Troubleshooting Syspeace

An interesting support case came to our attention recently.

A customer claimed that Syspeace wouldn’t block according to the rules.

The bruteforce attacks would continue , even after they should have been blocked.

We checked the ususal culprits (verify that the .Net is fully patched, that the customer is running the latest Syspeace version, verify that logging is enabled and that the firewall is turned on )

The rules were added as expected in the firewall but they didn’t have any effect.

After a lot of troubleshooting the root-cause was found.

The customers server did indeed have the firewall enabled but only in one of the firewall profiles (public, private, domain) and unfortuantely, the network used was not the one the firewall was enabled for, hence, nothing was blocked as expected. The rules were added but did not take effect in the expected amount of time

So, as a general troubleshooting tip , check how your firewall is enabled and verify that it indeed is the correct network profile in there, or, enable the firewall for all three profiles.

The usual troubleshooting tips we give are described in the manual in the troubleshooting section

1. Make sure you’ve enabled the firewall (as described in Firewall), firewall enabled, prefferably on all profiles.

2. Make sure you’ve enabled the auditing (as described in Windows login detection prerequisites).

3. Verify that the server can reach https://s.syspeace.com/ping . (You should see a message saying Hello from Stockholm. and the local time of the server and recommended Syspeace version)

4. In some instances, when running Terminal Server or Remote Desktop Services there’s actually the scenario where the Windows server itself fails to obtain the source IP address of the login attempt (you can verify this by checking the Windows event log and look for Source Network Address: ) Sometimes, that entry is empty, thus disabling Syspeace from actually having anything to block. Syspeace will attempt to corroborate the IP address from some other logs. If it doesn’t find any, there is not much that Syspeace can do.

5. In any applicable firewall or antivirus software, allow Syspeace access to https://s.syspeace.com/ (port 443).

6. Verify any proxy settings, if applicable.

7. Some methods of Windows authentication actually attempts to log in several times. Two failures may be part of one log in attempt. Syspeace has no way of knowing how many attempts were intended and has to work with the actual failures. Due to counting failures instead of attempts, rules may be triggered seemingly ahead of time.

8. One way of quickly verifying functionality is to use a workstation (not whitelisted) and attack your server with the net use command from the command prompt. After the number of tries defined in the current rules, the workstation should be blocked from communicating with the server. Example of the command: net use * \server name or server IP addressanyshare /user:syspeacetester ”anypassword”

9. If you want to submit logs to us, start Syspeace, go to Management → System settings, enable logging and start the service. The log file is created in a subfolder of the Syspeace installation folder.

10. When submitting logs,
Please create a .zip file of the logfiles, include any relevant information from Windows Eventlogs (application, system and security and when applicapble, the Syspeace eventlog ) and also create a .Zip-file of the database and email them directly to the devteam . The email address can be found in the manual

11. If your server doesn’t pick up the source IP address in your eventlog , please have a look a this blog article

12. If your database has grown above the size limit of 4 GB, in the current version ( 2.5.2) you will have to manually delete the database and set up your Syspeace again. in the upcoming version this has been fixed.

by Juha Jurvanen

How to battle slowgrind #bruteforce attacks against #msexchange #windows server #remotedesktop #sharepoint with #Syspeace

Syspeace automatically blocks attacks that occur according to the rules.
The default rule is that if an intruder fails to login more than 5 times within 30 minutes, the intruders IP address is blocked, tracked and reported for 2 hours and simply is denied any access to the server.

A new trend though has emerged and that is for bruteforce attackers to ”slowgrind” through servers, trying to stay ”under the radar” really from IDS/IPS HIPS/HIDS such as Syspeace.
They’ve got thousands and thousands of computers at their disposal so they’ll basically just try a few times at each server and then move on to next one in the IP range or geographical location hoping not to trigger any alarms or hacker countermeasures in place.

An easy way to battle this is actually simply to change the default rule in Syspeace from the time windows of 30 minutes to for example 5 days.

This way , I’m pretty sure you’ll see there are quite a few attackers that only tried 2 or three times a couple of days ago and they’re back again but still only trying only a few times.

With the ”5 day” windows, you’ll catch and block those attacks too.

Here’s actually a brilliant example of an attack blocked, using a 4 day window.

