Saturday, February 25, 2012

Please Help: Someone is hacking my server!

Hi,
My SQL server has a public IP address that admins and developers can access
and manage remotely (this is the requirement).
When I monitor the SQL server port I can see someone is brutally trying to
hack my server. There are almost 70 connections from IP address
66.15.173.105 that try to connect to my server.
My guess is he is trying to use a brute force technique to find the sa
password.
What is the best way to prevent that? Can I adjust some settings, to have
failed logins wait for 10 seconds?
Any help would be appreciated,
Alan
|||Hi
You can't do much as you exposed your SQL Server to the outside world.
At best, you can filter the source IP and port at the router, blocking
66.15.173.105
SQL Server 2000 does not allow account lockouts or account policies.
If developers and admins need access to your SQL Server, look at
implementing a VPN, but for sure, don't expose SQL Server directly to the
internet.
Regards
--
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@.epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
|||Change the port from 1433, block that IP address, make the sa password
something ridiculously difficult (or better yet, switch to Windows
integrated security only) and implement VPN.
|||You can also use IPSEC and/or your firewall and only allow specific IP & PORT
access to your SQL Box.
|||Blocking the attacking IP probably won't help -- it's probably a dynamic IP.
This might be painful, but...create a new admin. login with a hard-to-guess
name, use a strong password, and DELETE sa.
-- Jeff
|||can not delete sa.
"Beige Bond" <BeigeBond@.hotmail.com> wrote in message
news:OvFRYk0TFHA.2556@.TK2MSFTNGP12.phx.gbl...
> Blocking the attacking IP probably won't help -- it's probably a dynamic IP.
> This might be painful, but...create a new admin. login with a hard-to-guess
> name, use a strong password, and DELETE sa.
> -- Jeff
|||Apologies for my ignorance. Looks like turning off Mixed Mode Authentication
is the only way to disable sa. Some interesting notes at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_1_server_5un8.asp
"Dennis Redfield" <dennis_redfield@.newsgroup.nospam> wrote in message
news:eGetLtBUFHA.3644@.TK2MSFTNGP10.phx.gbl...
> can not delete sa.
> "Beige Bond" <BeigeBond@.hotmail.com> wrote in message
> news:OvFRYk0TFHA.2556@.TK2MSFTNGP12.phx.gbl...
>> Blocking the attacking IP probably won't help -- it's probably a dynamic IP.
>> This might be painful, but...create a new admin. login with a hard-to-guess
>> name, use a strong password, and DELETE sa.
>> -- Jeff
|||In addition to all of these suggestions, you can also use the firewall
to block access from all outside IPs except those used by the admins
and developers.
Still the solution is to get a VPN setup and get the SQL Server box
off the internet. Too expensive, you say? How much will it cost your
company *when* the hacker gets through? I bet it's more than the cost
of some VPNs.
Joe Webb
SQL Server MVP
~~~
Get up to speed quickly with SQLNS
http://www.amazon.com/exec/obidos/tg/detail/-/0972688811
I support PASS, the Professional Association for SQL Server.
(www.sqlpass.org)
On Sat, 30 Apr 2005 11:39:51 -0400, "Michael C#" <xyz@.abcdef.com>
wrote:
>Change the port from 1433, block that IP address, make the sa password
>something ridiculously difficult (or better yet, switch to Windows
>integrated security only) and implement VPN.
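Added example, not part of any post in this thread: the check the original poster did by eye (counting connections per source on the SQL Server port) combined with the allow-list Joe Webb suggests, run over constructed `netstat -an` style lines. The allow-list network, the threshold of 20 and every address except 66.15.173.105 are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

SQL_PORT = 1433  # default SQL Server port named in the thread


def remote_sources(netstat_text, port=SQL_PORT):
    """Yield the remote IP of every TCP connection to local `port`.

    Expects Windows `netstat -an` lines: TCP <local> <remote> <state>.
    """
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        local_port = fields[1].rpartition(":")[2]
        remote_host = fields[2].rpartition(":")[0].strip("[]")
        if local_port != str(port):
            continue
        try:
            yield ipaddress.ip_address(remote_host)
        except ValueError:
            continue  # malformed address field, ignore the line


def review(netstat_text, allowed_nets, threshold=20, port=SQL_PORT):
    """Count connections per source; report sources outside the allow-list
    and sources at or above `threshold` connections (threshold is assumed)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    counts = Counter(remote_sources(netstat_text, port))
    outside, noisy = {}, []
    for ip, n in counts.most_common():
        permitted = any(ip in net for net in allowed)
        if not permitted:
            outside[str(ip)] = n  # a firewall allow-list would drop these
        if n >= threshold:
            noisy.append((str(ip), n, permitted))
    return {"outside_allowlist": outside, "noisy": noisy}


def sample_netstat():
    """Constructed sample: 70 connections from the address reported in the
    thread, 2 from a made-up admin address, and lines that must be ignored."""
    row = "  TCP    203.0.113.5:{}    {}:{}    {}"
    lines = [row.format(1433, "0.0.0.0", 0, "LISTENING")]
    lines += [row.format(1433, "66.15.173.105", 4000 + i, "ESTABLISHED") for i in range(70)]
    lines += [row.format(1433, "192.0.2.10", 5000 + i, "ESTABLISHED") for i in range(2)]
    lines.append(row.format(1433, "198.51.100.7", 6000, "TIME_WAIT"))
    lines.append(row.format(3389, "198.51.100.7", 6001, "ESTABLISHED"))  # other port
    return "\n".join(lines)


if __name__ == "__main__":
    print(review(sample_netstat(), ["192.0.2.0/24"]))
```

A source that is on the allow-list but still crosses the threshold is reported with `permitted=True`, since a flood from an admin address is also worth a look.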
|||Thank you everyone for your help and suggestions. I convinced development
team to use terminal services instead.
However, lack of proper password policy for SQL server is quite scary! It is
easy to build a try/error program to hack sa password based on available
password dictionary databases!
Thanks again,
Alan
|||That's probably why Windows Integrated is the recommended security model.
Why duplicate all of Windows' password policy functionality in SQL Server
when it's already accessible via Integrated Security?
Are you exposing Terminal Services to the Internet as well, or are you
making them use VPN? Don't forget the Administrator account on your domain
and local machines, which can usually use Terminal Services to log in as
well.
"A.M" <Hate-Spam@.nowhere.com> wrote in message
news:%23YGjqxOUFHA.2892@.TK2MSFTNGP14.phx.gbl...
>
> Thank you everyone for your help and suggestions. I convinced development
> team to use terminal services instead.
>
> However, lack of proper password policy for SQL server is quite scary! It
> is easy to build a try/error program to hack sa password based on available
> password dictionary databases!
>
> Thanks again,
> Alan
