Syspeace 3.0.0

January 10, 2018

Syspeace 3.0.0 contains many new features, user interface improvements, performance improvements and bug fixes.

Country blocking

  • Added a way for Syspeace to instantly block an attacker from a particular country or region as soon as the first detectable login attempt happens.
    • The detection will happen whenever a login attempt is detected with one of the supported detectors – Windows login, SQL Server, SMTP Exchange or any extra or third-party detectors that may be installed.
    • Traffic outside of these detectors – like web traffic or pings – will not trigger this country detection.
    • The particular countries to block are defined by adding rules in Settings -> Country rules.
    • When a particular IP address is blocked due to country blocking, this block will expire after a fixed amount of time, also defined in each rule.
    • The icon of a block in the main window will be the country flag if a country block has been involved.
    • The GeoLite2 database from MaxMind is used to provide local IP-address-to-country lookups.
    • The database is automatically updated when a new version is available, assuming the MaxMind update server is reachable.
    • Overrides to the data can be added manually in Settings -> GeoIP data overrides. Note that overrides are effective as new traffic comes in, but does not change the country of already recorded login attempts.
    • Internal and reserved addresses are explicitly logged as the pseudo-countries Internal and Reserved.

User interface and other user experience improvements

  • Syspeace now includes a Live observations settings pane to see login attempts as they are detected by Syspeace.
  • Syspeace now attempts to detect and warn about the situation where the Windows Firewall is managed by third-party software. In these cases, the third-party software is likely to ignore rules added by Syspeace. When on the Automatic setting for Blocking provider, this causes Syspeace to fall back to the IP Security Policy blocking provider, which works.
  • Deleting a detector rule or country rule now requires confirmation.
  • Syspeace now logs on startup.
  • Syspeace logs more of the RDP + Windows login event matching process.
  • Syspeace now notes in the Stop mail message and event when the service is stopped by a Stop button press in the Syspeace client.
  • The reports/messages that are sent when a block is added or removed are now called “block is added/removed” instead of “rule is added/removed”. Rule referred to firewall rule, used as blocking instructions, but was confusing because of Syspeace’s own rules which were not involved.
  • Many small improvements to user interface across IP links, Access log, Export settings, etc.
  • Added Acknowledgements of other code, resources and data sources.
  • Fix validation of SMTP settings to ensure the “Send from” setting is a valid email address.
  • Syspeace now prevents saving rules when the failure window or lockout duration exceeds 20 days. Existing rules are automatically capped to 20 days. Syspeace 2.x’s engine has never allowed blocks longer than this to be consistently maintained, so this limit reflects actual behavior.
  • The IP information panel that appears when you click green underlined IP addresses or ranges now contains the resolved DNS hostname for internal addresses and has buttons to copy the IP address or (for ranges) CIDR masks.

Performance and accuracy improvements

  • RDP event logs are now interpreted with a higher degree of accuracy.
  • Traffic-based IP detection for RDP is now improved, detects failures even if a TLS Encrypted Alert packet is not involved, detects successful logins and handles cases where not all network interfaces allow access to the traffic (such as with some VPN interfaces). It is now also available on Windows Server 2012 and 2012 R2.
  • When using the IP Security Policy blocking provider, the blocking instructions are updated significantly quicker.
  • When using the Windows Firewall blocking provider, fewer rules are kept (grouped based on the starting byte in the IP address) and updated more efficiently.
  • Memory usage optimized when checking IP addresses against the whitelist.
  • The repeated process to pair RDP events with Windows login events now does not run unless there are events to match.
  • Syspeace now does not record login attempts originating from loopback addresses in the block 127.0.0.0/8, such as 127.0.0.1, since it will be impossible to block traffic from the computer’s own loopback interface.

Fixes

  • Fixed a potential crash when Syspeace was processing information about the login attempts for an IP address when new login attempts were being recorded.