Blocked address 121.31.114.99() [China] 2014-08-11 15:06:00
Rule used (Winlogon):
        Name:                   Catch All Login
        Trigger window:         4.00:30:00
        Occurrences:            5
        Lockout time:           02:00:00
        Previous observations of this IP address:
        2014-08-11 13:05:51     aksabadministrator
        2014-08-10 22:06:48     aksabadministrator
        2014-08-10 06:39:12     aksabadministrator
        2014-08-09 15:39:52     aksabadministrator
        2014-08-09 00:32:05     aksabadministrator

Syspeace has blocked more than 3 285 300 intrusion attempts against Windows Servers worldwide so far.

Syspeace - intrusion prevention for Windows servers
Syspeace website

Another weekly report of prevented intrusions against #Windowsservers by #Syspeace

Reported and blocked intrusion attempts against Windows Server

This is another report generated at a single server for one week. THis isn’t actually a highly targeted server compared to a lot of the servers running Syspeace out there but it does you you an idea of how common it is with dictionary attacks and brute force attacks.
All of these attacks were succesfully blocked, tracked and reported by Syspeace.

If you want to see if your Windows servers, Terminal Servers, Exchange and OWA, Citrix, Sharepoint, SQL server are targeted,  simply download a fully functional 30 day trial of Syspeace and see for yourself.
You might be surprised.

Report for week 2014-02-03 – 2014-02-09

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 5 ; Russian Federation (RU)
31.168.75.16 11 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
37.49.224.172 3 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
77.31.241.106 1 ; Saudi Arabia (SA)
77.72.55.67 1 ; Denmark (DK)
78.40.146.2 7 spider.man.kcahost.co.uk; United Kingdom (GB)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
80.250.173.121 1 ; Russian Federation (RU)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 3 82-166-16-190.barak-online.net; Israel (IL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
83.218.73.146 1 ; Sweden (SE)
85.17.24.130 3 hosted-by.leaseweb.com; Netherlands (NL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
109.247.81.115 1 ; Norway (NO)
117.121.25.16 1 ; China (CN)
119.146.85.18 6 ; China (CN)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
180.96.11.24 1 ; China (CN)
185.2.155.18 10 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 2 ; Austria (AT)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
202.105.224.22 1 ; China (CN)
203.146.30.32 5 ; Thailand (TH)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)
213.243.63.116 1 VCENTERB; Turkey (TR)
217.15.198.140 1 ; Russian Federation (RU)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x5
01
02 x1
03 x4
04 x4
05 x1
06 x3
07 x3
08
09 x6
10 x2
11 x6
12 x6
13 x5
14 x4
15 x7
16 x6
17 x3
18 x5
19 x4
20 x4
21 x4
22 x3
23 x6

– 2014-02-03 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 1 ; Russian Federation (RU)
46.105.59.195 2 ; France (FR)
50.52.142.2 1 static-50-52-142-2.drhm.nc.frontiernet.net; United States (US)
78.40.146.2 6 spider.man.kcahost.co.uk; United Kingdom (GB)
80.250.173.121 1 ; Russian Federation (RU)
85.234.222.197 1 85.234.222.197.wls.11-bba11has1.adsl.dyn.edpnet.net; Belgium (BE)
109.247.81.115 1 ; Norway (NO)
180.96.11.24 1 ; China (CN)
194.243.151.67 2 rub067.te00.c2.interbusiness.it; Italy (IT)
213.243.63.116 1 VCENTERB; Turkey (TR)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x2
04
05 x1
06
07 x1
08
09 x1
10 x1
11 x1
12
13 x3
14
15 x1
16 x1
17
18
19
20 x1
21
22
23 x2

– 2014-02-04 —

IP address Times Host name and country
——————– —– ——————————-
37.49.224.172 1 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
82.199.95.156 2 STU-09-PC; Netherlands (NL)
117.121.25.16 1 ; China (CN)
119.146.85.18 1 ; China (CN)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.75.83.216 1 ; Iran, Islamic Republic of (IR)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06
07
08
09 x1
10
11 x1
12
13 x1
14 x2
15 x1
16 x1
17
18 x1
19
20
21 x1
22
23 x1

