• Status: Solved

SQL Server Under Attack

Every now and then I get flooded by a password crack hitting my SQL port. I see the audits in the event log. I'd prefer not to keep blocking IP addresses of attackers one by one. Is there a way to stop this kind of attack more intelligently? Can SQL Server stop responding to login attempts after so many failures? Would a Cisco firewall be smart enough to block such suspicious traffic?
Asked by: elmoredaniel

Keith Alabaster Commented:
Can you give some more detail Dan?
What is your external firewall?
Do you allow any traffic through to the sql server anyway?
Is the server internal or on a DMZ?

elmoredaniel (Author) Commented:
> What is your external firewall?
I have none, I use IPSec to block IPs.

> Do you allow any traffic through to the sql server anyway?
Yes, from other web servers.

> Is the server internal or on a DMZ?
No, because this SQL server is also functioning as a webserver. It must be externally accessible.

Thanks!

Keith Alabaster Commented:
Then yes is the answer to your initial post.

Whether you used a hardware or software based firewall, you would be able to control the traffic to your SQL server.
The reality is that as soon as you open any hole between the outside and inside, there are risks. However, a firewall will mitigate the vast majority of known issues.

Something like a PIX 501 is not expensive.

regards
Keith
 
elmoredaniel (Author) Commented:
Can I control who has access to the server with just IPSec?

Keith Alabaster Commented:
I would say no, as IPSec only controls the ports, not the IP addresses.

elmoredaniel (Author) Commented:
No, IPSec controls IP addresses too. I just can't seem to figure out how to prioritize rules.

Keith Alabaster Commented:
Then we are looking at different things.

ahoffmann Commented:
> I have none, I use IPSec to block IPs.
IPSec has nothing to do with a firewall.

I highly recommend that you use a firewall, best as its own device (router or whatever).
Also close your SQL port on the public IP and make it listen on localhost only, then configure your web server to connect to localhost. This makes it at least impossible to connect to your SQL server directly.

elmoredaniel (Author) Commented:
> IPSec has nothing to do with a firewall
Firewall: A gateway that limits access between networks in accordance with local security policy.

That's exactly what IPSec is doing.

Maybe I posted this question in the wrong section.

ahoffmann Commented:
> That's exactly what IPSec is doing.
not sure what you mean, probably we have different definitions of IPSec. I meant what you find in http://rfc.net/rfc2401.html

> Maybe I posted this question in the wrong section.
depends
if you want to protect your SQL server by a firewall, you're right here
if you want to do the protection without a firewall, the Security TA might be better
but as it might affect more topics, I'd suggest to leave it as is

Back to your question: did you make a decision where to place your SQL server?

elmoredaniel (Author) Commented:
Okay, on the firewall (hardware) discussion then, aside from setting up a secure network and restricting access to ports, I wanted to know if a Cisco PIX can detect malicious traffic and block it automatically. Like detecting that 10 hits a second from 1 IP address is not normal traffic.

ahoffmann Commented:
> ..  pix can detect malicious traffic and block it automatically.
Even if a PIX can detect something, I guess that it is not sufficient for SQL attacks, 'cause the (network) firewall does not work at the application layer. For detecting and preventing such attacks you need a web application firewall (WAF).
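
The rate check raised in the thread (10 hits a second from one IP address), as an added example that is not part of the original posts: a Python detector that counts failed logins per client address in a sliding window. It assumes the audit lines follow the SQL Server error-log layout ending in `[CLIENT: <ip>]`; the sample lines, the addresses and the name `find_offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: SQL Server error-log entries for failed logins, which end
# with "[CLIENT: <ip>]". Adjust the pattern to your own audit source.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '[^']*'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def find_offenders(lines, threshold=10, window=timedelta(seconds=1)):
    """Map each client IP to the time it first hit `threshold` failed
    logins inside one sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated entries
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] >= window:  # drop failures older than the window
            times.popleft()
        if len(times) >= threshold:
            offenders.setdefault(m["ip"], ts)
    return offenders

# Constructed sample (documentation address ranges): 12 guesses against 'sa'
# within one second, plus one ordinary user who mistypes once and then logs in.
REASON = "Reason: Password did not match that for the login provided."
SAMPLE = [
    f"2024-01-15 10:15:00.{cs:02d} Logon       Login failed for user 'sa'. "
    f"{REASON} [CLIENT: 203.0.113.7]"
    for cs in range(0, 96, 8)
] + [
    f"2024-01-15 10:15:30.00 Logon       Login failed for user 'web'. "
    f"{REASON} [CLIENT: 198.51.100.20]",
    "2024-01-15 10:15:41.00 Logon       Login succeeded for user 'web'. "
    "Connection made using SQL Server authentication. [CLIENT: 198.51.100.20]",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when}")
```

The returned addresses can feed whatever block list is already in use, such as the IPSec filters or a firewall rule; the threshold and window are assumptions to tune against normal traffic.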