Tutoriel Exchange 2019 - CrowdSec

Installation of CrowdSec to protect an Exchange server



I. Presentation

In this tutorial, we will see how to secure a Microsoft Exchange mail server with the CrowdSec collaborative firewall! Installing CrowdSec on a Microsoft Exchange server protects it against common attacks, but also against new threats.

For example, I am thinking of the ProxyNotShell vulnerability which made headlines in October 2022: CrowdSec is able to detect exploitation attempts and block malicious IP addresses, because a collection exists for IIS and for attacks based on the HTTP/HTTPS protocols. We can also cite more classic cases, such as a brute-force attack on the Exchange webmail interface.

By virtue of its function, an Exchange server will be more or less exposed to the Internet depending on the architecture of your information system (for example, the presence or absence of a reverse proxy). In any case, it needs to be able to communicate outward and to be reachable from outside in order to send and receive emails for your users’ mailboxes.

This same server will also be reachable via a webmail interface which allows users to check their emails from a browser. This implies the presence of an IIS web server, which hosts both the webmail and the Exchange admin center. Moreover, when an Exchange server is compromised during a cyberattack, it is mostly through HTTP/HTTPS access: hence the interest in protecting it.

Overview of Exchange Webmail (OWA)

This article follows on from my first article on installing an Exchange Server 2019 server. For the installation of Microsoft Exchange Server itself, I invite you to read my previous tutorial:

In addition, I also encourage you to restrict access to the Exchange admin center:

II. Setting up CrowdSec on Windows

A. Installing the CrowdSec agent

I already covered installing CrowdSec on Windows in a previous article, but that was the alpha version. Now, the CrowdSec agent for Windows is available as a stable version, which means that it is ready to be deployed in production.

Note: if you have installed the alpha version on your server, you must uninstall CrowdSec before installing this new version.

First of all, you have to download the MSI package from the official CrowdSec GitHub repository.

During installation, the CrowdSec MSI package will perform the following actions:

  • Installing CrowdSec itself
  • Windows Collection Integration (details are available here)
  • Registering the CrowdSec instance with the Central API
  • Registration of the CrowdSec service within Windows (automatic start)

Once downloaded, start the installation. Just follow the steps without making any changes. Then, allow about 2 minutes for the agent installation.

Install CrowdSec on Windows for Exchange Server

As soon as the CrowdSec agent is in place, we have access to the “cscli” command-line tool, which allows you to manage your CrowdSec instance from the command line.

To list current collections:

cscli collections list

To list the current bouncers (none by default):

cscli bouncers list

CrowdSec Windows - List collections and bouncers

B. Installing the IIS collection

On Windows, CrowdSec natively sets up the “crowdsecurity/windows” collection, but it is not enough to protect our Exchange server. We need to add the collection for IIS, which will implicitly add two more collections to detect web attacks.

This collection is installed with this command:

cscli collections install crowdsecurity/iis

A few seconds later, we can list the installed collections again to see the new collections.

CrowdSec Windows - List collections

Moreover, to back up what I said in the introduction about the ProxyNotShell vulnerability, we can look at the details of the “crowdsecurity/http-cve” collection. Here, we can see a detection scenario named “crowdsecurity/CVE-2022-41082” corresponding to this vulnerability.

cscli collections inspect crowdsecurity/http-cve

CrowdSec Windows - http-cve collection details

Let’s go to the next step.

C. Installing the Windows firewall bouncer

We must set up the “firewall” bouncer for Windows, otherwise attacks will be detected but not blocked. Click on the link below, then on the “Download” button to download the MSI package.

The installation is done in a few clicks: just follow the wizard.

CrowdSec Windows - Installing the firewall bouncer

Once it is finished, the command below will show the presence of the bouncer.

cscli bouncers list

CrowdSec Windows - List bouncers

Let’s go to the next step.

D. Add IIS log support

For CrowdSec to process the logs generated by IIS, and by extension those corresponding to access to the OWA and ECP portals of Exchange, we must tell it the paths of the log files to analyze.

You need to edit the following file:

C:\ProgramData\CrowdSec\config\acquis.yaml

and add the following lines (the “---” line starts a new YAML document after the existing entries):

---
use_time_machine: true
filenames:
  - C:\inetpub\logs\LogFiles\*\*.log
labels:
  type: iis

You can see the presence of a “dynamic” path, characterized by the wildcard character: “C:\inetpub\logs\LogFiles\*\*.log”. This value will allow CrowdSec to find and read the log files located in the tree “C:\inetpub\logs\LogFiles\”.

Exchange – CrowdSec – Config YAML IIS

Beyond the path to the log files, the configuration block that we just added contains a parameter named use_time_machine. It is important because IIS does not write logs to the log file in real time, but writes new events in bulk, every minute. Thanks to this parameter, CrowdSec will read the date and time of each line to identify and process the events chronologically, which avoids false positives.
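To make the effect of use_time_machine concrete, here is an added Python example (my own illustration, not CrowdSec’s code). It parses IIS W3C log lines and runs two deliberately simplified detection rules over them, once in file order and once ordered by each line’s own timestamp. The scenario names “owa-auth-bf” and “sensitive-path-probe”, their thresholds and the log lines are all constructed for this example; CrowdSec’s real scenarios are more elaborate, and the sort here is only a stand-in for what the real parameter does (use the timestamp parsed from the line instead of the time the line was read).

```python
"""Added illustration (not CrowdSec's code) of what use_time_machine changes:
events are evaluated in timestamp order rather than in file order. The two toy
scenarios, their names and thresholds are simplifications invented for this
example; the IIS W3C log below is a constructed sample."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. IIS flushes lines in bulk, so 10:00:30 appears before
# 10:00:01 here: the file order is not the event order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-20 10:00:30 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.22 Mozilla/5.0 401
2022-10-20 10:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401
2022-10-20 10:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401
2022-10-20 10:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.22 Mozilla/5.0 401
2022-10-20 10:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401
2022-10-20 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.22 Mozilla/5.0 401
2022-10-20 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401
2022-10-20 10:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.22 Mozilla/5.0 401
2022-10-20 10:00:04 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401
2022-10-20 10:00:04 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.22 Mozilla/5.0 401
2022-10-20 10:00:40 10.0.0.5 GET /owa/ - 443 alice 10.0.0.77 Mozilla/5.0 200
2022-10-20 10:01:10 10.0.0.5 GET /.env - 443 - 192.0.2.33 Mozilla/5.0 404
2022-10-20 10:01:11 10.0.0.5 GET /web.config - 443 - 192.0.2.33 Mozilla/5.0 404
"""

# Toy scenarios (invented for this example, not CrowdSec's real ones):
# 5 failed OWA logins from one IP within 10 s, or 2 probes of sensitive
# paths from one IP within 60 s.
BF_THRESHOLD, BF_WINDOW = 5, timedelta(seconds=10)
PROBE_THRESHOLD, PROBE_WINDOW = 2, timedelta(seconds=60)
SENSITIVE_PATHS = {"/.env", "/web.config", "/.git/config"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # the header can change mid-file; keep the latest
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        event = dict(zip(fields, values))
        event["ts"] = datetime.strptime(event["date"] + " " + event["time"], "%Y-%m-%d %H:%M:%S")
        yield event


def replay(text, time_machine=True):
    """Run the toy scenarios over the log; returns (scenario, ip) alerts in firing order."""
    events = list(parse_iis_log(text))
    if time_machine:
        events.sort(key=lambda e: e["ts"])    # stand-in for use_time_machine
    buckets = defaultdict(deque)              # (ip, scenario) -> timestamps still in the window
    alerts = []

    def bump(ip, scenario, ts, threshold, window):
        dq = buckets[(ip, scenario)]
        dq.append(ts)
        while dq and ts - dq[0] > window:     # evict events older than the window
            dq.popleft()
        if len(dq) >= threshold:
            alerts.append((scenario, ip))
            dq.clear()                        # one alert per burst

    for e in events:
        ip, ts, path = e["c-ip"], e["ts"], e["cs-uri-stem"].lower()
        if path == "/owa/auth.owa" and e["sc-status"] == "401":
            bump(ip, "owa-auth-bf", ts, BF_THRESHOLD, BF_WINDOW)
        if path in SENSITIVE_PATHS:
            bump(ip, "sensitive-path-probe", ts, PROBE_THRESHOLD, PROBE_WINDOW)
    return alerts


if __name__ == "__main__":
    print("file order:     ", replay(SAMPLE_LOG, time_machine=False))
    print("timestamp order:", replay(SAMPLE_LOG, time_machine=True))
```

Run in file order, the bucket for 198.51.100.22 holds the 10:00:30 failure next to four failures from 10:00:01 to 10:00:04 and fires, although only four attempts fall inside any 10-second window. In timestamp order, the 10:00:30 line evicts the older entries and no alert is raised for that address; 203.0.113.7, which really did fail five times in five seconds, is flagged either way. That is the kind of false positive the parameter protects you from.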

On the other hand, if you do not use the log files but the Event Viewer, you must use this block instead of the one above:

---
source: wineventlog
event_channel: Microsoft-IIS-Logging/Logs
event_ids:
  - 6200
event_level: information
labels:
  type: iis

Save the acquis.yaml file and close it.

Finally, we need to restart the CrowdSec service. This is done in PowerShell with this command:

Restart-Service crowdsec

CrowdSec setup is complete! Now let’s test our protection system!

III. Is the Exchange server protected?

A. Brute force on OWA – Exchange Webmail

To perform a brute-force attack on OWA, there are several possible methods. Of course, one could do this manually for testing, but one could also use something a bit more automated to simulate a brute-force attack. Thus, we will use a Bash script named “OWA BRUTE”, which runs Hydra (an offensive tool compatible with many protocols, used to test authentication to a service, a device, etc.) with specific parameters corresponding to Outlook Web Access.

The script is available on GitHub at the following address:

First of all, we have to install Hydra and Git. The first is a prerequisite for using the script and carrying out our attack, while the second will be used to clone the GitHub repository to retrieve the Bash script (you can also copy and paste the script into a file…).

sudo apt-get update
sudo apt-get install hydra git

Once that is done, we clone the GitHub project into “/home/florian”:

cd /home/florian/
git clone 

Then, we create a file “users.txt” containing the usernames to test:

nano /home/florian/owabrute/users.txt

CrowdSec Windows – Files with usernames

In the same spirit, we create a file “passwords.txt”:

nano /home/florian/owabrute/passwords.txt

CrowdSec Windows – Files with passwords

Then, we move into the OWA BRUTE directory to add execute permission on the Bash script:

cd /home/florian/owabrute/
chmod +x owabrute.sh

All that remains is to launch the attack by targeting “mail.domaine.fr” and using our previously created files:

./owabrute.sh -d mail.domaine.fr -u ./users.txt -p ./passwords.txt

We can see that the script tests each combination in turn. In the end, it will indicate whether or not it succeeded in finding a valid combination. However, CrowdSec will intervene…

CrowdSec Windows – Brute force with OWA BRUTE

Indeed, if I look on the Exchange server side, I can see that there is a new IP address blocked for brute force (“crowdsecurity/windows-bf”). The CrowdSec agent has correctly blocked the IP address behind this attack.

CrowdSec Windows – Check brute force blocking

Since we are here to run tests, we can unblock our IP address manually:

cscli decisions delete --ip X.X.X.X

Let’s move on to a second proof.

B. Web scan on OWA

If an individual seeks to scan your web server, in this case the IIS server used by Exchange, they can rely on various tools, including Nikto, which is used to assess the security level of a web server. For this example, OWA will be analyzed with the Nikto tool: we will see if CrowdSec detects what is happening on the IIS server…

First, let’s install this tool:

sudo apt-get update
sudo apt-get install nikto

Then, we launch the scan against the webmail:

nikto -h 

The analysis will take several minutes...

CrowdSec Windows – Scan with Nikto

Except that after a while, CrowdSec will notice that this web client is performing suspicious actions and will decide to block it. In the example below, we can see the reason “http-sensitive-files”.

CrowdSec Windows – Check nikto blocking

In this second example, where we performed a completely different action compared to the first attempt, CrowdSec also managed to detect our malicious actions.
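After both tests, the natural next step on the server side is to review what was actually blocked and by which scenario before lifting anything. The following is an added Python example (mine, not CrowdSec’s code) that does this from the JSON form of the decision list. SAMPLE_DECISIONS is a constructed sample shaped like the output of `cscli decisions list -o json` (the `-o json` output option exists in cscli; the sample reproduces only the alert fields the code reads, and their exact names are my assumption); in practice you would feed the real command output to active_bans(). The scenario names “crowdsecurity/windows-bf” and “crowdsecurity/http-sensitive-files” are the two seen in this article; the third entry stands for a decision received from the Central API rather than produced locally.

```python
"""Added example (not CrowdSec's code): review active ban decisions and
separate local detections from community (CAPI) ones before cleaning up.
SAMPLE_DECISIONS is a constructed sample shaped like `cscli decisions list -o json`;
field names are assumed and only the ones read below matter."""
import json
from collections import defaultdict

SAMPLE_DECISIONS = json.dumps([
    {   # local detection of the OWA brute force from the test above
        "scenario": "crowdsecurity/windows-bf",
        "events_count": 6,
        "created_at": "2022-10-20T10:00:05Z",
        "source": {"ip": "203.0.113.7", "scope": "Ip", "value": "203.0.113.7"},
        "decisions": [{"origin": "crowdsec", "scenario": "crowdsecurity/windows-bf",
                       "scope": "Ip", "value": "203.0.113.7", "type": "ban",
                       "duration": "3h59m"}],
    },
    {   # local detection of the Nikto scan from the test above
        "scenario": "crowdsecurity/http-sensitive-files",
        "events_count": 8,
        "created_at": "2022-10-20T10:01:11Z",
        "source": {"ip": "192.0.2.33", "scope": "Ip", "value": "192.0.2.33"},
        "decisions": [{"origin": "crowdsec", "scenario": "crowdsecurity/http-sensitive-files",
                       "scope": "Ip", "value": "192.0.2.33", "type": "ban",
                       "duration": "3h58m"}],
    },
    {   # decision pushed by the Central API (community blocklist), not seen locally
        "scenario": "crowdsecurity/http-probing",
        "events_count": 0,
        "created_at": "2022-10-20T09:00:00Z",
        "source": {"ip": "198.51.100.77", "scope": "Ip", "value": "198.51.100.77"},
        "decisions": [{"origin": "CAPI", "scenario": "crowdsecurity/http-probing",
                       "scope": "Ip", "value": "198.51.100.77", "type": "ban",
                       "duration": "23h"}],
    },
])


def active_bans(raw_json):
    """Map each banned IP to the sorted (origin, scenario) pairs behind its ban."""
    bans = defaultdict(set)
    for alert in json.loads(raw_json):
        for d in alert.get("decisions", []):
            if d.get("type") != "ban" or d.get("scope") != "Ip":
                continue                      # ignore captchas, range-scoped decisions, etc.
            bans[d["value"]].add((d.get("origin", "?"), d["scenario"]))
    return {ip: sorted(pairs) for ip, pairs in bans.items()}


def lab_cleanup_commands(bans, lab_ips):
    """cscli commands to lift only the locally produced bans on our own test IPs.
    Community (CAPI) decisions are left alone: they were not raised by this agent."""
    cmds = []
    for ip in sorted(bans):
        if ip in lab_ips and any(origin == "crowdsec" for origin, _ in bans[ip]):
            cmds.append(f"cscli decisions delete --ip {ip}")
    return cmds


if __name__ == "__main__":
    bans = active_bans(SAMPLE_DECISIONS)
    for ip, reasons in sorted(bans.items()):
        print(ip, reasons)
    # constructed lab addresses: the machine that ran OWA BRUTE and the one that ran Nikto
    print("\n".join(lab_cleanup_commands(bans, {"203.0.113.7", "192.0.2.33"})))
```

The point of the origin check is that a test machine may also appear in a community decision; deleting that locally would not change anything upstream, so only the agent’s own bans on addresses you control are lifted.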

IV. Conclusion

We have just seen how to set up the CrowdSec agent on Windows in order to protect a Microsoft Exchange mail server!

Here I have taken the example of Exchange Server 2019, but this also applies to previous versions. With these two quick but concrete examples, we could see the effectiveness of CrowdSec! I take advantage of this article to remind you of the existence of the CrowdSec console.