– 2014-02-05 —

IP address Times Host name and country
——————– —– ——————————-
5.141.82.190 4 ; Russian Federation (RU)
37.49.224.172 2 static-37-49-224-172-vstarvps.estroweb.in; Netherlands (NL)
62.20.107.114 1 ns.sdata.se; Sweden (SE)
74.95.168.97 1 74-95-168-97-Philadelphia.hfc.comcastbusiness.net; United States (US)
80.25.156.62 1 62.Red-80-25-156.staticIP.rima-tde.net; Spain (ES)
81.204.76.158 1 ip51cc4c9e.speed.planet.nl; Netherlands (NL)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
83.218.73.146 1 ; Sweden (SE)
90.230.83.147 1 90-230-83-147-no110.tbcn.telia.com; Sweden (SE)
119.146.85.18 2 ; China (CN)
148.160.16.132 1 host16-132.bornet.net; Sweden (SE)
185.2.155.18 5 WIN-LMHRI4L8OR1; Sweden (SE)
188.20.178.75 1 ; Austria (AT)
195.22.37.8 1 pedro.adsllink.cz; Czech Republic (CZ)
195.47.35.37 1 195.47.35.37.adsl.nextra.cz; Czech Republic (CZ)
213.96.201.224 1 224.Red-213-96-201.staticIP.rima-tde.net; Spain (ES)

Hourly breakdown (blocks per hour)
00
01
02 x1
03 x1
04 x2
05
06 x2
07
08
09 x2
10
11 x1
12 x3
13
14
15 x3
16
17 x2
18 x3
19 x1
20 x1
21 x2
22 x1
23

– 2014-02-06 —

IP address Times Host name and country
——————– —– ——————————-
77.72.55.67 1 ; Denmark (DK)
85.225.211.107 1 c-6bd3e155.222-6-64736c12.cust.bredbandsbolaget.se; Sweden (SE)
119.146.85.18 2 ; China (CN)
165.228.5.204 1 tayper1.lnk.telstra.net; Australia (AU)
198.200.30.110 1 198-200-30-110.dia.static.wsisd.net; United States (US)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04
05
06
07
08
09 x1
10
11 x2
12 x1
13
14
15
16
17
18 x1
19 x1
20
21 x1
22
23

– 2014-02-07 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 5 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
85.30.164.153 1 host-85-30-164-153.sydskane.nu; Sweden (SE)
119.146.85.18 1 ; China (CN)
202.105.224.22 1 ; China (CN)
217.15.198.140 1 ; Russian Federation (RU)

Hourly breakdown (blocks per hour)
00 x2
01
02
03 x1
04
05
06
07 x1
08
09
10
11
12
13
14 x1
15 x1
16 x2
17
18
19
20
21
22
23 x1

– 2014-02-08 —

IP address Times Host name and country
——————– —– ——————————-
31.168.75.16 6 bzq-75-168-31-16.red.bezeqint.net; Israel (IL)
77.31.241.106 1 ; Saudi Arabia (SA)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 1 hosted-by.leaseweb.com; Netherlands (NL)
132.199.96.83 1 pc1011103133.uni-regensburg.de; Germany (DE)
188.20.178.75 1 ; Austria (AT)
203.146.30.32 1 ; Thailand (TH)

Hourly breakdown (blocks per hour)
00
01
02
03
04 x1
05
06 x1
07 x1
08
09
10
11
12 x2
13
14
15 x1
16 x2
17
18
19 x1
20 x1
21
22 x1
23 x1

– 2014-02-09 —

IP address Times Host name and country
——————– —– ——————————-
37.28.157.63 1 d157063.artnet.pl; Poland (PL)
54.251.246.9 2 ec2-54-251-246-9.ap-southeast-1.compute.amazonaws.com; Singapore (SG)
78.40.146.2 1 spider.man.kcahost.co.uk; United Kingdom (GB)
82.166.16.190 1 82-166-16-190.barak-online.net; Israel (IL)
85.17.24.130 2 hosted-by.leaseweb.com; Netherlands (NL)
203.146.30.32 3 ; Thailand (TH)
222.186.32.224 1 mail.mxhichina.com; China (CN)

Hourly breakdown (blocks per hour)
00 x1
01
02
03
04
05
06
07
08
09 x1
10 x1
11 x1
12
13 x1
14 x1
15
16
17 x1
18
19 x1
20 x1
21
22 x1
23 x1

Generated 2014-02-10 00:03:15 for machine ****.****.**** by Syspeace v2.3.1.0

 

By Juha Jurvanen

Syspeace - intrusion prevention for Windows servers

Syspeace website

Intrusion prevention for Windows – Syspeace 2.3.1 released today!

