Sunday, February 19, 2012

Attempted Brute Force Attacks

It is not uncommon for me to review the event logs of our SQL Server and notice that someone is attempting to figure out the password for one of the SQL user accounts, especially the "sa" username. But lately our SQL Server has had to be rebooted so often that it is starting to become a nightly thing.

Last night the SQL Server was bombarded with failed connection attempts for 2 hours before it finally gave a blank BSOD. The SQL Server in question is in mixed mode and is a shared server. Strictly using Windows Authentication mode is not an option for us. The server has "beefy" hardware and has all updates and patches.

Sometimes, when I log on to the server and notice that an IP address is making such attacks on the server, I put up an IPSEC policy against that IP. But that is not a good solution, for reasons I don't think need to be outlined here.

So my question is, what can I do to better protect our SQL Server from these types of attacks? My view of these attacks is no different from a DDoS that eventually takes the server down.

I have already done TCP/IP Hardening but not sure what else to do.

Thank you all for your replies.
|||
That sounds like Blaster to me. First order of business, patch your server, preferably to sp3a.

Next, consider killing port 1434 (and maybe 1433) at your firewall. That means that your SQL Server won't be visible outside the firewall, so this might not be a viable solution.

-PatP
|||
1434 is NIC filtered as well as protected by IPSEC and the firewall.

1433 cannot be blocked because this is a public SQL Server used by many of our clients.

I already scanned the machine for Blaster and it is not affected. But thank you very much for your reply.
|||
Another solution might be to implement some form of challenge-response mechanism. For instance, if the access to the SQL Server is via a web page, have that web page (or one of its predecessors) enable the specific IP or MAC address for port 1433 for some arbitrary period of time. If the access is via a two-tier client, use an RPC to do the same thing. This will effectively cut off your SQL Server from all but pre-approved machines, and it is much less cumbersome for the user than using VPN to achieve similar results.

-PatP
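The original poster reviews the logs by hand and then adds an IPSEC policy per offending IP. The following is an added example, not code from the thread or from either participant, of automating the first half of that: it parses SQL Server ERRORLOG-style failed-login lines ("Login failed for user '...' [CLIENT: ip]") and flags any client address that reaches a threshold of failures inside a sliding time window, which separates a password run against "sa" from a client that mistypes a password now and then. The log lines, IP addresses, threshold and window are constructed for the example; the flagged list is what you would feed into whatever blocking mechanism you use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the poster's server). SQL Server logs a
# failed login as "Login failed for user '<name>'. ... [CLIENT: <ip>]" on a Logon line.
SAMPLE_ERRORLOG = """\
2012-02-18 23:14:02.11 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2012-02-18 23:14:02.48 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2012-02-18 23:14:03.02 Logon     Login failed for user 'admin'. [CLIENT: 203.0.113.45]
2012-02-18 23:14:03.55 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2012-02-18 23:14:04.10 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2012-02-18 23:14:05.00 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2012-02-18 23:20:11.30 Logon     Login failed for user 'reports'. [CLIENT: 198.51.100.7]
2012-02-18 23:31:00.90 Logon     Login failed for user 'reports'. [CLIENT: 198.51.100.7]
2012-02-18 23:31:05.12 spid51    Starting up database 'tempdb'.
"""

# Timestamp, the "Logon" source column, the account name and the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for each failed-login line, in file order."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_brute_forcers(text, threshold=5, window_seconds=60):
    """Flag each client IP that reaches `threshold` failed logins within `window_seconds`.

    Returns {ip: {"flagged_at": datetime, "failures": total_seen, "users": [names]}}.
    A per-IP deque keeps only the timestamps still inside the window, so the count
    reflects a burst rather than the total over the whole log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    totals = defaultdict(int)     # ip -> every failure seen from that ip
    users = defaultdict(set)      # ip -> account names it tried
    flagged = {}
    for ts, user, ip in parse_failed_logins(text):
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"flagged_at": ts}   # record the moment the burst crossed the line
    for ip, info in flagged.items():
        info["failures"] = totals[ip]
        info["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {info['failures']} failures, first flagged {info['flagged_at']}, "
              f"accounts tried: {', '.join(info['users'])}")
```

With the defaults, only 203.0.113.45 is flagged (five failures inside one minute, at 23:14:04); the two "reports" failures eleven minutes apart from 198.51.100.7 are not. Tune threshold and window to the normal failure rate of your own clients before turning the output into firewall rules, and key on the client address rather than the account name, since the account under attack ("sa") is shared by everyone.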
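PatP's second reply sketches a time-limited allow-list: a client first authenticates somewhere else (a web page or an RPC) and only then is its address opened on port 1433 for a while. The following is an added example, not PatP's code or anything from the thread, of the bookkeeping that idea needs: a lease table that opens the port when a lease is first granted, extends a lease on renewal without reopening, and closes the port once the lease lapses. The `open_port`/`close_port` actions are recorded in a list rather than applied to a real firewall (a hypothetical hook), the times and addresses are constructed, and the example keys on the source IP only.

```python
from datetime import datetime, timedelta


class PortLeaseTable:
    """Time-limited allow-list of client addresses for one protected port.

    Assumption: grant() is called only after the client has authenticated through
    another channel (for example the web application the clients already log in to).
    Hypothetical hook: firewall_log records ("open"/"close", ip, port) in the order a
    real deployment would add and remove the corresponding firewall rule.
    """

    def __init__(self, port=1433, default_ttl=timedelta(minutes=30)):
        self.port = port
        self.default_ttl = default_ttl
        self._expiry = {}         # ip -> datetime the lease ends
        self._open = set()        # ips whose firewall rule currently exists
        self.firewall_log = []

    def grant(self, ip, now, ttl=None):
        """Create or extend a lease for ip; the port is opened once, not per renewal."""
        expiry = now + (ttl or self.default_ttl)
        # A renewal may only lengthen a lease, never cut an existing one short.
        self._expiry[ip] = max(self._expiry.get(ip, expiry), expiry)
        if ip not in self._open:
            self._open.add(ip)
            self.firewall_log.append(("open", ip, self.port))
        return self._expiry[ip]

    def is_allowed(self, ip, now):
        """True while ip holds an unexpired lease."""
        expiry = self._expiry.get(ip)
        return expiry is not None and now < expiry

    def expire(self, now):
        """Run periodically: drop lapsed leases and close their port; returns revoked ips."""
        revoked = sorted(ip for ip, exp in self._expiry.items() if exp <= now)
        for ip in revoked:
            del self._expiry[ip]
            self._open.discard(ip)
            self.firewall_log.append(("close", ip, self.port))
        return revoked


def demo():
    """Walk one client through grant, renewal, use and expiry on a fixed clock (constructed times)."""
    t0 = datetime(2012, 2, 18, 22, 0, 0)
    table = PortLeaseTable(port=1433, default_ttl=timedelta(minutes=30))
    client, stranger = "203.0.113.45", "198.51.100.7"
    table.grant(client, now=t0)                              # web login succeeded
    renewed_until = table.grant(client, now=t0 + timedelta(minutes=10))   # logged in again
    return {
        "renewed_until": renewed_until,                       # t0 + 40 min
        "during": table.is_allowed(client, t0 + timedelta(minutes=35)),
        "stranger": table.is_allowed(stranger, t0 + timedelta(minutes=35)),
        "early_sweep": table.expire(t0 + timedelta(minutes=35)),   # nothing lapsed yet
        "late_sweep": table.expire(t0 + timedelta(minutes=41)),    # client's lease lapsed
        "after": table.is_allowed(client, t0 + timedelta(minutes=41)),
        "log": table.firewall_log,                            # one open, one close
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sweep in `expire()` is what keeps the port from staying open forever after a client disconnects, so it must run on a timer and not only on the next login. Because the lease is per source address, every client behind one NAT gateway shares a lease once any of them authenticates; that is still far narrower than a port open to the whole Internet, but it is the limit of what an address-based scheme can give.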
