Friday, March 9, 2012

Is there any way to prevent hacker trying to guess sa password?

Some hacker has set off a program to try and guess the sa password to my SQL
Server that is public (1433 is open) -- I'm logging all the attempts (about
6 a minute from the start of my logging til now -- several 100,000
combinations and counting.
Is there any way to detect the source IP and block/shut it down?
Thanks, Rob.
|||Nothing built into SQL Server 2000 - you have to get at this
through the OS level using Network Monitor or another
sniffer to capture the IP of the source.
-Sue
On Mon, 10 Oct 2005 13:01:32 -0700, "Rob R. Ainscough"
<robains@.pacbell.net> wrote:

>Some hacker has set off a program to try and guess the sa password to my SQL
>Server that is public (1433 is open) -- I'm logging all the attempts (about
>6 a minute from the start of my logging til now -- several 100,000
>combinations and counting.
>Is there any way to detect the source IP and block/shut it down?
>Thanks, Rob.
|||Hi Sue,
I don't suppose Microsoft provide any such easy to use tools to monitor
"patterned" network traffic -- i.e. the same IP attempting connection with
my SQL Server every 10 seconds? Also is there anything in SQL Server 2000
that can filter out an IP that attempts more than XYZ failed attempts at
login with sa?
It seems that 95% of hacker activity/patterns are very similar, but I'm not
finding anything in the MS 2003 Server nor in MS SQL Server 2000 that would
help identify and prevent these patterns -- am I just missing something?
If not, are there any tools out there (paid or free) that are easy to use
with minimal setup -- I'm a developer and don't have the time to spend on
tracking stuff like this down and I've got more important tasks to accomplish
with looming deadlines.
Any recommendation, tips, hints, web sites to visit would be most
appreciated.
Thanks, Rob.
|||Is it absolutely required that port 1433 be open to the entire internet? If
not, why not use a firewall or similar to block all IP addresses except
those that should be permitted access?
Cheers
Ken
|||Hi Ken,
The problem is, those that should be permitted access are not static IPs
(they could be a broadband connection with a dynamic IP) -- IPs can and do
change so that would involve a lot of maintenance to keep them updated not
to mention the end user would NOT have a clue what is wrong with the
application that no longer can communicate to the SQL Server.
Is there really NOTHING built into Win2K3 or SQL 2000 that has any
intelligence about preventing hacker attacks? I mean the pattern of a SQL
hacker is pretty simple -- look in the event viewer at the 20000+ login sa
failed attempts (once every 10 seconds). What I don't like is the
processing time the hacker consumes with all the failed login attempts --
with my 40 character password at one attempt every 10 seconds it would still
take them 5.6034833284317069404025203533663e+87 years to guess the
password -- even assuming they got lucky and hit the jackpot in 1/2 the time
that is still 2.8017416642158534702012601766831e+87 years. So am I worried
about using port 1433, no -- just annoyed that there doesn't appear to be
any tools to automatically ignore these attempts and stop using up my
bandwidth and resources.
Rob.
|||Hi Rob,
I have the same situation; till now all my clients use a fixed IP address
and my firewall is in stealth mode and talks only with privileged
addresses, so I had no attack till now on my SQL Server, but in my next
project I have clients with dynamic addresses too.
So I am very interested in this article and hope for some tips.
At the moment I am trying to find out if VPN can help me.
Yes, the VPN server can be attacked too. And there is no shelter against
DoS. But then this is handled (I hope very efficiently) by the router and is
not stressing the SQL Server or the valid connections.
The one and only really 100% safe solution would be a leased circuit,
because: no connection to outside = no attack from outside ;-)
But this is too expensive for me.
bye,
Helmut
|||On Tue, 11 Oct 2005 08:50:33 -0700, Rob R. Ainscough wrote:

> Is there really NOTHING built into Win2K3 or SQL 2000 that has any
> intelligence about preventing hacker attacks?
No. And this question comes up in this newsgroup every few months, it
seems like. (Perhaps there is a security tool which could detect and
prevent that at the news server? :-))

> The problem is, those that should be permitted access are not static IPs
I'll give the same suggestion I gave last time. Many firewalls have the
ability to open a port to a specific IP after that IP has logged in in some
way. Often (I'm thinking of Checkpoint FW1) the login is very simple,
requiring only a telnet to another specific port and a short exchange of
username and password - easily automatable.
|||VPN can help but I found it caused more maintenance (in terms of network
quirks, slow boot problems, incompatibilities with some remote PCs and very
sensitive to any Windows updates) than it was worth.
I think the only other "secure" way is via XML/SSL and have an application
server level where the remote users communicate requests to the application
server which then has a local link to the SQL Server -- that way you can have a
public web server talk to the application server and remote clients talk to
the application server and keep the SQL server relatively safe behind the
application server. Definitely NOT the easiest approach and certainly NOT
the fastest approach but depending on the scale of your user base and/or
solution(s) it may be more appropriate.
I know SQL 2005 is supposed to be much better but I'm not clear on the
upgrade path and from what I've heard the migration and knowledge base required
to keep a SQL 2005 server going is well beyond the capacity of a developer
who IS also the DBA by default because nobody else is qualified and/or no
money to hire someone that is qualified.
Ross, sorry for the same questions -- perhaps I'm just in denial that the OS
(even Win2K3) and SQL 2000 (with all the various SPs) are still so
unintelligent about monitoring and defending against your typical hackers.
Maybe I'm just frustrated that MS doesn't appear to be progressing in this
area -- it seems security is getting overly complex when it should be
getting more secure and easier to implement -- but I'm not an IT guy so I'm
sure I'm missing something.
Rob.
|||"Rob R. Ainscough" <robains@.pacbell.net> wrote in message
news:ObLmEunzFHA.1040@.TK2MSFTNGP14.phx.gbl...
: Hi Ken,
:
: The problem is, those that should be permitted access are not static IPs
: (they could be a broadband connection with a dynamic IP) -- IPs can and do
: change so that would involve a lot of maintenance to keep them updated not
: to mention the end user would NOT have a clue what is wrong with the
: application that no longer can communicate to the SQL Server.
Fair enough.
: Is there really NOTHING built into Win2K3 or SQL 2000 that has any
: intelligence about preventing hacker attacks?
What is a hacker attack? 3 tries in 1 second? 10,000 tries in one second?
What you want is something like an IDS (Intrusion Detection System), which
you can configure at an appropriate threshold which you determine. Then it
can do various stuff (like alert you, or configure a block at your firewall
or whatever) when a trigger value is reached.
However this is something that requires you to think carefully about it - to
ensure that a legitimate user doesn't accidentally lock themselves out.
: I mean the pattern of a SQL
: hacker is pretty simple -- look in the event viewer at the 20000+ login sa
: failed attempts (once every 10 seconds).
Is this just one IP address? If so, just use TCP filtering in Windows
server. 20,000 attempts is pretty obviously a hack. But what if it was only
5 attempts? What then?
In any case, this is probably something you should use something else to
secure - firewall, VPN etc.
Cheers
Ken
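The threshold logic Ken describes, as an added example that is not code from this thread: a sliding-window count of failed logins per source address, an allowlist so a legitimate office cannot lock itself out, and the block rule that would result. It assumes the failed-login lines carry the client address in the '[CLIENT: a.b.c.d]' form that SQL Server 2005 and later write for error 18456; SQL Server 2000, which Rob is running, does not log the client address at all, so there it has to come from netstat or a sniffer as Sue says. The log lines below are constructed, and the netsh advfirewall syntax is Windows Vista/Server 2008 and later, not Windows Server 2003.

```python
"""Threshold-based detection of sa brute forcing from SQL Server log lines.

Added example; not code from the thread. Assumes the SQL Server 2005+ log
format with '[CLIENT: ip]' on each failed login (SQL Server 2000 omits it).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of error-log lines, not real data. 203.0.113.7 fails
# once every 10 seconds (Rob's "6 a minute"); 198.51.100.4 is a user who
# mistypes a few times over twenty minutes.
SAMPLE_LOG = """\
2005-10-10 13:00:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:00:10.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:00:12.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.4]
2005-10-10 13:00:20.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:00:30.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:00:40.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:00:45.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.4]
2005-10-10 13:00:50.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-10-10 13:05:00.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.4]
2005-10-10 13:20:00.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.4]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["ip"])


def find_offenders(lines, threshold=5, window=timedelta(minutes=1),
                   allowlist=frozenset()):
    """Return {ip: time the threshold was first crossed}.

    An address is flagged when it has `threshold` or more failures inside
    any sliding `window`. Counting over a window is what separates a
    guessing program (one try every 10 seconds, indefinitely) from a user
    who mistypes a password a few times. Allowlisted addresses are never
    flagged, so an office that shares one NAT address cannot lock itself out.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = {}
    for ts, _user, ip in parse_failures(lines):
        if ip in allowlist or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def block_rule(ip):
    """Windows Firewall rule for one address (Vista/Server 2008+ syntax;
    Windows Server 2003 would use IPSec policies or TCP/IP filtering)."""
    return ('netsh advfirewall firewall add rule name="sql-block-{0}" '
            'dir=in action=block protocol=TCP localport=1433 remoteip={0}'
            .format(ip))


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} flagged {ip}")
        print("  " + block_rule(ip))
```

With the defaults (5 failures in one minute) the steady once-every-10-seconds pattern trips after 40 seconds, while the second address, whose failures are spread over twenty minutes, is never flagged; dropping the threshold to 2 catches it too, which is Ken's "what if it was only 5 attempts" question in miniature.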
|||On Tue, 11 Oct 2005 16:35:39 -0700, Rob R. Ainscough wrote:

> VPN can help but I found it caused more maintenance (in terms of network
> quirks, slow boot problems, incompatibilities with some remote PCs and very
> sensitive to any Windows updates) than it was worth.
>
I am thinking about a complete hardware solution. The hardware is really cheap
compared with the costs for setup and/or other problems which can happen if
using the Windows built-in VPN.

> I think the only other "secure" way is via XML/SSL and have an application
> server level where the remote users communicate requests to the application
> server which then has a local link to the SQL Server -- that way you can have a
> public web server talk to the application server and remote clients talk to
> the application server and keep the SQL server relatively safe behind the
> application server. Definitely NOT the easiest approach and certainly NOT
> the fastest approach but depending on the scale of your user base and/or
> solution(s) it may be more appropriate.
>
Definitely not possible for me. I would have to rewrite the whole
application in a new technology where I have no experience, and this on
the client side and on the server side.
But I like the idea from Ross Presser. I could easily write a little
program which listens on another port. The client has to send its
IP in a special encrypted way, then my listener will open the firewall for
this IP, otherwise no response from the listener - undetectable for
hackers, I think.
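Ross's firewall-login idea and Helmut's listener, as an added example that is not code from this thread: the knock is a client id and a timestamp authenticated with an HMAC under a per-client pre-shared key (the key and client name here are hypothetical, constructed for the demo; a real key is installed out of band), and the listener answers nothing on any failure. Two choices of mine rather than the thread's: the address to open is taken from the connection the knock arrives on, not from the message body, so a client behind NAT opens the address the SQL Server will actually see; and a short freshness window plus a replay cache means a captured knock cannot be reused, which hiding the IP alone would not give. The grant is returned as data; applying it to the firewall is left to the site.

```python
"""Authenticated 'open the firewall for my address' knock.

Added example; not code from the thread. Pure functions, no sockets, so it
runs offline; the caller supplies the connection's source address and the
current time.
"""
import hmac
import hashlib

# Constructed demo key for a hypothetical client. A real deployment
# generates a random per-client key and installs it out of band.
CLIENT_KEYS = {
    "laptop-rob": b"constructed-demo-key-for-laptop-rob-not-a-real-secret",
}


def make_knock(client_id, key, now):
    """Client side: 'client_id|unix_time|hmac' with the tag over the first
    two fields. The client's IP is deliberately not in the message."""
    ts = str(int(now))
    tag = hmac.new(key, f"{client_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{client_id}|{ts}|{tag}"


class KnockListener:
    """Server side. Returns None on every failure, and the caller sends
    nothing back in that case, so a scanner cannot tell the port is live."""

    def __init__(self, keys, max_skew=30, open_for=3600):
        self.keys = keys
        self.max_skew = max_skew   # seconds of clock drift tolerated
        self.open_for = open_for   # seconds a grant stays open
        self.seen = set()          # (client_id, ts) already accepted
        self.grants = {}           # source_ip -> expiry time

    def handle(self, knock, source_ip, now):
        """Verify one knock arriving from source_ip at time `now`.
        Return {'ip', 'client', 'until'} on success, else None."""
        parts = knock.split("|")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        client_id, ts_str, tag = parts
        key = self.keys.get(client_id)
        if key is None:                                  # unknown client
            return None
        expected = hmac.new(key, f"{client_id}|{ts_str}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):       # constant-time compare
            return None
        ts = int(ts_str)
        if abs(now - ts) > self.max_skew:                # stale or future-dated
            return None
        # Anything older than the skew window can no longer validate, so the
        # replay cache only needs entries inside that window.
        self.seen = {e for e in self.seen if e[1] >= now - self.max_skew}
        if (client_id, ts) in self.seen:                 # replay of a captured knock
            return None
        self.seen.add((client_id, ts))
        until = now + self.open_for
        # Open the address the connection came from, not one the client claims.
        self.grants[source_ip] = until
        return {"ip": source_ip, "client": client_id, "until": until}

    def is_open(self, ip, now):
        """Would the firewall currently admit this address to 1433?"""
        until = self.grants.get(ip)
        return until is not None and now < until


if __name__ == "__main__":
    import time
    now = time.time()
    listener = KnockListener(CLIENT_KEYS)
    knock = make_knock("laptop-rob", CLIENT_KEYS["laptop-rob"], now)
    print(listener.handle(knock, "198.51.100.4", now))        # grant
    print(listener.handle(knock, "198.51.100.4", now + 1))    # replay: None
```

The listener never distinguishes a bad key from a stale timestamp or a replay in what it returns, so an attacker who captures one knock and resends it from another address learns nothing and opens nothing; only the clock skew window and the key length are tuning knobs.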
