

MSSQL Server Attacks




Posted by sharepoint-hosting, 10-11-2009, 01:05 PM
I can see a lot of MSSQL Server attacks. In Event Viewer: "Login failed for user 'sa'. [CLIENT: Some IP]". Most of the attacks are coming from China. Typically what I'm doing manually is getting that entire IP range and blocking it at the Windows Firewall level. Now I have plenty of blocked IP ranges all over the world. What would be the best way to avoid these kinds of attacks?

Posted by TH-Guy, 10-11-2009, 01:09 PM
Everyone has this problem... whether it's Apache being attacked, MySQL or in your case MSSQL. You need to find some form of protection, whether it be network DDoS protection, hardware firewall protection or software DoS/DDoS protection. If you block IP ranges all over the world you are undoubtedly going to have issues with real, non-malicious connections to your MSSQL. Protection is vital so that these attacks are controlled automatically and minimize the amount of valid (non-malicious) connections that are blocked.

Posted by khunj, 10-11-2009, 01:56 PM
Why is your SQL port open to the whole world? Can't you simply limit its access at the firewall level (only to localhost + remote server(s), if any)?

Posted by sharepoint-hosting, 10-11-2009, 02:19 PM
There are customers who need remote access to the server.

Posted by kper05, 10-11-2009, 02:41 PM
Might want to consider a VPN solution for them. You will be bombarded by these incorrect logins and the standard SQL injection attack I keep seeing on our IPS.

Posted by plumsauce, 10-12-2009, 02:38 AM
You absolutely need to use VPN or SSH port forwarding. The other way is to flip your firewall rules. Default deny. Open only where the source is acceptable. Or, only allow connections based upon certificates. Look in Books Online. The other two are much better though. You can also disable remote connections for SA.

Posted by sharepoint-hosting, 10-22-2009, 01:42 PM
Thanks for the support
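
Added example, not part of the original thread: one way to turn the "Login failed for user 'sa'. [CLIENT: ...]" messages from the first post into an automatic per-address block list while never flagging known customer ranges, instead of blocking whole IP ranges by hand. The timestamp prefix, the threshold and window values, the customer range and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Message text is the one quoted in the thread; the timestamp prefix is an assumed log layout.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*"
                     r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")

def parse(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        ip = ip_address(m["ip"].strip())
    except ValueError:  # non-IP client such as "<local machine>"
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], ip

def find_offenders(lines, allowlist=(), threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak failures inside any `window`, for IPs reaching `threshold`."""
    nets = [ip_network(n) for n in allowlist]
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, _user, ip = rec
        if not any(ip in n for n in nets):  # known customer ranges are never flagged
            by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[str(ip)] = peak
    return offenders

# Constructed sample lines (documentation address ranges), not taken from the thread.
FMT = "2009-10-11 13:{:02d}:{:02d} Logon Login failed for user 'sa'. [CLIENT: {}]"
SAMPLE = ([FMT.format(5, s, "203.0.113.7") for s in range(0, 12, 2)]      # fast burst
          + [FMT.format(m, 0, "198.51.100.20") for m in range(0, 60, 12)]  # slow, spread out
          + [FMT.format(7, s, "192.0.2.10") for s in range(6)]             # allowlisted customer
          + [FMT.format(9, 0, "<local machine>")])

if __name__ == "__main__":
    print(find_offenders(SAMPLE, allowlist=["192.0.2.0/24"]))
```

The returned addresses are candidates for individual firewall deny rules; the source that fails five times spread over an hour stays below the threshold, which is the kind of customer typo that blanket range blocks would also have cut off.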


