| Author |
Topic |
|
chilluk
Starting Member
24 Posts |
Posted - 2007-10-04 : 13:29:31
|
| I have SQL 2005 Express on a hosted webserver - the server is behind a provided firewall with port 1433 closed. In my event log I am getting hundreds of these: Login failed for user 'sa'. [CLIENT: 213.247.51.248] Event ID 18456. They come thick and fast from the same IP. When I look in SQL Error Logs it's State 8 which seems to be invalid password - so it looks like someone probing the server to me. I can see a way in the firewall to block certain IPs. Anyone know a way I can lock down the SQL, or the server (Packet Filtering?) to stop this? The server is hosted by 1&1 who aren't that hot with support on stuff like this. Any help greatly appreciated!! |
|
|
Haywood
Posting Yak Master
221 Posts |
Posted - 2007-10-04 : 13:56:08
|
| If the firewall is closed on 1433, someone's probably already inside the network... Hope you have a good sa password (or the provider set one) and if you have any Dynamic SQL in your code, that it's validated properly before executing. Edit: Get a backup offsite quickly! |
 |
|
|
chilluk
Starting Member
24 Posts |
Posted - 2007-10-04 : 14:26:05
|
| Well 1433 was open but I shut it after I saw the events - my predecessor left it open for some reason. sa password is strong - I have disallowed access by sa in any case - it's mixed mode authentication so I can get in via local admin account. Have run a virus scan - nothing shows. I'm not sure if I think they are in - if they were why all the attempts - could a remote script be trying to connect through normal http ports? Any other advice for stopping this? |
 |
|
|
jsmith8858
Dr. Cross Join
7423 Posts |
Posted - 2007-10-04 : 14:28:12
|
quote: Well 1433 was open but I shut it after I saw the events - my predecessor left it open for some reason
So, after you shut down the port, are the events still occurring? If not, you should be all set. - Jeff http://weblogs.sqlteam.com/JeffS |
 |
|
|
chilluk
Starting Member
24 Posts |
Posted - 2007-10-04 : 14:34:01
|
| Yes they are - when I checked from within the server using a port prober it said 1433 was closed. Errors now State 7 which is incorrect password and user disabled - because I disabled sa login I guess. |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2007-10-04 : 14:36:08
|
| Are you using port 1433 for your SQL Server? If so, then that's a security problem. Any SQL Server that is external facing needs to use a custom port that is greater than 10000. And don't post your port here as that would be a security problem too. Just let us know if you are using 1433 or one higher than 10000. Tara Kizer, Microsoft MVP for Windows Server System - SQL Server, http://weblogs.sqlteam.com/tarad/ |
 |
|
|
chilluk
Starting Member
24 Posts |
Posted - 2007-10-04 : 14:40:39
|
| It's using 1433 - can I config to use dynamic or should I pick a number? |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2007-10-04 : 14:45:22
|
| You should pick a number so that your applications can specify that in the connection string (or in an alias). I don't like relying on a client figuring out which dynamic port SQL is using, especially in our environment. Tara Kizer, Microsoft MVP for Windows Server System - SQL Server, http://weblogs.sqlteam.com/tarad/ |
 |
|
|
chilluk
Starting Member
24 Posts |
Posted - 2007-10-04 : 14:48:55
|
| Cheers guys - it's stopped for the moment anyway. |
 |
|
|
Kristen
Test
22859 Posts |
Posted - 2007-10-05 : 10:56:12
|
| Don't forget to change the applications to use your newly assigned, > 10,000, port number. Kristen |
 |
|
|
|
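
Added example, not part of the original thread: a small Python script that tallies the 18456 login failures discussed above per client IP, user and State, so the noisy sources can be fed into the firewall block list. It assumes the two-line ERRORLOG layout (an `Error: 18456 ... State: N` line followed by the `Login failed` line); the sample log lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# State meanings as described in the thread above.
STATE_MEANING = {7: "login disabled and password mismatch", 8: "password mismatch"}

ERROR_RE = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)")
LOGIN_RE = re.compile(r"Login failed for user '([^']*)'\..*?\[CLIENT: ([^\]]+)\]")

# Constructed sample lines (documentation-range IPs), not taken from a real server.
SAMPLE_LOG = """\
2007-10-04 13:29:31.10 Logon       Error: 18456, Severity: 14, State: 8.
2007-10-04 13:29:31.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.10]
2007-10-04 13:29:31.40 Logon       Error: 18456, Severity: 14, State: 8.
2007-10-04 13:29:31.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.10]
2007-10-04 13:29:31.70 Logon       Error: 18456, Severity: 14, State: 8.
2007-10-04 13:29:31.70 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.10]
2007-10-04 13:29:32.00 spid5s      Starting up database 'tempdb'.
2007-10-04 13:30:05.20 Logon       Error: 18456, Severity: 14, State: 8.
2007-10-04 13:30:05.20 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.7]
2007-10-04 14:34:01.90 Logon       Error: 18456, Severity: 14, State: 7.
2007-10-04 14:34:01.90 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.10]
"""

def parse_failed_logins(lines):
    """Pair each 'Error: 18456' line with the 'Login failed' line that follows it."""
    state = None
    for line in lines:
        err = ERROR_RE.search(line)
        if err:
            state = int(err.group(1))
            continue
        login = LOGIN_RE.search(line)
        if login:
            yield state, login.group(1), login.group(2).strip()
        state = None  # any other line breaks the pairing

def summarize(lines, threshold=3):
    """Return {client_ip: Counter({(user, state): count})} for clients at or over threshold."""
    per_client = defaultdict(Counter)
    for state, user, client in parse_failed_logins(lines):
        per_client[client][(user, state)] += 1
    return {ip: c for ip, c in per_client.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, "-", sum(counts.values()), "failed logins")
        for (user, state), n in counts.items():
            print(f"  user={user!r} state={state} ({STATE_MEANING.get(state, 'other')}) x{n}")
```

A single mistyped password from a legitimate client stays under the threshold, while a source that keeps hammering `sa` is reported with the State breakdown.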