Solved

Windows 2003 blocking port 1433 outside

Posted on 2004-11-03
23
Medium Priority
384 Views
Last Modified: 2008-03-17
Hi experts,

I have a Windows 2003 Standard server that has SQL Server and IIS installed, with 2 NICs (one for the local network, one for the internet with a public IP).

I'm getting a lot of "Login failed for user admin" from the SQL Profiler and the event viewer. First there were a few per minute, now I have about 5 to 10 per second!

If I run netstat -a -o this is what I have:
...
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5325  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5456  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5625  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5731  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5782  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5841  TIME_WAIT       0
...

I think it's some kind of process scanning the SQL Server port. I'd like to know if I can disable port 1433 (I think it's the quicker solution) only for outside requests; my local clients (aspx pages, SQL Analyzer, database manager) shouldn't be affected.

I was about to test tcp/ip filtering but I think it will block port 1433 for local apps too.

Do you know how to configure security on this server without installing additional firewall software? Is ICF (Internet Connection Firewall), which comes with Windows 2003, a good option?
0
Question by:CARLOSVILLACRIZ
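One way to tell whether the ms-sql-s traffic in a listing like the one above comes from outside the LAN, as an added example (not the poster's own code): it parses the numeric form of the same listing (netstat -a -n -o) and counts sockets on the SQL port per remote host that is not in an assumed LAN subnet of 192.168.0.0/24. The sample listing and all addresses in it are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "netstat -a -n -o" output in the Windows layout shown in the
# question, but numeric (-n) so remote addresses can be classified. Not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1512
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:1433       192.168.0.20:3412      ESTABLISHED     1512
  TCP    203.0.113.7:1433       198.51.100.23:5325     TIME_WAIT       0
  TCP    203.0.113.7:1433       198.51.100.23:5456     TIME_WAIT       0
  TCP    203.0.113.7:1433       198.51.100.23:5625     TIME_WAIT       0
  TCP    203.0.113.7:1433       198.51.100.23:5731     TIME_WAIT       0
  TCP    203.0.113.7:1433       203.0.113.99:5841      SYN_RECEIVED    0
  TCP    203.0.113.7:80         198.51.100.44:41022    ESTABLISHED     4
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
# Assumption: the LAN-side NIC sits in this range; replace with the real internal subnet.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, int(rport), state

def external_sql_clients(text, sql_port=1433, lan_net=LAN_NET):
    """Count sockets on sql_port per remote host outside lan_net. Listening sockets (foreign
    0.0.0.0:0) are skipped; TIME_WAIT still counts, since a pile of short-lived connections
    from one host is exactly the trace a port scanner leaves behind."""
    counts = Counter()
    for proto, _lip, lport, rip, _rport, _state in parse_netstat(text):
        if proto != "TCP" or lport != sql_port:
            continue
        try:
            addr = ipaddress.ip_address(rip)
        except ValueError:  # e.g. a bracketed IPv6 "[::]" that netstat prints on newer hosts
            continue
        if addr.is_unspecified or addr in lan_net:
            continue
        counts[rip] += 1
    return counts
```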
23 Comments
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12485905
Hi,
ICF is ok. There is another free firewall (Sygate):
http://www.uant.net/downloads/spf.exe

Wesly
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12486745
You need to get your server off the internet!!

Hackers can always "get" to your external device.  A software firewall will leave your server on the internet but hopefully protected.  I recommend you use a hardware firewall such as www.ipcop.org.

IpCop is a very good firewall that is easy to use and configure, and it's free!

With that said, you should open your SQL 2000 Server manager and right click on your database under the SQL Server Group.  Select properties and click on the Connections tab.  At the bottom uncheck the box that says "Allow other SQL Servers to connect remotely to this SQL Server using RPC".  This will cause you problems if you need to execute remote stored procedures, but from the sounds of it you should be ok.  I have never tried this because I use that functionality.  If you do uncheck it and have problems you will need to re-enable it.

In the interim you need to check this out:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/hnw_enable_firewall.asp

Hope this Helps
Trey
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12489519
Hi,

I configured ICF, but when I enabled it I couldn't access the website service from the internet. I enabled ports 80 (web) and 4899 (remote admin) and none of them work. I don't want to restart the server because I could lose contact with it.

The server has 2 NICs, one for the internet and one for the LAN. Do you think that's the problem?

Carlos V.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12491064
ICF is based on the NIC. So each NIC can have its own ICF setting.
When you enable ICF, there are a couple of options: FTP, SMTP, POP3, HTTP, HTTPS, remote desktop.
You can simply check the services you want to allow to pass through ICF. HTTP and HTTPS are for web service.
By the way, remote desktop is port 3389. I don't know about port 4899.

Anyway, I agree with Trey that using a hardware firewall is much better and safer than a software firewall.

Wesly
0
 

Expert Comment

by:br4inphr33ze
ID: 12491628
I also agree with Trey, but I would suggest that you use a REAL hardware firewall. IPCop, although a very good firewall, is still a software firewall; a hardware firewall is some kind of Cisco box etc., which are a lot better because the software is "burnt-in", so it is a lot harder to hack and change the internal software etc.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12493002
br4inphr33ze,

IpCop is a hardware firewall.  It's a Linux distro that you install on a dedicated box.  Its sole purpose is to protect the network on which it is installed.  It has most of the features of Cisco products but it's free.  I needed a very configurable router/firewall for my corporate network since we do a lot of B2B and have specialized software.  I also need a DMZ, VPN and bandwidth throttling for 50 users.  I wanted something that said Cisco on it but it was thousands of dollars for this setup :(

I built the ipcop box out of parts from trashed PCs and it works great.  It basically has 3 different NICs for Internal, External, and DMZ.  All NICs are protected and only by explicitly defining rules can traffic pass back and forth.

I had absolutely no Linux experience when I installed Ipcop.  It's very easy to install and use and they have a great mailing list that offers support.

They just released a new version that has an option for a 4th NIC to set up a wireless "Zone".  This Zone uses a VPN to access the ipcop machine so it is much more secure than WEP or WAP.

Check it out!!! It's FREE!!
www.ipcop.org
Trey
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12493022
Having a multi-homed server should not cause you problems.

If you are at an external location, port scan your server and see if port 1433 is open.  If it is, disable remote RPC access as I have instructed and rescan to see if it's still open.

And please think about some kind of firewall....please.

Trey
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12496091
Hi experts,

I know why it isn't working: it's because one NIC is configured with multiple public IPs, and I read that ICF won't work in this situation. I'd like to test any software firewall (I hope free) that can work with multiple IPs. It would be better if I didn't have to restart the server.

By the way, I'm not sure if IpCop has a version for Windows 2003. Do you know that? Is it reliable?

Carlos V.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12496157

IpCop is its own OS.  You need to install it on an extra computer and allow it to act as your gateway to the internet.  I built mine out of an old K6-2 with 32MB of RAM and it runs great.  I threw in 3 old 3Com ISA 10mbit cards and was ready to go.  I also have multiple IPs and IpCop can take advantage of them.

You will be hard pressed to find a free firewall that would fit your needs and run on W2003.  ZoneAlarm will not allow you to open ports unless you purchase the Pro edition, and I'm not even sure if they have a W2003 version yet.

Good Luck
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12496377
Hi TMWSIY,

I don't have physical access to the server; I'm paying for dedicated hosting, so I won't be able to use another computer. I'm managing the server using Radmin v2.2.

Thanks,

Carlos V.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12496408
Did you try port scanning and disabling the SQL RPC?
0
 

Expert Comment

by:br4inphr33ze
ID: 12500855
Trey,
I think you are mistaken,
Hardware firewalling is when a piece of hardware like a Cisco router is used; when Linux is used it automatically becomes software firewalling, no matter if the box is dedicated.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12503656
lol

Cisco runs IOS and IOS is a piece of software!

What about Linksys routers?  They are a piece of hardware, like a Cisco router, and they run a modded version of Linux... are they not a hardware firewall? :)

When you have a Linux distro that serves as your PC or server and you use iptables for packet filtering, then yes, it would be considered a software firewall.  A software firewall is just that: a piece of software that runs on the machine it is protecting.  A hardware firewall, imho, is a dedicated hardware device that serves no purpose other than acting as a firewall/gatekeeper.

Either way  CARLOSVILLACRIZ needs to have one or the other:)

Trey
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12504137
Ok, everything you say about the routers is clear, but you're talking about using Linux?
I have a Windows 2003 Standard server, and I access my hosting by using Radmin and remote desktop only.

Where can I disable SQL RPC?  For now I'm worried about blocking 1433 immediately (without turning off SQL Server and the public website); after a couple of days I could talk with my hosting provider to add firewall capabilities to it. I think I'll have to decide considering the costs of each alternative.

Thanks a lot,

Carlos V.
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12504221
Hi,

By the way, I've already disabled the option "Allow other SQL Servers to connect remotely to this SQL Server using RPC" and the "login failed" events continue appearing. This is the option to disable SQL RPC, right?

Carlos V.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12504231
OIC,

A linux solution is not possible :)

If you admin the SQL server remotely you might have problems if you disable the RPC.  You will not be able to connect to the SQL server using a remote machine and Server manager.  I haven't used Radmin, but if it gives you local access to the box you can still use the LOCAL SQL server manager to modify and admin the SQL server.

With that said, you should open your SQL 2000 Server manager and right click on your database under the SQL Server Group.  Select properties and click on the Connections tab.  At the bottom uncheck the box that says "Allow other SQL Servers to connect remotely to this SQL Server using RPC".  This will cause you problems if you need to execute remote stored procedures, but from the sounds of it you should be ok. Does your website allow public access to the SQL server from your webpages?

Trey


0
 
LVL 6

Accepted Solution

by:
TMWSIY earned 2000 total points
ID: 12504404
It seems that Microsoft's answer is to block it at the firewall?

I'm not aware of a software firewall that works with multi IPs, but you need to find one!  Sorry I can't be of more help :(

At the least I would change the default port of SQL.  Since you're not using it, it should not cause problems.  Change it to 61263 or something and that will reduce your login attempts.  Be sure you're patched to the hilt!  SQL SP3 is a good place to start, but I would also run MBSA and make sure you're up to date on all your patches.  As long as your server is exposing port 1433 the Slammer virus will keep filling up your logs :(

Trey

0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12504551
Ok TMWSIY! Changing the port won't affect the aspx pages that access the DB?

So will I only need to modify the port in the SQL Server Client Network Utility, right?

Carlos V.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12504598
I'm not sure how your aspx forms connect to the db?  If you're using a DSN you should be ok.

Go to SQL Server Properties, General Tab
Click on Network Configuration
Select TCP/IP
Update Port Number
Restart SQL Server
Update clients to point to the new port number.

0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12504625
Be sure you test your aspx pages as soon as you restart your SQL server.  If they don't work you will have to change it back to 1433 and then restart again.  At that point we will need to look into other options.  It would be a pain to change all your aspx pages unless you use a connection function in all your pages so you only have to change it in one place...


Let us know :)
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12504757
Hi TMWSIY,

I only had to set up the values in the Client Network Utility with the new port. The aspx pages are working ok.

Thanks for your help, I'm giving the points to you.

Carlos V.
0
 
LVL 6

Expert Comment

by:TMWSIY
ID: 12504787
Glad to be of help Carlos, but you really need to find a firewall that fits your needs and close down those ports :)

I'll keep my eye out.

Trey
0
 

Author Comment

by:CARLOSVILLACRIZ
ID: 12504882
Ok TMWSIY, I know I'll have to find a firewall solution soon; changing this port gives me a couple more days to find which one will be adequate.

Carlos V.
0
