Re: Brute Force Attack



Vittorio,

If you use SQL 2005 on a Win2003 server, then the OS security policy can
be configured to allow you to only allow N attempts, then block that IP for
X minutes.

No such luck with SQL 2000 - Microsoft is never going to fix it - the
whole mess started when they released a product with an sa account that
couldn't be deleted or changed with a blank as the default password. This
started a whole industry of nerds breaking into SQL servers. They knew the
account name, and many had blank passwords. Those that didn't, they went
after with a brute force pw attack.

Anyway - what works for me.

Write a 20 line custom program (I use VB .NET but you could use anything)
that is run by the Windows task scheduler every 5 minutes (or whatever). Run
under an admin account. The program does the following:

1. Runs netstat -n and dumps the result to a file.
2. Read the file - look for port 1433 - make a list of the ones that are
timing out. Collect the IP numbers of the bad guys.
3. Then run netsh from the custom program to block the IP by adding it to
an existing IP filter list. i.e. - the command would be (this is for a Win
2003 server)

cmd /c netsh ipsec static add filter filterlist="Block IP Numbers" srcaddr=CurIP dstaddr=me protocol=ANY mirrored=no

where "Block IP Numbers" is the name of the filter list and CurIP is the IP
you are blocking.

4. Then send an email to yourself from the program
*************************

This is kind of a convoluted way of doing it but it works fine. Why
Microsoft couldn't come up with something more elegant after all these years
is hard to understand. Have fun. - AND - make sure you are using an
impossible sa password - they will never guess it but unless you stop them
they can sure use up a lot of bandwidth trying.

Russ Stevens
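
Added example, not part of the original post: a Python sketch of steps 1 to 3 above, run over a constructed netstat -n capture. It prints the netsh command from the post instead of executing it. The TIME_WAIT reading of "timing out", the threshold and the allowlist are assumptions, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

SQL_PORT = "1433"
FILTER_LIST = "Block IP Numbers"      # filter list name from the post
SUSPECT_STATES = {"TIME_WAIT"}        # assumption: one reading of "timing out"
THRESHOLD = 2                         # assumption: connections seen before blocking
ALLOWLIST = {ipaddress.IPv4Address("192.0.2.50")}  # assumption: never block these

# Constructed `netstat -n` capture (documentation address ranges only).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1433        203.0.113.7:51812      TIME_WAIT
  TCP    192.0.2.10:1433        203.0.113.7:51813      TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.23:40111    TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.23:40112    ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.50:50001       TIME_WAIT
  TCP    192.0.2.10:1433        192.0.2.50:50002       TIME_WAIT
  TCP    192.0.2.10:50900       198.51.100.9:1433      TIME_WAIT
"""

def suspect_ips(netstat_text):
    """Return remote IPv4 addresses with >= THRESHOLD suspect connections to SQL_PORT."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue                  # headers, UDP rows, blank lines
        _, local, remote, state = fields
        if local.rpartition(":")[2] != SQL_PORT or state not in SUSPECT_STATES:
            continue                  # only inbound connections to the SQL port
        try:
            ip = ipaddress.IPv4Address(remote.rpartition(":")[0])
        except ValueError:
            continue                  # not a bare IPv4 address; skipped
        if ip not in ALLOWLIST:
            counts[ip] += 1
    return [str(ip) for ip in sorted(counts) if counts[ip] >= THRESHOLD]

def block_command(ip):
    """Build the netsh command from the post for one validated address."""
    ip = ipaddress.IPv4Address(ip)    # raises ValueError on anything but an IPv4 address
    return (f'netsh ipsec static add filter filterlist="{FILTER_LIST}" '
            f"srcaddr={ip} dstaddr=me protocol=ANY mirrored=no")

if __name__ == "__main__":
    for addr in suspect_ips(SAMPLE):
        print(block_command(addr))    # dry run: printed for review, not executed
```

The allowlist and threshold keep a scheduled run from locking out an application server or an admin who mistyped a password once.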


