Re: SQL Server attack

  • From: Dogers <dogers@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 6 Sep 2005 20:30:57 +0100

Well, the first thing you need to do is block ports 1433 and 1434 in
ISA.. The second thing you should do is find out who opened them in
the first place!

I've not used the SQL Server network util in a while.. Can't remember
if you can tell it to not listen on the external IPs there. Give that
a check too!

Andrew

On 06/09/05, Peter W. Merner <pmerner@xxxxxxxxxxxxx> wrote:

> The short version of the story is that an external attacker is attempting to
> log on to the instance of SQL Server that runs on my SBS2000 server more
> than once per second using brute force to try to guess the password for the
> sa or admin accounts. These fail because SQL is set only to use integrated
> security but the attempt fills up the Security log to the point that the
> server shuts down when the NT Security log overflows. I need help in
> blocking any external access to SQL Server. Here are the details: 

> I note that SQL Server is configured to listen to the two external IP
> addresses bound to the external NIC. I am going to see if the SQL Server
> Admin program will allow me to change this to listen only to internal
> addresses. If this can be done it should solve the problem. But does anyone
> have a better idea based on ISA?
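
Added example, not part of the original thread: one way to confirm which addresses SQL Server is listening on, before and after changing the bindings or the ISA rules, is to check `netstat -an` output for TCP 1433 and UDP 1434 bound to anything other than loopback or the internal network. The function name, the internal network range and the sample output below are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the thread: SQL Server TCP 1433 and UDP 1434.
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

def exposed_sql_listeners(netstat_text, internal_nets):
    """Return (proto, address, port, reason) for SQL listeners bound to a
    wildcard or non-internal address in Windows `netstat -an` output."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only listeners matter here.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SQL_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # unparseable address, skip the row
        if addr.is_unspecified:
            reason = "wildcard"   # 0.0.0.0 or :: covers every NIC
        elif addr.is_loopback or any(addr in n for n in nets):
            continue              # loopback or internal binding is expected
        else:
            reason = "external"
        findings.append((proto, str(addr), int(port), reason))
    return findings

# Constructed sample output (documentation address ranges), not real data.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.16.2:1433      0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1433      0.0.0.0:0              LISTENING
  TCP    203.0.113.11:1433      0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1433      198.51.100.7:4312      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

if __name__ == "__main__":
    for finding in exposed_sql_listeners(SAMPLE, ["192.168.16.0/24"]):
        print(finding)
```

An empty result after the change means SQL Server is no longer bound to the external NIC; the firewall rule is still worth keeping as a second layer.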

