There's an acronym missing that could help you here - "ISA".
Why are you publishing your SQL to the Internet?

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

________________________________

From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx]
Sent: Tuesday, September 06, 2005 12:13
To: [ISAserver.org Discussion List]
Subject: [isalist] SQL Server attack

The short version of the story is that an external attacker is attempting to log on to the instance of SQL Server that runs on my SBS2000 server more than once per second using brute force to try to guess the password for the sa or admin accounts. These fail because SQL is set only to use integrated security but the attempt fills up the Security log to the point that the server shuts down when the NT Security log overflows.

I need help in blocking any external access to SQL Server.

Here are the details:

Platform: W2K sp4 with all MS updates and patches running SBS2000 with all updates and patches. Runs well with rarely a problem other than the one mentioned. SBS is configured to run in integrated mode. Server has an internal NIC for the LAN and an external one pointing to my ISP. Clients are Firewall Clients but client IE is configured to use Web Proxy. No problems with client access to the Internet. Clients are all XP Pro using the SBS Server as the DHCP server. No known DNS problems, internally or externally.

Components: SQL Server 2000, ISA Server 2000, IIS. Exchange, Outlook and shared fax are NOT installed.

The exact notice that appears in the server Security log is as follows:

Event Type: Information
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 17055
Date: 9/6/2005
Time: 7:03:11 AM
User: N/A
Computer: PCC1
Description: 18456 : Login failed for user 'sa'.
Data:
0000: 18 48 00 00 00 00 00 00   .H......
0008: 05 00 00 00 50 00 43 00   ....P.C.
0010: 43 00 31 00 00 00 07 00   C.1.....
0018: 00 00 6d 00 61 00 73 00   ..m.a.s.
0020: 74 00 65 00 72 00 00 00   t.e.r...

Event Type: Information
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 17055
Date: 9/6/2005
Time: 7:03:11 AM
User: N/A
Computer: PCC1
Description: 18456 : Login failed for user 'sql'.
Data:
0000: 18 48 00 00 00 00 00 00   .H......
0008: 05 00 00 00 50 00 43 00   ....P.C.
0010: 43 00 31 00 00 00 07 00   C.1.....
0018: 00 00 6d 00 61 00 73 00   ..m.a.s.
0020: 74 00 65 00 72 00 00 00   t.e.r...

I note that SQL Server is configured to listen to the two external IP addresses bound to the external NIC. I am going to see if the SQL Server Admin program will allow me to change this to listen only to internal addresses. If this can be done it should solve the problem. But does anyone have a better idea based on ISA.
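
To measure the failure rate described in the message from a text export of the log, here is an added example that is not part of the original thread. It assumes the export uses the field layout quoted above (line-broken or run together); `failed_logins` and `summarize` are hypothetical names, and the sample entries are constructed.

```python
import re
from collections import Counter
from datetime import datetime

def _entry(time, user):
    # Constructed entry in the same field order as the events quoted in the message.
    return ("Event Type: Information Event Source: MSSQLSERVER Event Category: (4) "
            f"Event ID: 17055 Date: 9/6/2005 Time: {time} User: N/A Computer: PCC1 "
            f"Description: 18456 : Login failed for user '{user}'. ")

# Constructed sample, not real log data.
SAMPLE = "".join(_entry(t, u) for t, u in [
    ("7:03:11 AM", "sa"), ("7:03:11 AM", "sql"),
    ("7:03:12 AM", "sa"), ("7:03:12 AM", "admin"), ("7:03:12 AM", "sa"),
])

# Matches one record: event 17055 carrying SQL error 18456 (login failed).
FIELDS = re.compile(
    r"Event ID:\s*17055\b.*?Date:\s*(\S+)\s+Time:\s*(\d+:\d+:\d+ [AP]M)"
    r".*?18456\s*:\s*Login failed for user '([^']*)'", re.S)

def failed_logins(text):
    """Return [(timestamp, login_name)] for every failed-login record in text."""
    events = []
    # Split before each "Event Type:" so a match can never span two records.
    for record in re.split(r"(?=Event Type:)", text):
        m = FIELDS.search(record)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}",
                                     "%m/%d/%Y %I:%M:%S %p")
            events.append((when, m.group(3)))
    return events

def summarize(events, per_second_threshold=1):
    """Count failures per login name and list seconds exceeding the threshold."""
    by_user = Counter(user for _, user in events)
    by_second = Counter(when for when, _ in events)
    bursts = sorted(t for t, n in by_second.items() if n > per_second_threshold)
    return by_user, bursts

if __name__ == "__main__":
    users, bursts = summarize(failed_logins(SAMPLE))
    print(dict(users))
    print([b.isoformat() for b in bursts])
```
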