Windows 2003 and SQL 2005 Attacks

kbrindle2002
Hey all,
I have a Windows 2003 Server (Standard, 64-bit version) on a Dell PowerEdge 2850. We have SQL 2005 (no SP1 on that yet, but still testing). Lately the box has been getting hit big time: so many failed login audits in the security log that I have given up counting. I traced the IPs, some in Russia, the Netherlands, China, etc., but Cisco recommended I just block the individual IPs on the firewall. I don't know about you guys, but there has got to be an easier way to protect our SQL server!! I am an MCP working on her MCSE, but security is still rather new to me and there are sooo many articles out there... so any "step-by-step hand-holding" guides will be welcomed!!

Here is an example of what is going on, using the Sysinternals tool TCPView (keep in mind that this is only a sampling; there are over 264 more rows of the same... obviously an attack, but not sure what to do... and yes, I know it's from a German ISP... not sure if I can contact them or not...)

[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10016
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10110
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10305
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10615
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10819
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10823
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10843
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10970
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11144
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11205
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11251
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11453
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11604
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11700
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11753
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:11914
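A defender-side triage check built around TCPView rows like the ones above, added here and not part of the original post: it parses TCPView's text layout, counts TCP connections to the ms-sql-s listener per remote host (skipping an assumed trusted internal name suffix), and lists the hosts over a threshold as candidates for the firewall block that Cisco suggested. The sample rows and the .corp.example names are constructed.

```python
import re
from collections import Counter

# Constructed sample in TCPView's text layout; the essentkabel host is the one
# from the post above, the .corp.example rows are made-up internal clients.
SAMPLE = """\
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10016
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10110
sqlservr.exe:1234 TCP sql001:ms-sql-s appsrv01.corp.example:49152
[System Process]:0 TCP sql001:ms-sql-s wc-133.r-195-35-218.essentkabel.com:10305
svchost.exe:900 TCP sql001:3389 admin-pc.corp.example:52000
sqlservr.exe:1234 TCP sql001:ms-sql-s appsrv01.corp.example:49153
"""

# One TCPView row: "<process>:<pid> <proto> <local>:<port> <remote>:<port> [state]"
# The process name may contain spaces ("[System Process]"), hence the lazy match.
ROW = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>\S+):(?P<lport>\S+)\s+(?P<rhost>\S+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

SQL_PORTS = {"ms-sql-s", "1433"}  # TCPView shows the service name when it resolves it

def parse_rows(text):
    """Return one dict per line that matches the TCPView layout; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def sql_connections_by_remote(text, trusted_suffixes=(".corp.example",)):
    """Count TCP connections to the SQL listener per remote host, skipping trusted names."""
    counts = Counter()
    for r in parse_rows(text):
        if r["proto"] != "TCP" or r["lport"] not in SQL_PORTS:
            continue
        if r["rhost"].endswith(trusted_suffixes):  # assumed internal DNS suffix
            continue
        counts[r["rhost"]] += 1
    return counts

def suspect_hosts(text, threshold=3, trusted_suffixes=(".corp.example",)):
    """Remote hosts with at least `threshold` SQL connections, busiest first."""
    counts = sql_connections_by_remote(text, trusted_suffixes)
    return [(h, n) for h, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE):
        print(f"{host}: {n} connections to ms-sql-s")
```

Feed it a saved TCPView export instead of SAMPLE and raise the threshold to suit your normal client load; one legitimate app server opening many pooled connections should be covered by the trusted suffix, not by the threshold.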
    HAL 9000 Moderator

    Nothing appears to be getting through, so from that point of view you are doing OK.

    If you just simply have to use Windows, then the advice from Cisco is about your only option, as the router is effectively a Linux box protecting your internal system.

    Personally I would be looking at fitting a Linux box between your main internal system and the outside world. Something like Snap Linux with Trustifier would be ideal, as it's so far proven unbreakable and it's extremely easy to administer.

    The other thing to remember is that just because you can see the IP address doesn't mean that this is the originating point of the attack. The attempt could be bounced off another ISP server around the world to throw you off the track, and could be coming from the next-door neighbour or, for that matter, anywhere else in the world.

    Since this looks like a concerted attack, just blocking off the IP addresses will not cure the problem, so you need to do something about the problem before access is gained to the server, which is relatively easy to break like every Windows product. Now for the solution: this depends on just how far you are prepared or allowed to go. It may involve fitting a better Cisco router that is far more robust, or going the whole hog and totally isolating all your Windows products from direct connection to the Net through a separate box running some different OS that is harder to break into.

    Col