SQL Server 2012 - SA account probe
Problem
On one of my servers (Win 2012 R2), SQL Server 2012 is constantly under attack with the SA account being hit like 10 times per second with different passwords. I don't have an SA account but still I would like to stop this probing as it's probably consuming resources. I keep checking the logs and blocking the offending IPs at firewall level manually, still I would like a better solution. SQL Server runs locally with IIS to serve its websites, I only need to connect to SQL Server remotely for database development with SSMS, so at first I thought of setting up a VPN, but I'm not sure if this is going to play well with SSMS and other services like FTP. As an interim solution, where can I stop SQL Server from being visible to the outside world: at the firewall by disabling port 1433, or elsewhere? I can then enable/disable this when developing and perhaps just for my IP. Thanks.
Solution
So the IIS on this server is intended to be externally accessible from your internal data network but the SQL Server instance on this same server is not meant to allow for external connections except for only through the web interfaces of your applications, correct?
If so, then is not adding an explicit rule in the Windows Firewall on this server to allow only the private IP address ranges to connect via local network on SQL Server ports not acceptable? I assume you trust your internal IP addresses on this port and don't suspect those as the authentication attempts with malicious intent?
Allow the [localhost IP] IIS apps to authenticate to SQL (may need to check site bindings, etc. and/or set up internal DNS pointers too).
On your external side, you should only be allowing the port 80 or 443 to port forward/NAT to the IIS server on those ports only and not all ports to it I would think -- stop at corporate firewall too I guess and only allow the web app ports to go to that server from the external interface with your firewall appliance proxies, etc.
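One way to apply the Windows Firewall scoping described in the answer, as an added example that is not part of the original answer. It assumes a default instance listening on TCP 1433; the rule name and the developer address (a documentation-range placeholder) are hypothetical and must be replaced with your own values.

```powershell
# Added example. Run in an elevated PowerShell session on the SQL Server host.
# Assumptions: default instance on TCP 1433; rule name and $DevIp are placeholders.
$SqlPort  = '1433'
$RuleName = 'SQL Server 1433 (trusted sources only)'          # hypothetical name
$DevIp    = '203.0.113.25'                                    # placeholder, use your own address
$Trusted  = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', $DevIp)  # RFC 1918 + developer
$Apply    = $false                                            # $true = disable the broad rules

# The scoped allow rule only restricts access if unmatched inbound traffic is blocked.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction

# Create the scoped allow rule, or refresh its address list if it already exists.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Trusted
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $SqlPort -RemoteAddress $Trusted | Out-Null
}

# Find other enabled inbound allow rules that open 1433 to any remote address.
# Port ranges and program-based rules (sqlservr.exe) are not covered by this check.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        @($port.LocalPort) -contains $SqlPort -and
        @($addr.RemoteAddress) -contains 'Any'
    }

# Report the broad rules; disable them only when $Apply is set.
foreach ($rule in $broad) {
    Write-Output "Open to any source: $($rule.DisplayName)"
    if ($Apply) { $rule | Disable-NetFirewallRule }
}
```

With `$Apply` left at `$false` the script only reports the rules that expose 1433 to every source. The perimeter firewall or NAT device should still forward only ports 80 and 443 to this server, as the answer describes.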
Context
StackExchange Database Administrators Q#111347, answer score: 7