The default rule of Syspeace is that if an intruder fails to login more than 5 times within 30 minutes, the intruders IP address is blocked, tracked and reported for 2 hours and simply is denied any access to the server.
A new trend though has emerged and that is for bruteforce attackers to “slowgrind” through servers, trying to stay “under the radar” really from IDS/IPS HIPS/HIDS such as Syspeace.
They’ve got thousands and thousands of computers at their disposal so they’ll basically just try a few times at each server and then move on to next one in the IP range or geographical location hoping not to trigger any alarms or hacker countermeasures in place.
An easy way to battle this is actually simply to change the default rule in Syspeace from the time windows of 30 minutes to for example 5 days.
This way, I’m pretty sure you’ll see there are quite a few attackers that only tried two or three times a couple of days ago and they’re back again but still only trying only a few times.
With the “5 day” windows, you’ll catch and block those attacks too.
Here’s actually a brilliant example of an attack blocked, using a 4 day window (IP address and domain name intentionally removed/switched).
Blocked address 198.51.100.120 (*.*.secureserver.net) [China] until 2014-08-11 15:06:00
Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Lockout time: 02:00:00
Previous observations of this IP address:
2014-08-11 13:05:51 ****administrator
2014-08-10 22:06:48 ****administrator
2014-08-10 06:39:12 ****administrator
2014-08-09 15:39:52 ****administrator
2014-08-09 00:32:05 ****administrator