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

> If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing just the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki . Importing that single root, rather than the whole root update package, keeps the server’s issuer list well under the Schannel limit quoted above.
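An added check for the steps above (not Syspeace’s code): it looks for the Go Daddy Class 2 root in the machine’s Trusted Root store, imports only that one file if it is missing, and then confirms the license server answers. It assumes the certificate was downloaded to C:\temp\gd-class2-root.crt and that the store entry can be recognised by the subject text “Go Daddy Class 2”; adjust both if your copy differs. Everything used here exists on Windows Server 2003 with PowerShell 2.0 installed.

```powershell
# Added example, not Syspeace code. Run as administrator.
$certFile = 'C:\temp\gd-class2-root.crt'   # assumed download location

# 1. Is the root already trusted machine-wide?
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Go Daddy Class 2*' }   # assumed subject text

if (-not $present) {
    "Go Daddy Class 2 root not found in LocalMachine\Root; importing $certFile"
    # Import one certificate only. Installing the full root update package
    # can push the issuer list past the 0x3000 limit quoted above.
    certutil -addstore Root $certFile | Out-Null
} else {
    "Go Daddy Class 2 root already present: $($present.Thumbprint)"
}

# 2. Can the server now reach the license server over HTTPS?
try {
    $reply = (New-Object System.Net.WebClient).DownloadString('https://s.syspeace.com/ping')
    "License server reachable: $reply"
} catch {
    "License server NOT reachable: $($_.Exception.Message)"
}

# 3. Has Schannel complained about an over-long issuer list recently?
Get-EventLog -LogName System -Newest 1000 |
    Where-Object { $_.Source -like 'Schannel*' -and $_.EventID -eq 36885 } |
    Select-Object TimeGenerated, Message
```

If step 2 still fails after the import, the intermediate chain or the server’s TLS settings are the next thing to look at; step 3 tells you whether the issuer-list truncation described in the KB article is what is biting.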

#infosec #cloudsecurity #Syspeace – Host Intrusion Prevention Software on an external #Windowsserver #VPS in the #Cloud #IaaS #PaaS

Syspeace – Host Intrusion Prevention Software on an external Windows Server VPS in the Cloud


Syspeace - intrusion prevention for Windows servers

There are many variations of IaaS / PaaS / Cloud services.
Some are public clouds, some are hybrids and some are private.
There’s also the possibility to rent an external VPS and use it as a server at quite a few providers nowadays.

The IaaS/PaaS (Infrastructure as a Service / Platform as a Service) provider gives you access to a virtual server sized to your needs in terms of RAM and storage. Basically, it’s usually an empty server with an operating system.

Running IT solutions on an external VPS decreases the need for hardware investments, but there are still things you need to consider, and you need to manage your server the same way you would any physical server in terms of monitoring security and the availability of services and applications.

Logically, the server is reachable from the Internet, which will make it a target.
Anything that is reachable will be targeted for intrusion attempts. The responsibility of the IaaS/PaaS provider is simply to provide you with the hypervisor needed to host your operating system; the rest is up to you. You install the applications, web servers and everything else just as you would on a normal physical server.

Some security-aware IaaS/PaaS/Cloud service providers do have some kind of app shop or control panel where you can get preconfigured software such as an antivirus or even Syspeace for intrusion prevention, but it’s not that common.

Remember that your VPS shares IP space with other customers on the network at your provider, and you have absolutely no idea what your ”neighbors” are doing or whether they are the slightest bit security aware.
They may have been hacked without you knowing it (or them either, for that matter), they could have the IP address right next to yours, and their server could be used, for instance, for port scanning or hacking attempts against your VPS (I’ve seen this quite a few times now).

Your IaaS/PaaS provider usually wouldn’t know, since it’s not their responsibility. Their role is simply to provide you and their other customers with a VPS. Nothing more: no security monitoring, no antivirus, no application or service monitoring.
In case of a larger DDoS attack they probably have ways to handle it if it concerns their entire network and affects a lot of their customers, but when it comes to attacks specifically targeted at your VPS and your users on it, it’s a bit trickier.

Imagine the scenario: you’ve set up a server, you’ve got your users set up, installed your applications and services, and it’s up and running. Now remember that there’s no connection between your user database and login mechanisms locally on the VPS and your IaaS/PaaS provider’s systems, so they’ll never get any alarms if someone is trying to brute force your server or your web application. They will be alerted in case of a large DDoS attack against their entire network, but they will not be alerted in case of a brute-force attack targeted at your VPS.
So, in short, it’s all up to you. There’s no difference apart from your not running the server in your own datacenter or at a hosting company.

Protecting your Windows Server, Exchange, Terminal Server / RDS, Sharepoint, SQL Server, Citrix and more from intrusion attempts

If you’re running a Windows server as a VPS you need to set up Syspeace to automatically handle intrusion attempts and have them blocked, tracked and reported against the Syspeace Global Blacklist.
You also need to secure the server in other ways: run an antivirus, have your services monitored, and have your web application login form secured both from malicious code and from brute-force logins (this is also where Syspeace comes into play, since there are plugins available for various web platforms to use against brute-force attacks).

Syspeace is an automated Host Intrusion Prevention System (also called a HIPS) targeted at protecting Windows servers, Exchange and OWA, Sharepoint, Terminal Server / RDS and the RDWeb login, Citrix, SQL Server and more from brute-force / dictionary attacks. It is easy to install and easy to manage; you’ll set it up in a couple of minutes and you’re protected. Instantly.

As I’m writing this, Syspeace has successfully blocked, tracked and reported over 2 921 200 (2.9 million) brute-force and dictionary attacks against Windows servers worldwide.

Have a look at the Syspeace website for a free trial download, or keep reading some of the previous articles I’ve written on various security aspects of server management, such as Using various brute force and dictionary attack prevention methods to prevent hackers – and why they don’t work and Securing your #WinServ and #MSExchange with an acceptable baseline security.

By Juha Jurvanen @ JufCorp

#infosec VPS and #Cloud servers used for brute force attacks and #botnets against #WinServ and #MSExchange


Is your VPS used for brute force attacks?

or I could also have called this post ”Do you know whom your VPS is hacking today?”

A trend that has surfaced over the years is to simply hire computing power in the Cloud in various forms and shapes. The basic idea is to get rid of the hardware and maintenance of servers and have someone else take care of it. This is also known as Infrastructure as a Service, or IaaS.

The problem, though, is that even if you use a hosted VPS you still have to manage it. This is something that a lot of users and companies tend to forget or neglect.

What you’ve basically done is get rid of the hardware hassle, but you still have to take care of the Windows patching and manage security issues as with any Windows server (or Linux, for that matter).

There aren’t that many Cloud services out there that will also manage the security and management aspects of your VPS, and you really need to think these things through.

The reason for this post is that for some time now, a VPS located at a Swedish Cloud Service provider has been trying to brute force its way into quite a few different servers with #Syspeace installed on them.
The attacks, targeted against RDP / Terminal Servers, Exchange Servers and Sharepoint Servers in this case, have been blocked, tracked and reported automatically, but the big question is whether whoever owns or hires this VPS is even aware of what is going on, or if it’s hired especially for this purpose. This is actually impossible to know.

In this specific case this VPS has been going on and on for a while, and it has targeted at least 5 different customers of mine with Syspeace installed and at least about 12 servers.
All attacks have been successfully blocked, tracked and reported, and eventually this VPS will end up in the Syspeace Global Blacklist (GBL) and be propagated to all other Syspeace installations around the world, where it will be blacklisted for all of them, thus securing them preemptively from any brute-force / dictionary attacks from this VPS.

Most likely the Cloud Service Provider doesn’t know what’s going on, since it’s not really their responsibility. Maybe the user or customer hiring the VPS does this on purpose, or they have no idea that the VPS has been compromised and is being used for this hacking activity. I just don’t know. All I know is that it has been conducting a lot of dictionary attacks lately.

What I’m driving at is that if you decide to start using a hosted VPS, you still have the responsibility to manage it like any other server.
You need to have it correctly patched, have an antivirus on it, make sure all security settings are correct, and you need to monitor activity on it.

You should also ask your Cloud Service provider for intrusion prevention from Syspeace, since you basically have no idea what all of the other customers’ VPSs are really doing in your shared network, as you have no control over them.

Most Cloud Service Providers could implement Syspeace in their various application portals or have Syspeace installed in the prepared images for customers. If your provider hasn’t implemented Syspeace yet, you can simply download it yourself from http://www.syspeace.com/free-download/download-plus-getting-started-with-syspeace/

Your ”neighbors” at the Cloud Service could be trying to brute force their way into your VPS, and you probably wouldn’t have a clue if you haven’t turned on logging and installed brute-force prevention software for Windows servers.

By Juha Jurvanen @ JufCorp

Another weekly report of prevented intrusions against #Windowsservers by #Syspeace

Reported and blocked intrusion attempts against Windows Server

This is another report generated at a single server for one week. This isn’t actually a highly targeted server compared to a lot of the servers running Syspeace out there, but it does give you an idea of how common dictionary attacks and brute-force attacks are.
All of these attacks were successfully blocked, tracked and reported by Syspeace.

If you want to see whether your Windows servers, Terminal Servers, Exchange and OWA, Citrix, Sharepoint or SQL Server are targeted, simply download a fully functional 30 day trial of Syspeace and see for yourself.
You might be surprised.

Report for week 2014-02-03 – 2014-02-09

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 5 ; Russian Federation (RU)
31.168.75.16 11 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
37.49.224.172 3 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
77.31.241.106 1 ; Saudi Arabia (SA)
77.72.55.67 1 ; Denmark (DK)
78.40.146.2 7 spider.man.kcahost.co.uk; United Kingdom (GB)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
80.250.173.121 1 ; Russian Federation (RU)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 3 82-166-16-190.barak-online.net; Israel (IL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
83.218.73.146 1 ; Sweden (SE)
85.17.24.130 3 hosted-by.leaseweb.com; Netherlands (NL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
109.247.81.115 1 ; Norway (NO)
117.121.25.16 1 ; China (CN)
119.146.85.18 6 ; China (CN)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
180.96.11.24 1 ; China (CN)
185.2.155.18 10 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 2 ; Austria (AT)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
202.105.224.22 1 ; China (CN)
203.146.30.32 5 ; Thailand (TH)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)
213.243.63.116 1 VCENTERB; Turkey (TR)
217.15.198.140 1 ; Russian Federation (RU)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x5
01
02 x1
03 x4
04 x4
05 x1
06 x3
07 x3
08
09 x6
10 x2
11 x6
12 x6
13 x5
14 x4
15 x7
16 x6
17 x3
18 x5
19 x4
20 x4
21 x4
22 x3
23 x6

– 2014-02-03 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 1 ; Russian Federation (RU)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
78.40.146.2 6 spider.man.kcahost.co.uk; United Kingdom (GB)
80.250.173.121 1 ; Russian Federation (RU)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
109.247.81.115 1 ; Norway (NO)
180.96.11.24 1 ; China (CN)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
213.243.63.116 1 VCENTERB; Turkey (TR)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x2
04
05 x1
06
07 x1
08
09 x1
10 x1
11 x1
12
13 x3
14
15 x1
16 x1
17
18
19
20 x1
21
22
23 x2

– 2014-02-04 —

IP address Times Host name and country
——————– —– ——————————-
37.49.224.172 1 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
117.121.25.16 1 ; China (CN)
119.146.85.18 1 ; China (CN)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06
07
08
09 x1
10
11 x1
12
13 x1
14 x2
15 x1
16 x1
17
18 x1
19
20
21 x1
22
23 x1

– 2014-02-05 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 4 ; Russian Federation (RU)
37.49.224.172 2 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
83.218.73.146 1 ; Sweden (SE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
119.146.85.18 2 ; China (CN)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 1 ; Austria (AT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)

Hourly breakdown (blocks per hour)
00
01
02 x1
03 x1
04 x2
05
06 x2
07
08
09 x2
10
11 x1
12 x3
13
14
15 x3
16
17 x2
18 x3
19 x1
20 x1
21 x2
22 x1
23

– 2014-02-06 —

IP address Times Host name and country
——————– —– ——————————-
77.72.55.67 1 ; Denmark (DK)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
119.146.85.18 2 ; China (CN)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04
05
06
07
08
09 x1
10
11 x2
12 x1
13
14
15
16
17
18 x1
19 x1
20
21 x1
22
23

– 2014-02-07 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 5 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
119.146.85.18 1 ; China (CN)
202.105.224.22 1 ; China (CN)
217.15.198.140 1 ; Russian Federation (RU)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x1
04
05
06
07 x1
08
09
10
11
12
13
14 x1
15 x1
16 x2
17
18
19
20
21
22
23 x1

– 2014-02-08 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 6 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
77.31.241.106 1 ; Saudi Arabia (SA)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 1 hosted-by.leaseweb.com; Netherlands (NL)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
188.20.178.75 1 ; Austria (AT)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06 x1
07 x1
08
09
10
11
12 x2
13
14
15 x1
16 x2
17
18
19 x1
20 x1
21
22 x1
23 x1

– 2014-02-09 —

IP address Times Host name and country
——————– —– ——————————-
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
78.40.146.2 1 spider.man.kcahost.co.uk; United Kingdom (GB)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 2 hosted-by.leaseweb.com; Netherlands (NL)
203.146.30.32 3 ; Thailand (TH)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x1
01
02
03
04
05
06
07
08
09 x1
10 x1
11 x1
12
13 x1
14 x1
15
16
17 x1
18
19 x1
20 x1
21
22 x1
23 x1

Generated 2014-02-10 00:03:15 for machine ****.****.**** by Syspeace v2.3.1.0


By Juha Jurvanen


A walkthrough of getting #Syspeace licenses and how it works

Getting #Syspeace licenses and how it works.

From time to time we get an email from customers who have bought their Syspeace licenses and ask for the license key that they expect to get in an email.

Here’s a walkthrough of how #Syspeace licensing actually works.

First you install a #Syspeace trial, register a valid email address and choose a password (this is done in the initial setup of Syspeace).

The license key is then emailed to that address.
This is the key that will also become the live license when you buy the license; there is no separate license key mailed to you when you purchase licenses.

Once you purchase the license, the Syspeace client will automatically be updated upon the next contact with the license server, when it requests a new token to validate the license, or the next time it is restarted.

If you want to extend your Syspeace license to be valid for more servers, simply log in to the Syspeace licensing page, extend your license and install Syspeace on the additional servers using the same license key.

When you extend the license, you also have the ability to align license renewals to fit your needs. As an example, if you bought a Syspeace license in April for 3 #Windowsservers and two months later you install an additional server, the easiest way is to extend the running license by simply adding a fourth server. This way you don’t have an administrative nightmare trying to remember various license renewals for different servers.

If you’ve bought your license through a reseller, they’ll manage all of the administration for you.

Have a try for yourself: download a free, fully functional trial of Syspeace and have your #Windows #Server, #Exchange and #OWA, #SQL, #Citrix, #Terminal #RD #RDweb, #Sharepoint and more automatically #intrusion protected in a minute.

#bruteforce attacks and #dictionary attacks blocked, tracked and reported.

So far, #Syspeace has blocked 2 042 900 #intrusion attempts worldwide!

By Juha Jurvanen – Syspeace reseller at JufCorp and independent IT Consultant