Re: Is there any way to prevent hacker trying to guess sa password?
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 10/13/05
- Previous message: Dan Guzman: "Re: DELETE permission denied problem when using a stored proc to d"
- In reply to: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Next in thread: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Reply: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Oct 2005 12:48:32 +1000
"Rob R. Ainscough" <robains@pacbell.net> wrote in message
news:ukAppP0zFHA.2008@TK2MSFTNGP10.phx.gbl...
: Simple option that the DBA can configure only permit login attempts every
: XYZ milliseconds, attack can be user defined -- you listed the parameters #
: of failed tries over XYZ milliseconds -- that'll cover the basic attacks at
: least, now the SQL injection attacks and/or crash the service attacks need
: to be addressed separately (no real DBA options here).
The proper way to secure this though isn't in SQL Server per se. Whilst that
might be a "nice to have" feature, I think I'd prefer the SQL Server product
group to work on more important things.
There aren't that many application servers that limit the number of
logons/sec (e.g. Active Directory doesn't, IIS doesn't, SQL Server doesn't,
Exchange doesn't). Instead, you should use an appropriate tool for the job.
By using the most appropriate, dedicated tool, we keep things a little
simpler and the network easier to manage and defend.
: But one would HOPE that Microsoft are serious about security (they certainly
: are having problems demonstrating this and have a serious problem with
: making joe consumer feel "safe")
Microsoft's putting a lot of effort into security. Check their website
someday and look at all the consumer guidance they have out there now. Look
at all the tools that have been coming out (MBSA, IISLockDown, AntiSpyware,
Malicious Software Removal Tool). Look at the improvements in security in
SQL Server SP3, IIS 6.0, etc.
: But more importantly MS strategy should
: not only be to prevent, but to identify, locate, shut down and report to the
: authorities
Microsoft does have a honey pot project running. And I'm sure they have
contacts with various authorities to report on the more significant issues.
: But I think the point of telling the DBA, or Developer or IT person
: "security isn't MS problem, it is yours" does NOBODY any good.
Ultimately, security is your responsibility. There are tools out there (like
firewalls, IDSes, and the stuff built into SQL Server). But how you
configure it, and the processes you use to manage it are your
responsibility.
: MS needs to provide these tools,
The tools are there - you just aren't using them. And blaming Microsoft
isn't going to solve the problem.
You think you are the only person in your situation? There are lots of
companies running SQL Server, but they don't all seem to be having the
problem you are having. You need to do a little research, and get the
necessary info on how to configure all this stuff properly so you don't have
this issue.
And frankly, your lockout system is a little scary - you want to lock out the
"sa" account? Sounds like a potential DoS issue to me.
Cheers
Ken
: they need to get serious about security, they NEED to
: understand that DBA's, Developer's, IT people can and do go the easiest
: route to security -- it doesn't matter what the DBA, Developer, IT person
: does or doesn't do, the ultimate perception of being hacked or security
: compromised will point to MS in the public eyes -- so for MS to say it is
: NOT our burden is just foolish. I realize this is falling on deaf ears, but
: MS need to stop the ignorance -- provide the tools, make them easy to use,
: provide intelligent defaults to configurations.
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:OLaBtftzFHA.1264@tk2msftngp13.phx.gbl...
: >
: > "Rob R. Ainscough" <robains@pacbell.net> wrote in message
: > news:ObLmEunzFHA.1040@TK2MSFTNGP14.phx.gbl...
: > : Hi Ken,
: > :
: > : The problem is, those that should be permitted access are not static IPs
: > : (they could be a broadband connection with a dynamic IP) -- IPs can and
: > : do change so that would involve a lot of maintenance to keep them updated,
: > : not to mention the end user would NOT have a clue what is wrong with the
: > : application that no longer can communicate to the SQL Server.
: >
: > Fair enough.
: >
: > : Is there really NOTHING built into Win2K3 or SQL 2000 that has any
: > : intelligence about preventing hacker attacks?
: >
: > What is a hacker attack? 3 tries in 1 second? 10,000 tries in one second?
: >
: > What you want is something like an IDS (Intrusion Detection System), which
: > you can configure at an appropriate threshold which you determine. Then it
: > can do various stuff (like alert you, or configure a block at your firewall
: > or whatever) when a trigger value is reached.
: >
: > However this is something that requires you to think carefully about it -
: > to ensure that a legitimate user doesn't accidentally lock themselves out.
: >
: > : I mean the pattern of a SQL
: > : hacker is pretty simple -- look in the event viewer at the 20000+ login sa
: > : failed attempts (once every 10 seconds).
: >
: > Is this just one IP address? If so, just use TCP filtering in Windows
: > server. 20,000 attempts is pretty obviously a hack. But what if it was only
: > 5 attempts? What then?
: >
: > In any case, this is probably something you should use something else to
: > secure - firewall, VPN etc.
: >
: > Cheers
: > Ken
: >
: > : What I don't like is the
: > : processing time the hacker consumes with all the failed login attempts --
: > : with my 40 character password at one attempt every 10 seconds it would
: > : still take them 5.6034833284317069404025203533663e+87 years to guess the
: > : password -- even assuming they got lucky and hit the jackpot in 1/2 the
: > : time that is still 2.8017416642158534702012601766831e+87 years. So am I
: > : worried about using port 1433, no -- just annoyed that there doesn't appear
: > : to be any tools to automatically ignore these attempts and stop using up my
: > : bandwidth and resources.
: > :
: > : Rob.
: > :
: > : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: > : news:e1Lu4shzFHA.3408@TK2MSFTNGP09.phx.gbl...
: > : > Is it absolutely required that port 1433 be open to the entire internet?
: > : > If not, why not use a firewall or similar to block all IP addresses except
: > : > those that should be permitted access?
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > "Rob R. Ainscough" <robains@pacbell.net> wrote in message
: > : > news:%23qF1TlhzFHA.2640@TK2MSFTNGP10.phx.gbl...
: > : > : Hi Sue,
: > : > :
: > : > : I don't suppose Microsoft provide any such easy to use tools to monitor
: > : > : "patterned" network traffic -- i.e. the same IP attempting connection with
: > : > : my SQL Server every 10 seconds? Also is there anything in SQL Server 2000
: > : > : that can filter out an IP that attempts more than XYZ failed attempts at
: > : > : login with sa?
: > : > :
: > : > : It seems that 95% of hacker activity/patterns are very similar, but I'm not
: > : > : finding anything in the MS 2003 Server nor in MS SQL Server 2000 that would
: > : > : help identify and prevent these patterns -- am I just missing something?
: > : > :
: > : > : If not, are there any tools out there (paid or free) that are easy to use
: > : > : with minimal setup -- I'm a developer and don't have the time to spend on
: > : > : tracking stuff like this down and I've got more important tasks to
: > : > : accomplish with looming deadlines.
: > : > :
: > : > : Any recommendation, tips, hints, web sites to visit would be most
: > : > : appreciated.
: > : > :
: > : > : Thanks, Rob.
: > : > :
: > : > : "Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
: > : > : news:3l3mk1hjlkko4ncs8fajt0gn9m2gi3n4m6@4ax.com...
: > : > : > Nothing built into SQL Server 2000 - you have to get at this
: > : > : > through the OS level using Network Monitor or another
: > : > : > sniffer to capture the IP of the source.
: > : > : >
: > : > : > -Sue
: > : > : >
: > : > : > On Mon, 10 Oct 2005 13:01:32 -0700, "Rob R. Ainscough"
: > : > : > <robains@pacbell.net> wrote:
: > : > : >
: > : > : >>Some hacker has set off a program to try and guess the sa password to my
: > : > : >>SQL Server that is public (1433 is open) -- I'm logging all the attempts
: > : > : >>(about 6 a minute from the start of my logging til now -- several 100,000
: > : > : >>combinations and counting.
: > : > : >>
: > : > : >>Is there anyway to detect the source IP and block/shut it down?
: > : > : >>
: > : > : >>Thanks, Rob.
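The thread keeps circling two practical questions: how a defender turns "20,000 failed sa logins" into a per-source decision (Ken's IDS-with-a-threshold suggestion), and why locking the account itself, rather than blocking the source, is a denial-of-service risk (Ken's last point). The script below is an added example written for this page, not code from anyone in the thread. It parses constructed failed-logon lines in the style of a SQL Server errorlog that records the client address in a `[CLIENT: ...]` tag (a format Sue's reply notes SQL Server 2000 does not provide, so on that version the source address would have to come from a sniffer or firewall log instead), counts failures per source in a sliding window, and reports which sources crossed a threshold the operator chooses. The addresses are RFC 5737 documentation ranges, and the threshold and window values are assumptions to be tuned, exactly the "3 tries in 1 second or 10,000?" question Ken raises.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not a real errorlog) in the style of a SQL Server
# errorlog that records the client address of a failed logon. 203.0.113.5 is
# hammering 'sa' once every ten seconds; 198.51.100.7 is an ordinary user who
# mistyped a password twice, several minutes apart.
SAMPLE_LOG = """\
2005-10-10 13:00:02.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:00:12.11 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:00:15.40 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2005-10-10 13:00:22.09 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:00:32.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:00:42.08 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:00:52.13 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:01:02.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-10 13:04:00.00 Logon       Login failed for user 'appuser'. [CLIENT: 198.51.100.7]
"""

# Timestamp, then the 'Logon' source column, then the message and client tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, source_ip) for every failed-logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not failed logons are simply skipped
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def offending_sources(events, threshold, window_seconds):
    """Sliding-window detector keyed on the SOURCE address, not the account.

    Returns {ip: time the threshold was first crossed}. Per-source counting is
    what lets the response (a firewall block) hit only the attacker, whereas a
    per-account lockout of 'sa' would let the attacker lock out the DBA.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def failures_per_account(events):
    """Total failures per login name: the view an account-lockout policy would act on."""
    counts = defaultdict(int)
    for _ts, user, _ip in events:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print("failures per account:", failures_per_account(evts))
    for ip, when in offending_sources(evts, threshold=5, window_seconds=60).items():
        print(f"{ip} crossed 5 failures/60s at {when}: candidate for a firewall block")
```

With a threshold of 5 failures in 60 seconds only 203.0.113.5 is flagged, at 13:00:42; the legitimate user's two scattered failures never trip it. Tighten the rule to 3 failures in 10 seconds and nothing is flagged at all, because the attacker's one-attempt-per-10-seconds pacing (the rate Rob observed) slips under it; this is why the threshold has to be chosen against observed traffic rather than guessed. The per-account view shows 8 failures against 'sa', so a policy that locked 'sa' after, say, 5 failures would have been triggered by the attacker and would now be keeping the DBA out.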