Re: SQL Server 2000 behind ZoneAlarm Pro 4

From: Ross McKay (rosko_at_zeta.NOT.THIS.BIT.org.au)
Date: 10/15/03


Date: Wed, 15 Oct 2003 05:08:31 GMT

On Wed, 15 Oct 2003 03:43:27 GMT, "Fox" <fox @ connexions .net> wrote:

>I am getting over 50 hits per second that are trying to get into the SA
>account.
>Although they cannot get in, it is using too much of my resources and
>it is creating a log file which is not manageable. I need to refer to the
>log file now for some work I am doing. But it is impossible.
>
>I tried creating Expert Rules for SQLSERVER but the hits keep showing
>up in the log. I must be missing something. Can anyone tell me how to
>stop these hits from making it to the SQL log ? I never created Expert Rules
>before and I really do not know what to block or change regarding SQL.
>I tried only allowing Trusted to Trusted. I tried only allowing the machine
>address. Nothing had any effect at all. Any ideas would be very welcome.
>If possible, I want to make it that the only way to access SQL is to go
>through the web sites which have pages which access it.

Firstly, ZoneAlarm is not really the best thing to protect a server. You
should have a hardware firewall (e.g. a firewall router) for better
protection, as the firewall can fail or be taken down and leave you
open.

However, I think the easiest way to use ZoneAlarm in your situation is
this.

1) add Localhost to your zones as a trusted IP address (127.0.0.1)
2) remove your expert rules on SQL Server
3) allow SQL Server to access Trusted, and act as server for Trusted
4) block SQL Server from access and act as server for Internet
5) allow SQL Server Service Manager to access Trusted, block all other

Remember to click on Apply when changing your firewall zones settings.
Closing the ZoneAlarm window does not apply the changes!

If you have all this in place and are still getting hit, then the SQL
Server connection is local and must be a local process, e.g. a web
script or DLL that has been compromised.

I notice from the thread in microsoft.public.sqlserver.programming that
you are running a web server on this machine as well. As Aaron said, you
only need to allow access to port 80, no-one needs to access port 1433
etc. for your web application to run. KISS - only open up what is
needed.

--
Ross McKay, WebAware Pty Ltd
"Words can only hurt if you try to read them. Don't play their game" - Zoolander
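Added example, not code from the thread: a small Python triage script that counts failed 'sa' logins in the SQL Server error log per client address and per second, so you can tell whether the hits are still arriving after the zone changes and whether the survivors come from the local machine, which is what the reply says would point at a local process. The log lines are constructed and use the SQL Server 2005+ format with the `[CLIENT: ...]` suffix; SQL Server 2000 writes the same "Login failed" line without a client address, so on that version the source shows as `unknown`.

```python
import re
from collections import Counter

# Constructed sample errorlog excerpt (addresses are documentation ranges).
# The last "Login failed" line mimics SQL Server 2000, which omits [CLIENT: ...].
SAMPLE_LOG = """\
2003-10-15 03:43:27.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2003-10-15 03:43:27.11 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2003-10-15 03:43:27.12 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2003-10-15 03:43:27.50 Logon       Login failed for user 'sa'. [CLIENT: 127.0.0.1]
2003-10-15 03:43:28.02 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2003-10-15 03:43:28.30 spid51      Starting up database 'master'.
2003-10-15 03:43:29.00 Logon       Login failed for user 'sa'.
"""

# Timestamp to the second, the Logon source, the user, and an optional client.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\."
    r"(?:\s*\[CLIENT: (?P<client>[^\]]+)\])?"
)

# Values SQL Server reports for connections that originate on the box itself.
LOCAL_SOURCES = {"127.0.0.1", "::1", "<local machine>"}


def summarize_failed_logins(log_text, user="sa"):
    """Return (hits per source, hits per second, peak hits in one second)."""
    per_source = Counter()
    per_second = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        per_source[m.group("client") or "unknown"] += 1
        per_second[m.group("ts")] += 1
    return per_source, per_second, max(per_second.values(), default=0)


def classify_sources(per_source):
    """Split hits into local / remote / unknown. Local hits survive a perimeter
    block, so a non-zero local count is the signal the reply describes."""
    buckets = Counter()
    for client, n in per_source.items():
        if client == "unknown":
            buckets["unknown"] += n
        elif client in LOCAL_SOURCES:
            buckets["local"] += n
        else:
            buckets["remote"] += n
    return buckets


if __name__ == "__main__":
    sources, _, peak = summarize_failed_logins(SAMPLE_LOG)
    print("peak failed 'sa' logins in one second:", peak)
    print("by source:", dict(sources))
    print("classified:", dict(classify_sources(sources)))
```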

