Windows 2003 blocking port 1433 outside

Hi experts,

I have a Windows 2003 Standard server that has SQL Server and IIS installed, and 2 NICs (one for the local network, one for the internet with a public IP).

I'm getting a lot of "Login failed for user admin" in SQL Profiler and the Event Viewer. First there were a few per minute; now I have about 5 to 10 per second!

If I run netstat -a -o, this is what I have:
...
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5325  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5456  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5625  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5731  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5782  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5841  TIME_WAIT       0
...

I think it's some kind of process scanning the SQL Server port. I'd like to know if I can disable port 1433 (I think it's the quickest solution) only for outside requests; my local clients (aspx pages, SQL analyzer, database manager) shouldn't be affected.

I was about to test TCP/IP filtering, but I think it will block port 1433 for local apps too.

Do you know how to configure security on this server without installing additional firewall software? Is ICF (Internet Connection Firewall), which comes with Windows 2003, a good option?
CARLOSVILLACRIZ asked:
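To make the netstat evidence above easier to act on, here is an added example (not part of the original thread) that parses "netstat -a -o" rows, counts connections per remote host to the SQL Server listener, and flags only hosts outside the LAN, which is exactly the split the poster wants (outside blocked, local clients untouched). The sample rows are constructed; the script assumes LAN clients appear as private IPs rather than DNS names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of Windows "netstat -a -o" output (not a real capture):
# rbaxter02 and ecostumeshop.com appear in the thread; the IPs and host2.example.net are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    rbaxter02:http         10.0.0.12:1051         ESTABLISHED     1724
  TCP    rbaxter02:ms-sql-s     10.0.0.12:1063         ESTABLISHED     1212
  TCP    rbaxter02:ms-sql-s     10.0.0.12:1064         ESTABLISHED     1212
  TCP    rbaxter02:ms-sql-s     host2.example.net:4101 TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5325  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5456  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5625  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5731  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5782  TIME_WAIT       0
  TCP    rbaxter02:ms-sql-s     ecostumeshop.com:5841  TIME_WAIT       0
"""

# Matches one TCP row: local host:port, foreign host:port, state, PID (UDP rows are skipped).
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$")
SQL_PORTS = {"ms-sql-s", "1433"}  # netstat prints the service name unless run with -n

def is_lan_peer(host):
    """True for private/loopback IPs; DNS names are treated as outside (assumption)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def sql_peers(netstat_text):
    """Count TCP connections per foreign host whose local port is the SQL Server listener."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = TCP_ROW.match(line)
        if m and m.group(2) in SQL_PORTS:
            counts[m.group(3)] += 1
    return counts

def flag_outside_sql_peers(netstat_text, threshold=3):
    """Outside hosts with at least `threshold` SQL connections, busiest first; LAN peers are never flagged."""
    hits = [(host, n) for host, n in sql_peers(netstat_text).items()
            if n >= threshold and not is_lan_peer(host)]
    return sorted(hits, key=lambda hn: (-hn[1], hn[0]))

if __name__ == "__main__":
    for host, n in flag_outside_sql_peers(SAMPLE_NETSTAT):
        print(f"{host}: {n} connections to ms-sql-s from outside the LAN")
```

Pipe real "netstat -a -o" output into sql_peers to get the same per-host counts; the flagged hosts are the ones a perimeter rule on 1433 should drop without touching the private-IP clients.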

wesly_chen commented:
Hi,
ICF is OK. There is another free firewall (Sygate):
http://www.uant.net/downloads/spf.exe

Wesly
0
TMWSIY commented:
You need to get your server off the internet!!

Hackers can always "get" to your external device. A software firewall will leave your server on the internet but hopefully protected. I recommend you use a hardware firewall such as www.ipcop.org.

IpCop is a very good firewall that is easy to use and configure, and it's free!

With that said, you should open your SQL 2000 Server Manager and right-click on your database under the SQL Server Group. Select Properties and click on the Connections tab. At the bottom, uncheck the box that says "Allow other SQL Servers to connect remotely to this SQL Server using RPC". This will cause you problems if you need to execute remote stored procedures, but from the sounds of it you should be OK. I have never tried this because I use that functionality. If you do uncheck it and have problems, you will need to re-enable it.

In the interim you need to check this out:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/hnw_enable_firewall.asp

Hope this helps
Trey
0
CARLOSVILLACRIZ (author) commented:
Hi,

I configured ICF, but when I enabled it I couldn't access the website from the internet. I enabled ports 80 (web) and 4899 (remote admin) and none of them work. I don't want to restart the server because I could lose contact with it.

The server has 2 NICs, one for the internet and one for the LAN; do you think that's the problem?

Carlos V.
0

wesly_chen commented:
ICF is per NIC, so each NIC can have its own ICF setting.
When you enable ICF, there are a couple of options: FTP, SMTP, POP3, HTTP, HTTPS, remote desktop.
You can simply check the services you want to allow to pass through ICF. HTTP and HTTPS are for the web service.
By the way, remote desktop is port 3389. I don't know about port 4899.

Anyway, I agree with Trey that using a hardware firewall is much better and safer than a software firewall.

Wesly
0
br4inphr33ze commented:
I also agree with Trey, but I would suggest that you use a REAL hardware firewall. IPCop, although a very good firewall, is still a software firewall; a hardware firewall is some kind of Cisco box etc., which are a lot better because the software is "burnt-in": it is a lot harder to hack and change the internal software, etc.
0
TMWSIY commented:
br4inphr33ze,

IpCop is a hardware firewall. It's a Linux distro that you install on a dedicated box. Its sole purpose is to protect the network on which it is installed. It has most of the features of Cisco products, but it's free. I needed a very configurable router/firewall for my corporate network since we do a lot of B2B and have specialized software. I also needed a DMZ, VPN and bandwidth throttling for 50 users. I wanted something that said Cisco on it, but it was thousands of dollars for this setup :(

I built the IpCop box out of parts from trashed PCs and it works great. It basically has 3 different NICs for Internal, External, and DMZ. All NICs are protected, and only by explicitly defining rules can traffic pass back and forth.

I had absolutely no Linux experience when I installed IpCop. It's very easy to install and use, and they have a great mailing list that offers support.

They just released a new version that has an option for a 4th NIC to set up a wireless "Zone". This Zone uses a VPN to access the IpCop machine, so it is much more secure than WEP or WAP.

Check it out!!! It's FREE!!
www.ipcop.org
Trey
0
TMWSIY commented:
Having a multi-homed server should not cause you problems.

If you are at an external location, port scan your server and see if port 1433 is open. If it is, disable remote RPC access as I have instructed and rescan to see if it's still open.

And please think about some kind of firewall... please.

Trey
0
CARLOSVILLACRIZ (author) commented:
Hi experts,

I know why it isn't working: it's because one NIC is configured with multiple public IPs, and from what I read, ICF won't work in this situation. I'd like to test a software firewall (free, I hope) that can work with multiple IPs. It would be better if I didn't have to restart the server.

By the way, I'm not sure if IpCop has a version for Windows 2003; do you know? Is it reliable?

Carlos V.
0
TMWSIY commented:

IpCop is its own OS. You need to install it on an extra computer and allow it to act as your gateway to the internet. I built mine out of an old K6-2 with 32MB of RAM and it runs great. I threw in 3 old 3Com ISA 10Mbit cards and was ready to go. I also have multiple IPs and IpCop can take advantage of them.

You will be hard pressed to find a free firewall that would fit your needs and run on W2003. ZoneAlarm will not allow you to open ports unless you purchase the Pro edition, and I'm not even sure if they have a W2003 version yet.

Good Luck
0
CARLOSVILLACRIZ (author) commented:
Hi TMWSIY,

I don't have physical access to the server; I'm paying for dedicated hosting, so I won't be able to use another computer. I'm managing the server using Radmin V 2.2.

Thanks,

Carlos V.
0
TMWSIY commented:
Did you try port scanning and disabling the SQL RPC?
0
br4inphr33ze commented:
Trey,
I think you are mistaken.
Hardware firewalling is when a piece of hardware like a Cisco router is used; when Linux is used it automatically becomes software firewalling, no matter if the box is dedicated.
0
TMWSIY commented:
lol

Cisco runs IOS, and IOS is a piece of software!

What about Linksys routers? They are a piece of hardware, like a Cisco router, and they run a modded version of Linux... are they not a hardware firewall? :)

When you have a Linux distro that serves as your PC or server and you use iptables for packet filtering, then yes, it would be considered a software firewall. A software firewall is just that: a piece of software that runs on the machine it is protecting. A hardware firewall, IMHO, is a dedicated hardware device that serves no purpose other than acting as a firewall/gatekeeper.

Either way, CARLOSVILLACRIZ needs to have one or the other :)

Trey
0
CARLOSVILLACRIZ (author) commented:
OK, everything you say about the routers is clear, but you're talking about using Linux?
I have a Windows 2003 Standard server; I access my hosting using Radmin and Remote Desktop only.

Where can I disable SQL RPC? For now I'm worried about blocking 1433 immediately (without turning off SQL Server and the public website); after a couple of days I could talk with my hosting provider about adding firewall capabilities. I think I'll have to decide considering the costs of each alternative.

Thanks a lot,

Carlos V.
0
CARLOSVILLACRIZ (author) commented:
Hi,

By the way, I've already disabled the option "Allow other SQL Servers to connect remotely to this SQL Server using RPC" and the "login failed" events continue appearing. Is this the right option to disable SQL RPC?

Carlos V.
0
TMWSIY commented:
OIC,

A Linux solution is not possible :)

If you admin the SQL Server remotely, you might have problems if you disable the RPC. You will not be able to connect to the SQL Server using a remote machine and Server Manager. I haven't used Radmin, but if it gives you local access to the box you can still use the LOCAL SQL Server Manager to modify and admin the SQL Server.

With that said, you should open your SQL 2000 Server Manager and right-click on your database under the SQL Server Group. Select Properties and click on the Connections tab. At the bottom, uncheck the box that says "Allow other SQL Servers to connect remotely to this SQL Server using RPC". This will cause you problems if you need to execute remote stored procedures, but from the sounds of it you should be OK. Does your website allow public access to the SQL Server from your webpages?

Trey

0
TMWSIY commented:
It seems that Microsoft's answer is to block it at the firewall?

I'm not aware of a software firewall that works with multiple IPs, but you need to find one! Sorry I can't be of more help :(

At the least I would change the default port of SQL. Since you're not using it, it should not cause problems. Change it to 61263 or something and that will reduce your login attempts. Be sure you're patched to the hilt! SQL SP3 is a good place to start, but I would also run MBSA and make sure you're up to date on all your patches. As long as your server is exposing port 1433, the Slammer virus will keep filling up your logs :(

Trey

0

CARLOSVILLACRIZ (author) commented:
OK TMWSIY! Changing the port won't affect the aspx pages that access the DB?

So will I only need to modify the port in the SQL Server Client Network Utility, right?

Carlos V.
0
TMWSIY commented:
I'm not sure how your aspx forms connect to the DB? If you're using a DSN you should be OK.

Go to SQL Server Properties, General tab
Click on Network Configuration
Select TCP/IP
Update the port number
Restart SQL Server
Update clients to point to the new port number.

0
TMWSIY commented:
Be sure you test your aspx pages as soon as you restart your SQL Server. If they don't work, you will have to change it back to 1433 and then restart again. At that point we will need to look into other options. It would be a pain to change all your aspx pages unless you use a connection function in all your pages so you only have to change it in one place...


Let us know :)
0
CARLOSVILLACRIZ (author) commented:
Hi TMWSIY,

I only had to set up the values in the Client Network Utility with the new port. The aspx pages are working OK.

Thanks for your help; I'm giving the points to you.

Carlos V.
0
TMWSIY commented:
Glad to be of help, Carlos, but you really need to find a firewall that fits your needs and close down those ports :)

I'll keep my eye out.

Trey
0
CARLOSVILLACRIZ (author) commented:
OK TMWSIY, I know I'll have to find a firewall solution soon; changing this port gives me a couple more days to find which one will be adequate..

Carlos V.
0