Re: Netstat shows Port 1433 Activity

From: Kevin McDonnell [MSFT] (kevmc_at_online.microsoft.com)
Date: 07/13/04


Date: Tue, 13 Jul 2004 18:34:47 GMT

Previous posting:

At the time I ran TCPView, instead of the usual connections on port
1433, there were many (about 25) established connections on port 1025,
some from IP addresses on the server that should not be establishing
connections. All of these were associated with msdtc.exe. I killed a
couple of these processes. When I killed the 2nd all the remaining
disappeared. What does this indicate?

*** MSDTC is used for Distributed Transactions. If the IP address is not
from a machine that you "Trust", then this machine should be blocked.

When I have observed many connections on port 1433 the state is usually
WAIT_STATE or FIN_2 something.

*** TCP sessions have various states. FIN, TIME_WAIT are all valid states.
See:
137984 TCP Connection States and Netstat Output
http://support.microsoft.com/?id=137984

The server is a leased server at an ISP (Interland) that I administer
remotely via Terminal Services. There are 2 NICs: 1 to their LAN and 1
to the Internet.

*** Your provider should also have a firewall to prevent machines
from establishing connections. If they don't, you should seriously consider
publishing SQL from ISA Server.

For firewall I hoped to use IPSEC. I assume that 'Standard SQL
Security' means the same to you as to me (passwords, limit user
capabilities) and the answer is Yes.

*** If you only have certain valid clients that should be connecting to
your SQL Server across the internet, then IPSec or a VPN could be used.
Otherwise, since your server is open and using Standard Security, you'll
be open to password guessing attacks.

If the connection state is not 'ESTABLISHED' does that mean that other
devices are attempting to connect unsuccessfully? Could these be port
scanner viruses or similar?

*** See TCP Connection States kb.

The msdtc.exe ESTABLISHED connections caused me more concern. Does that
mean my server and another device were 'handshaking' or exchanging
data?

*** If your SQL Server is not using Distributed Transactions, Stop the
MSDTC Server Service.

Thanks,

Kevin McDonnell
Microsoft Corporation

This posting is provided AS IS with no warranties, and confers no rights.
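
Added example (not part of the original posting and not Microsoft code): a short Python script that applies the advice above to `netstat -ano` output, tallying TCP states on the ports discussed and listing ESTABLISHED peers that fall outside a trusted range. The sample rows, the trusted subnet and the function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1433        0.0.0.0:0              LISTENING       1180
  TCP    192.0.2.10:1433        198.51.100.7:4312      TIME_WAIT       0
  TCP    192.0.2.10:1433        198.51.100.7:4313      FIN_WAIT_2      1180
  TCP    192.0.2.10:1433        10.0.0.5:2201          ESTABLISHED     1180
  TCP    192.0.2.10:1025        203.0.113.44:3990      ESTABLISHED     904
  TCP    192.0.2.10:1025        10.0.0.5:2207          ESTABLISHED     904
  TCP    192.0.2.10:3389        10.0.0.9:1507          ESTABLISHED     772
"""

WATCHED_PORTS = {1433, 1025}  # SQL Server, and the port msdtc.exe was seen on in the post
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]  # assumed allowlist of known clients


def parse_netstat(text):
    """Yield (local_port, remote_ip, state, pid) for each IPv4 TCP row."""
    for line in text.splitlines():
        f = line.split()
        # Skip the header, UDP rows (no state column) and bracketed IPv6 rows.
        if len(f) != 5 or f[0] != "TCP" or f[1].startswith("["):
            continue
        local_port = int(f[1].rsplit(":", 1)[1])
        remote_ip = ipaddress.ip_address(f[2].rsplit(":", 1)[0])
        yield local_port, remote_ip, f[3], int(f[4])


def review(text, ports=WATCHED_PORTS, trusted=TRUSTED):
    """Return (state counts per watched port, untrusted peers with live sessions)."""
    states, untrusted = Counter(), []
    for port, remote, state, pid in parse_netstat(text):
        if port not in ports or state == "LISTENING":
            continue
        states[(port, state)] += 1
        # ESTABLISHED means the handshake completed and a session is open;
        # TIME_WAIT and FIN_WAIT_2 rows are sessions that are closing down.
        if state == "ESTABLISHED" and not any(remote in n for n in trusted):
            untrusted.append((port, str(remote), pid))
    return states, untrusted


if __name__ == "__main__":
    states, untrusted = review(SAMPLE)
    for (port, state), n in sorted(states.items()):
        print(f"port {port:<5} {state:<12} {n}")
    for port, remote, pid in untrusted:
        print(f"UNTRUSTED peer {remote} on port {port} (PID {pid})")
```

The PID column can be matched against Task Manager or TCPView to confirm which process (for example msdtc.exe) owns a flagged connection.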


