Brute Force Attacks


Johnny B
Hi,

It may be that I should post this in the newbie section. How can I assess how many resources my SQL Server Express 2012 is using to deny sa login attempts? My log is showing about 4 failed attempts a second. I do not see a counter in Performance Monitor, and my initial Google search to audit failed attempts seems to require resources SQL Express does not have, i.e. Agent.

Perhaps the better question is: how concerned should I be, and how can I stop this attack?

John

SQL 2012 Standard VPS Windows 2012 Server Standard
Erland Sommarskog
You should be concerned, and you should not expose your SQL Server instance on the internet. As long as it is, you should keep the sa account disabled. Renaming it is also a good idea.

But again, don't expose your instance on the internet.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Johnny B
So this is where I should be bumped over to newbie. This is not a dedicated SQL server and hosts web sites as well. Can I assume there is no way to isolate the instance if its server is also hosting web traffic?


If an SQL Server is supporting a web site but on a different physical machine, does that necessarily mean it's exposed to the internet? (note again this is not my case.)

SQL 2012 Standard VPS Windows 2012 Server Standard
Erland Sommarskog
If SQL Server is only serving the web server, it's simple: make sure that only ports 80 and 443 are open in the firewall. And particularly, make sure that the ports related to SQL Server are closed. That is, the port which the instance is listening to (which you find in the SQL Server error log) and UDP port 1434, used by the Browser service.

You can even take it one step further and disable TCP and named pipes altogether on the instance.

In many cases, you want to be able to access the server instance from other machines in your own network. The common solution to this is to put the web server in what is called DMZ, which is outside your corporate firewall.

Also make sure that your web application is not prone to SQL injection.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
TomThomson
Erikur's advice is all good.

In addition, if the SQL Server is used only by things running on the same machine (such as Web Server) it is usually a good idea to disable all SQL Server connection protocols except shared memory.

But even doing all that including, as Erikur pointed out, making sure the web app doesn't permit SQL injection, and changing the name "sa" to something else (like "jqsw3456ajfyctsmken" or something equally crazy) and, preferably, disabling SQL logins and allowing only Windows logins doesn't guarantee security: you need to be sure that no-one unwelcome can get connected to the server as a Windows system administrator.

Tom

Erland Sommarskog
TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Eirikur Eiriksson
Erland Sommarskog (8/17/2014)
TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?

Hi Erland, I think Tom is mixing up us two from way up north, even the confusion is misspelled;-)

My (Eirikur :-D) first question is where are the attempts coming from? Is it through the web application or directly?
Follow Erland's advice on the firewall settings, you really want to isolate the SQL Server from the open internet! Secondly, disable SQL Server logins and use only Windows authentication. Last but not least, do not use NTLM authentication (backward compatible Windows authentication)!!!
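
Added example, not part of any post in this thread: one way to answer the two questions raised above (how many failed logins per second, and whether they arrive from remote clients or from the local machine) by tallying the `[CLIENT: ...]` field of the "Login failed" lines in the SQL Server error log. The log lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in SQL Server errorlog layout (documentation-range
# addresses; none of these lines come from the thread).
SAMPLE_LOG = """\
2014-08-17 10:15:32.10 Logon       Error: 18456, Severity: 14, State: 8.
2014-08-17 10:15:32.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-08-17 10:15:32.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2014-08-17 10:15:32.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2014-08-17 10:15:33.10 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
2014-08-17 10:15:34.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
# Sources that indicate a connection made on the server itself.
LOCAL = {"<local machine>", "127.0.0.1", "::1"}

def summarize(log_text):
    """Tally failed logins per (client, login) and the overall attempt rate."""
    per_source, stamps = Counter(), []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # e.g. the "Error: 18456" line or startup messages
        per_source[(m["client"], m["user"])] += 1
        stamps.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    remote = sum(n for (client, _), n in per_source.items() if client not in LOCAL)
    return {
        "per_source": per_source,
        "remote": remote,
        "local": sum(per_source.values()) - remote,
        "per_second": len(stamps) / span if span else float(len(stamps)),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (client, user), n in report["per_source"].most_common():
        where = "local" if client in LOCAL else "remote"
        print(f"{n:4d}  {client:<16} {user:<8} {where}")
    print(f"{report['per_second']:.2f} failed logins/second over the sample")
```

Remote client addresses in the tally mean the instance's port is reachable from outside, which is the firewall problem described earlier in the thread; a local source points at something running on the server itself, such as the web application.
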
Johnny B
To be honest, I'm not totally sure of all the uses of this SQL instance. I'll have to find out (that's why it's called work, right?). I'm actually volunteering...

Anyway. Is there a way to find out what port these attacks are coming in on?

SQL 2012 Standard VPS Windows 2012 Server Standard
Erland Sommarskog
They are all coming in on the port on which SQL Server is listening. You can see this in the SQL Server Configuration Manager or in the beginning of the SQL Server errorlog.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
TomThomson
Erland Sommarskog (8/17/2014)
TomThomson (8/17/2014)
Erikur's advice is all good.


Erikur?

Blush

The nearest I can get to an excuse for the error is that it's hard to recognise names in far northern languages, at least as hard as understanding this bizarre beurla Sasunnach I'm typing in.

Actually, I suspect I'd just read some comments by Erikur in a different thread and the name stuck in my mind somehow.

Tom
