MSSQL attack

  • MSSQL attack

    Folks,

    One of my servers is getting frequent false login requests from several IPs. Is it possible to block a particular IP using IPSec after a certain number of failed MSSQL login attempts?

    Any help would be much appreciated.

    Thank you
    Mohan Mathew[VU3MMU]
    MCITP [AD]

  • #2
    Re: MSSQL attack

    Hi,

    What SQL version is it? Are those IPs internal? Any other events logged in windows?
    What exactly do the logs say, does it look like a brute force attack or is it sporadic?
    At first thought I doubt IPsec could come handy but it all depends on the situation. A firewall rule or SQL attack prevention would probably be your best option but you need to identify the type of the attack first.
    Last edited by L4ndy; 26th August 2009, 10:05.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: MSSQL attack

      It is 2005. Those are not internal IPs. It is a web server. All the requests are coming from outside our network. All the logs are about Login Failed. I can't restrict MSSQL logins to a particular IP since it is a web server and logins may come from anywhere. I hope my question makes sense. I need to block an IP if the login attempts from that IP exceed the allowed limit of login retries.

      The attack looks like it comes from some proxy. I could see several login attempts targeting 'sa'. If 100 attempts come from one IP, the next 100 come from another IP, and so on. What I'm doing is just identifying each IP and adding it to the denied list, and it doesn't seem very practical.
      Last edited by mohanmathew; 26th August 2009, 11:13. Reason: more ...
      Mohan Mathew[VU3MMU]
      MCITP [AD]



      • #4
        Re: MSSQL attack

        I would make sure that the SA account is either disabled or renamed (made possible on SQL 2005, although I believe it may cause some problems if you try to upgrade to 200), or alternatively make sure you have a long and complex password. Also control the attacks by blacklisting the IPs on the firewall.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: MSSQL attack

          Yeah, it is already disabled. But I need to avoid the attack. I have noticed that sometimes the CPU utilization also increases just because of the attack.
          Mohan Mathew[VU3MMU]
          MCITP [AD]



          • #6
            Re: MSSQL attack

            There are some serious problems in your setup. How is it that external IP addresses are able to make SQL connections to your internal SQL server? Is SQL Server running on the same server that the web server is running on? What traffic (protocols) do you allow from the outside world to go to your web server? Do you have a hardware firewall protecting your network? Are these attacks initiated from the web site or are they direct attacks (port 1433) on SQL?



            • #7
              Re: MSSQL attack

              It is a web server kept in a DC with an external IP address. What I mean is the attacks are not happening from any of the servers inside the DC. Does it make sense? The DC has a firewall device and the port for MSSQL to this server is opened to allow connections from website users. MSSQL is hosted on the same server.
              Mohan Mathew[VU3MMU]
              MCITP [AD]



              • #8
                Re: MSSQL attack

                Originally posted by mohanmathew:
                It is a web server kept in a DC with an external IP address. What I mean is the attacks are not happening from any of the servers inside the DC. Does it make sense? The DC has a firewall device and the port for MSSQL to this server is opened to allow connections from website users. MSSQL is hosted on the same server.
                It's actually getting worse. From a security perspective it is not recommended to have certain server roles (especially web servers) configured on the DC. I would suggest you think about splitting them before your AD is compromised (if it has not already been).

                Cheers
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR



                • #9
                  Re: MSSQL attack

                  We are not using AD authentication. All the authentications are configured using some kind of web control panel.
                  Mohan Mathew[VU3MMU]
                  MCITP [AD]



                  • #10
                    Re: MSSQL attack

                    Yeah, this is bad. A web user should have access to the web site only, not the SQL server. The web site "code" (asp, asp.net, etc.) should be accessing the SQL server. Users shouldn't be allowed to access the SQL server directly. Also, the fact that the server is a DC makes it even worse. The integrity of your entire AD infrastructure is at risk. My recommendation would be to move the web site and SQL to a new server, get the current server out of the DMZ, and change your firewall to allow only HTTP traffic to the web server.

                    Can you give us more detail on how and why the users need access to the SQL server instead of access to the web site only? Normally users access a web site (HTTP) and the web page(s) access the backend databases via the code in the web pages. Users generally never access the backend resources directly.



                    • #11
                      Re: MSSQL attack

                      Yes, website users are not allowed to access the database. It is accessed directly via code. But the website owners who create and maintain their own DB on our DB server [web server] require access to the server using Management Studio.
                      Mohan Mathew[VU3MMU]
                      MCITP [AD]



                      • #12
                        Re: MSSQL attack

                        Folks,

                        I found a workaround. I created a script to catch the IPs and insert them into IPSec. I'm using VBScript for this purpose. But I'm not sure how to pass those IPs to the netsh ipsec command! If I make those IPs environment variables, will it work?

                        Moderators, should this be in the scripting section?
                        Last edited by mohanmathew; 4th September 2009, 05:45.
                        Mohan Mathew[VU3MMU]
                        MCITP [AD]



                        • #13
                          Re: MSSQL attack

                          Done!

                          I have modified the script to add IPs to IPSec. Formatting it now; will post it here once it is completed.
                          Mohan Mathew[VU3MMU]
                          MCITP [AD]



                          • #14
                            Re: MSSQL attack

                            Still, though, I have to concur with Joeqwerty and Landy.
                            A web server placed in a DMZ should only run IIS, Apache or other web server software. Nothing else.

                            The SQL servers and DCs shouldn't be located on the same server but in a backend environment.

                            Also, I don't know what firewall you have in front, but you should really only allow port 80 and/or 443 to the web server IP address.
                            Marcel
                            Technical Consultant
                            Netherlands
                            http://www.phetios.com
                            http://blog.nessus.nl

                            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                            "No matter how secure, there is always the human factor."

                            "Enjoy life today, tomorrow may never come."
                            "If you're going through hell, keep going. ~Winston Churchill"



                            • #15
                              Re: MSSQL attack

                              Marcel,

                              It is a shared web server, not a corporate one. I can understand the possibility of vulnerability that can happen. The filtered ports on the server are 80/443/webcontrolpanel/mssql. The DC uses some kind of hardware firewall; I'm not very sure about the make and so on. Whatever it is, attacks are happening from several IPs. I'm using IPSec instead of the firewall and am much impressed with its performance as well. The script I developed now catches all the IPs that are trying to penetrate through the MSSQL port at very frequent intervals and adds them to the IPSec filter rule. I'm still closely watching the server and the services.
                              Mohan Mathew[VU3MMU]
                              MCITP [AD]
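The script described in #12 and #15 (catch the IPs behind repeated failed MSSQL logins, then feed them to an IPSec filter) is never posted in the thread. The block below is an added example, not the poster's VBScript: it implements the detection half in Python over constructed SQL Server ERRORLOG lines modelled on the "Login failed for user ... [CLIENT: x.x.x.x]" message. The threshold (5 failures) and window (1 minute) are assumptions; the resulting IP list is what would be handed to the IPSec filter or firewall rule the admin already maintains. The netsh invocation itself is left to that existing script.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Login failed for user" line SQL Server writes to ERRORLOG.
# Only the timestamp, the Logon source column and the [CLIENT: ip] suffix
# are relied on; the reason text in between is ignored.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[0-9.]+)\]\s*$"
)

# Constructed sample (documentation IP ranges): one IP hammering 'sa',
# one web app with a few typos, one slow attacker spread over minutes.
SAMPLE_LOG = """\
2009-08-26 10:00:00.11 Logon       Error: 18456, Severity: 14, State: 8.
2009-08-26 10:00:00.11 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:05.32 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:11.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:17.02 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:22.55 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:28.90 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-08-26 10:00:40.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.20]
2009-08-26 10:00:41.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.20]
2009-08-26 10:00:43.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.20]
2009-08-26 10:02:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.8]
2009-08-26 10:04:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.8]
2009-08-26 10:06:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.8]
2009-08-26 10:08:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.8]
2009-08-26 10:10:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.8]
"""


def parse_failed_logins(log_text):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                   m.group("user"), m.group("ip"))


def offending_ips(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_failures_in_window} for every client IP that reaches
    `threshold` failures inside any sliding window of length `window`.

    Lines are assumed to be in log order. A per-IP deque holds only the
    timestamps still inside the window, so a slow attacker (or a legitimate
    user who mistypes a password now and then) is not blocked just for
    accumulating failures over a long period.
    """
    recent = defaultdict(deque)
    hits = {}
    for ts, _user, ip in parse_failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits


if __name__ == "__main__":
    # With the assumed defaults only 203.0.113.7 crosses the line.
    for ip, count in sorted(offending_ips(SAMPLE_LOG).items()):
        print(f"block candidate {ip}: {count} failures within 1 minute")
```

Running the block prints one candidate, 203.0.113.7, because 198.51.100.20 stops at three failures and 203.0.113.8 never has more than one failure inside any one-minute window; widening the window to ten minutes (`offending_ips(SAMPLE_LOG, threshold=2, window=timedelta(minutes=10))`) would catch the slow attacker too, at the cost of more false positives. As the earlier replies in the thread point out, a block list like this only limits the noise; it does not remove the underlying exposure of port 1433 to the Internet.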
