Re: How can I block attempts to hack into my SQL server?



Ryan,

The quick answer is to configure your firewall to not allow incoming requests on port 1433 (default SQL Server port).

If you need to allow that access (either because you or because others that you trust need outside access to the server) then you might want to check out my new utility to provide a bit of self defense for this type of bothersome activity.

http://www.creeksolutions.com/Products/BlockSSHacking/tabid/92/Default.aspx

BlockSSHacking runs as a Windows service protecting your SQL Server from brute force hacking attempts coming from the Internet.

The service checks your system every 5 minutes (configurable setting) for evidence of ongoing hacking. If such attempts are in progress then those source addresses are blocked from future access to your server (quickly leading to you recovering your bandwidth).

BlockSSHacking notifies you via email when it has blocked someone from hacking your system.

Henrik

Ryan wrote:
I see these events in the logs of my SBS R2 server running SQL 2005:

Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18452
Date: 28/12/2006
Time: 10:34:06 PM
User: N/A
Computer: LRGI-MARLIN
Description:
Login failed for user 'sa'. The user is not associated with a trusted SQL Server connection. [CLIENT: 216.222.166.55]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have tried blocking incoming and outgoing traffic on port 1433 in ISA Server and have unchecked the option to allow remote connections to this server, yet I still get these remote attempts to connect to my SQL server. My SQL server is set to use Windows authentication.

How do I block them? Nobody will need to connect to this SQL server remotely.
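
The periodic check described in the reply above (scan for failed-login events, collect the source addresses worth blocking) can be sketched as follows. This is an added example, not part of the original thread and not BlockSSHacking's code; the function name, threshold, allowlist and the sample events (modelled on the event 18452 text quoted above, with documentation-range addresses) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_IDS = {18452}  # event ID quoted in the thread
CLIENT_RE = re.compile(r"Login failed for user '[^']*'.*\[CLIENT: ([^\]]+)\]")

def sources_to_block(events, window=timedelta(minutes=5), threshold=5,
                     allowlist=frozenset()):
    """Return {ip: count} for sources with >= threshold failures in any one window."""
    by_ip = defaultdict(list)
    for ts, event_id, description in events:
        m = CLIENT_RE.search(description)
        if event_id not in FAILED_LOGIN_IDS or not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # e.g. "<local machine>": nothing to block at the firewall
        if ip not in allowlist:  # never lock out trusted administrators
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample events: (timestamp, event ID, description).
T0 = datetime(2006, 12, 28, 22, 34, 6)
MSG = ("Login failed for user '{u}'. The user is not associated with a "
       "trusted SQL Server connection. [CLIENT: {c}]")

def make_event(offset_s, client, user="sa", event_id=18452):
    return (T0 + timedelta(seconds=offset_s), event_id, MSG.format(u=user, c=client))

SAMPLE_EVENTS = (
    [make_event(10 * i, "203.0.113.7") for i in range(6)]    # burst: 6 in 50 s
    + [make_event(900 * i, "192.0.2.15") for i in range(5)]  # slow: 5 over 1 hour
    + [make_event(0, "198.51.100.20", user="ryan"),          # two mistyped logins
       make_event(60, "198.51.100.20", user="ryan")]
    + [make_event(5, "<local machine>")]                     # local connection
)

if __name__ == "__main__":
    print(sources_to_block(SAMPLE_EVENTS))
```

With the default 5-minute window only the burst source is flagged; the slow source stays under the threshold unless the window is widened, which is the trade-off to tune against false positives from legitimate users.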