We’re happy to annonunce that we’ve released 2.3.1 today!

The new release fixes some issues with reporting, non English OS, better error handling with communications failure to the license server and other fixes
http://syspeace.com/free-download/version-info/syspeace-231/

See the Syspeace website for a free, fully functional trial for intrusion prevention for Windows Servers, Exchange Servers, SQL Servers , Citrix, Terminal Server and more

Syspeace - intrusion prevention for Windows servers
Syspeace website

Syspeace for internal brute force protection on Windows Servers

After installing Syspeace , the tech guys started getting notifications that their Exchange Server was trying to login to another server and it was rejected. There was no reason for this server to do so whatsoever and it had not been noticed earlier so it’s hard to say when it actually started.

After disabling the whitelist for the LAN at the customer site they started getting mail notifications that every workstation on their LAN was actually trying to login to various servers using various usernames and password, hence a brute force attack/dictionary attack from the inside.

Most likely a trojan has been planted somewhere and it has infected the rest.

This is a fairly simple example of how Syspeace can actually reveal a security breach a customer wasn’t even aware of had occured.

It is totally up to any customer to use whitelists for the LAN but as a precaution, I personnally wouldn’t recommend it since it acutally gives you a great heads up that something has happened if a computer or multiple computers suddenly starts to try and login to servers they’re not supposed to.

As a system administrator, you get the chance to get attack automatically blocked, logged, traced and reported and you can have a closer at the computer responsible for the attack or have a word the user to see what’s going on.

You can even create extensive reports on all activity originating from that user or computer using the Access Reports section in Syspeace to get a more clear view on how long it’s been trying and so on.

Since Syspeace automatically protects failed logins using Winlogon authentication, your Windows servers are also protected from computers/users trying to use the ”net use” or ”map network drive” with invalid logon credentials trying to acces shares they’re not supposed to.

If you don’t have processes in place for scanning logs, saving them and monitoring every login activity, it will become grusome task to even know if there’s something going on at all. You simply won’t have the tools to do so.

Have your own servers run the fully functional Syspeace free trial and see if you get any unexpected login failures from the internal network and from Internet.
You might be surprised.

By Juha Jurvanen

Syspeace

Syspeace 2.3.0 released today – improved support for SQL Server on Windows Server 2003

We’re proud to annonuce the next release of Syspeace today!

For more details, please refer to http://www.syspeace.com/free-download/version-info/syspeace-230/

Provides Windows Server 2003 support for SQL Server-based blocking, a better interface for viewing current and possible blocks and improves behavior when Syspeace servers are unreachable. For more information about all improvements, see the full release notes.

New features
Syspeace now supports SQL Server-based blocking on Windows Server 2003.
The list in the status window has been replaced with a new list, containing a summary of current blocks and suspected upcoming blocks.
Suspected upcoming blocks refers to observed failed logins that have yet to trigger a rule.
For current blocks, the observed failed logins that triggered a rule are shown.
Single IP address entries show the geographical location if available.
The list can be filtered in the bottom left of the window. Current blocks based on observations are always shown. Blacklisted IP addresses can be shown or hidden.
IP addresses can directly be added to the local blacklist, removed from the local blacklist and added to the whitelist from the info pane directly. Current blocks can also be forgiven (the block is removed and the IP address’ failed login record starts over).

Other improvements
When the Syspeace client is started and there are Windows login rules enabled, Syspeace will check to make sure that the current security policy will allow logon failure audit events to be produced and warn if this is not the case. Without this properly set, Syspeace will not be able to detect Windows login failures.
The description for each entry in the local blacklist and whitelist can now be changed without having to recreate the entry.
Duplicate entries for IP addresses can no longer be added in the local blacklist and whitelist.
Syspeace’s behavior and stability when the Syspeace backend and license server is unreachable is improved.
Changes to bring the size of the local database down.
Fixed a bug preventing the removal of the ban corresponding to the last blacklist entry.
Improved migration from Syspeace 1.1.*.