
Brute Force Attacks
Posted Sunday, August 17, 2014 10:23 AM


Hi,

It may be that I should post this in the newbie section. How can I assess how many resources my SQL Server Express 2012 is using to deny sa login attempts? My log is showing about 4 failed attempts a second. I do not see a counter in Performance Monitor, and my initial Google search to audit failed attempts seems to require resources SQL Express does not have, i.e. Agent.

Perhaps the better question is: how concerned should I be, and how can I stop this attack?

John


SQL 2012 Standard VPS Windows 2012 Server Standard
Post #1604206
Posted Sunday, August 17, 2014 10:43 AM


You should be concerned, and you should not expose your SQL Server instance on the internet. As long as it is, you should keep the sa account disabled. Renaming it is also a good idea.

But again, don't expose your instance on the internet.



Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1604208
Posted Sunday, August 17, 2014 10:49 AM


So this is where I should be bumped over to newbie. This is not a dedicated SQL server and hosts web sites as well. Can I assume there is no way to isolate the instance if its server is also hosting web traffic?


If an SQL Server is supporting a web site but on a different physical machine, does that necessarily mean it's exposed to the internet? (note again this is not my case.)


SQL 2012 Standard VPS Windows 2012 Server Standard
Post #1604210
Posted Sunday, August 17, 2014 11:05 AM


If SQL Server is only serving the web server, it's simple: make sure that only ports 80 and 443 are open in the firewall. And particularly, make sure that the ports related to SQL Server are closed. That is, the port which the instance is listening to (which you find in the SQL Server error log) and UDP port 1434, used by the Browser service.

You can even take it one step further and disable TCP and named pipes altogether on the instance.

In many cases, you want to be able to access the server instance from other machines in your own network. The common solution to this is to put the web server in what is called a DMZ, which is outside your corporate firewall.

Also make sure that your web application is not prone to SQL injection.


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1604211
Posted Sunday, August 17, 2014 1:14 PM


Erikur's advice is all good.

In addition, if the SQL Server is used only by things running on the same machine (such as a web server), it is usually a good idea to disable all SQL Server connection protocols except shared memory.

But even doing all that, including, as Erikur pointed out, making sure the web app doesn't permit SQL injection, and changing the name "sa" to something else (like "jqsw3456ajfyctsmken" or something equally crazy) and, preferably, disabling SQL logins and allowing only Windows logins, doesn't guarantee security: you need to be sure that no-one unwelcome can get connected to the server as a Windows system administrator.


Tom
Post #1604215
Posted Sunday, August 17, 2014 1:18 PM


TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1604216
Posted Sunday, August 17, 2014 3:29 PM
Erland Sommarskog (8/17/2014)
TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?

Hi Erland, I think Tom is mixing up us two from way up north, even the confusion is misspelled.

My (Eirikur) first question is where are the attempts coming from? Is it through the web application or directly?
Follow Erland's advice on the firewall settings, you really want to isolate the SQL Server from the open internet! Secondly, disable SQL Server logins and use only Windows authentication. Last but not least, do not use NTLM authentication (backward compatible Windows authentication)!!!
Post #1604221
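
Added example (not part of the original thread or any poster's code): one way to answer "where are the attempts coming from?" and to measure the attempt rate on an Express instance without Agent, by reading the current error log with T-SQL. It assumes failed-login auditing is enabled (the original poster already sees the failures in the log); the temp table and column names are made up for the example.

```sql
-- Added example, not from the thread. xp_readerrorlog is undocumented but
-- ships with SQL Server, including Express. #errlog is a hypothetical name.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     datetime      NULL,
    ProcessInfo nvarchar(64)  NULL,
    LogText     nvarchar(max) NULL
);

-- Args: 0 = current log file, 1 = SQL Server error log, then a search string.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

-- 1) Where from: failures per client address taken from the "[CLIENT: ...]" suffix.
--    The CASE guards rows without that suffix so SUBSTRING never gets a bad length.
SELECT  c.ClientAddress,
        COUNT(*)       AS FailedLogins,
        MIN(e.LogDate) AS FirstSeen,
        MAX(e.LogDate) AS LastSeen
FROM    #errlog AS e
CROSS APPLY (SELECT CHARINDEX(N'[CLIENT: ', e.LogText) AS p) AS s
CROSS APPLY (SELECT CHARINDEX(N']', e.LogText, s.p + 9) AS q) AS t
CROSS APPLY (SELECT CASE WHEN s.p > 0 AND t.q > s.p + 9
                         THEN SUBSTRING(e.LogText, s.p + 9, t.q - s.p - 9)
                         ELSE N'(not recorded)' END AS ClientAddress) AS c
GROUP BY c.ClientAddress
ORDER BY FailedLogins DESC;

-- 2) How fast: failures per minute, busiest minutes first.
SELECT TOP (20)
        DATEADD(minute, DATEDIFF(minute, 0, e.LogDate), 0) AS MinuteStart,
        COUNT(*) AS FailedLogins
FROM    #errlog AS e
GROUP BY DATEADD(minute, DATEDIFF(minute, 0, e.LogDate), 0)
ORDER BY FailedLogins DESC;

DROP TABLE #errlog;
```

Remote addresses in the first result mean the instance is reachable directly over the network; entries such as `<local machine>` or the server's own address point to something running on the box itself, such as the web application.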
Posted Monday, August 18, 2014 12:27 PM


To be honest, I'm not totally sure of all the uses of this SQL instance. I'll have to find out (that's why it's called work, right?). I'm actually volunteering...

Anyway. Is there a way to find out what port these attacks are coming in on?


SQL 2012 Standard VPS Windows 2012 Server Standard
Post #1604634
Posted Monday, August 18, 2014 3:22 PM


They are all coming on the port on which SQL Server is listening. You can see this in the SQL Server Configuration Manager or in the beginning of the SQL Server errorlog.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1604700
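
Added example (not part of the original thread): a read-only T-SQL check of the settings the replies above recommend, namely the listening port, the protocols and authentication schemes actually in use, the state of the sa login, and the authentication mode. It assumes a login with VIEW SERVER STATE permission; the column aliases are made up for the example.

```sql
-- Added example, not from the thread. Read-only; changes nothing on the instance.

-- 1) TCP ports the instance is listening on (this DMV exists from SQL Server 2012).
--    These are the ports that must not be reachable from the internet.
SELECT ip_address, port, type_desc, state_desc
FROM   sys.dm_tcp_listener_states
WHERE  type_desc = N'TSQL';

-- 2) Protocols and authentication schemes in use right now.
--    net_transport: Shared memory / TCP / Named pipe; auth_scheme: SQL / NTLM / KERBEROS.
SELECT net_transport, auth_scheme, client_net_address, COUNT(*) AS Connections
FROM   sys.dm_exec_connections
GROUP BY net_transport, auth_scheme, client_net_address
ORDER BY Connections DESC;

-- 3) State of the built-in sa login; SID 0x01 finds it even after a rename.
SELECT name, is_disabled, modify_date
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 4) Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
```

The second query is a snapshot, so run it at several times of day before disabling TCP or named pipes; a client that connects only occasionally will not show up in a single run.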
Posted Monday, August 18, 2014 4:34 PM


Erland Sommarskog (8/17/2014)
TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?



The nearest I can get to an excuse for the error is that it's hard to recognise names in far northern languages, at least as hard as understanding this bizarre beurla Sasunnach I'm typing in.

Actually, I suspect I'd just read some comments by Erikur in a different thread and the name stuck in my mind somehow.


Tom
Post #1604716