Solved

SBS2003 ISA, Need to close 1433 due to hacking

Posted on 2007-12-02
3
476 Views
Last Modified: 2010-04-21
I have a bit of a dilema; I am running SBS2003 with ISA2004. The SBS SQL Server is hosting an application over port 1433 of which is redirected by ISA to a SQL Server 2005 installation. I have a rather long list of IP addresses that have attempted  to break-in using the SA account user/password. As I have noted the breakin attempt, I have added the IP address to a Hacker Network Interface created in ISA to deny access to the network.

Aside from neutering the SA username & password any suggestions within ISA to stop or mitigate the threat? I thought of assigning a different port but that seems to be a short-term solution.

Any suggestions would be welcome.

Tim
0
Comment
Question by:TimPeer
3 Comments
 
LVL 9

Accepted Solution

by:
the_b1ackfox earned 300 total points
ID: 20394569
Why not set up a rule which only accepts 1433 from whatever the ipaddress is of the application?  Like if you have a website then only accept sql from that website (an make sure that the code on the webserver is safe from injection attacks)
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 20395181
I would agree that the above is the common sense approach assuming your scenario allows you to dictate or limit access to certain addresses. ie if this is a public service then you are unlikely to be able to lock it down in this way.

On the assumption that this is a publicly available service (you cannot lock it down to single sources):
Are you sure this is a hack attempt? For example, I run a number of services that are publicly accessible including a Sharepoint portal that has an SQL end to it. The vast majority of what could be called non-authorised access attempts are actually the result of being hit by a port scan rather than a concverted attack on the port.

As you say, changing the port number is a short-term fix plus you would have to tell all the normal users that you had changed the port also as they would need to change the client access to meet the new port number.

The fact that you are opening the port for access at all means you will always be more vulnerable than if you closed down the public access completely - this being the case, all you can really do is ensure the password is suitably strong.
0
 

Author Closing Comment

by:TimPeer
ID: 31412279
Thanks you for your response. Solutions are actually simpler than they appear at first glance. I will obtain the IP address ranges and lock down 1433 for all except the range. Although the first response is the chosen response and since I intend to implement SP, I think it fair to distribute points.

Thanks again!
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
TSQL query to generate xml 4 34
CPU high usage when update statistics 2 30
Tsql query 6 22
SQL Server Error 21 8 24
Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
I have a large data set and a SSIS package. How can I load this file in multi threading?
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to setup several different housekeeping processes for a SQL Server.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question