Port 1433 is open to internet, how can I secure db?
|
|
| pigeon 2005-06-23, 1:23 pm |
| Hello, in our application, we have to have our DB accessible over the
internet :/ and a VPN for each of the thousands of users isn’t
possible...
My questions are:
-How can I secure this?
-What would be a good IDS system that would autoblock IPs that are
trying to brute-force login (Since we are using SSL to encrypt our
traffic, this throws a wrench in all IDS systems I know)
-I have found some .sql scripts that help secure my db.. Since I will
be working with a lot of DB servers.. what are some more .sql scripts
that would help me secure my DBs?
thanks for any help!
Lee
--
Posted using the http://www.dbforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbforumz.com/Security-Po...pict234899.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbforumz.com/eform.php?p=814647
| |
| John Bell 2005-06-25, 8:23 pm |
| Hi
You should look at changing the port you are using and run the Baseline
Security Advisor. You should also look at using an intermediary broker
instead of direct connections or re-architecting the solution.
John
"pigeon" <UseLinkToEmail@dbForumz.com> wrote in message
news:4_814647_4ec32f3a49b9f726524b1eb5dcabe63b@dbforumz.com...
> Hello, in our application, we have to have our DB accessible over the
> internet :/ and a VPN for each of the thousands of users isn't
> possible...
>
> My questions are:
>
> -How can I secure this?
> -What would be a good IDS system that would autoblock IPs that are
> trying to brute-force login (Since we are using SSL to encrypt our
> traffic, this throws a wrench in all IDS systems I know)
> -I have found some .sql scripts that help secure my db.. Since I will
> be working with a lot of DB servers.. what are some more .sql scripts
> that would help me secure my DBs?
>
>
> thanks for any help!
> Lee
| |
| pigeon 2005-06-26, 8:23 pm |
| "John Bell" wrote:
>Hi
>
>You should look at changing the port you are using and run the
>Baseline Security Advisor. You should also look at using an intermediary
>broker instead of direct connections or re-architecting the solution.
>
>John
>
>"pigeon" <UseLinkToEmail@dbForumz.com> wrote in message
>news:4_814647_4ec32f3a49b9f726524b1eb5dcabe63b@dbforumz.com...
Great suggestions!
I will definitely change port numbers.. and MBSA is installing now.
I am confused on this though:
"You should also look at using an intermediary broker
instead of direct connections or re-architecting the solution. "
what do you mean by this?
I have never heard of this before
thanks!
Lee
| |
| John Bell 2005-06-27, 3:23 am |
| Hi
Introducing some form of middle tier so you are not exposing the
database directly to the outside world, would make your application
significantly more secure and you will be able to control and monitor
it a lot better.
John
pigeon wrote:
> "John Bell" wrote:
>
> Great suggestions!
>
> I will definitely change port numbers.. and MBSA is installing now.
>
> I am confused on this though:
>
> "You should also look at using an intermediary broker
> instead of direct connections or re-architecting the solution. "
>
> what do you mean by this?
>
> I have never heard of this before
>
>
> thanks!
> Lee
| |
| Hoof Hearted 2005-06-28, 7:23 am |
| Pardon me for jumping in...
I administer a few networks, all with Sql Server exposed to the outside
world on port 1433. I have never had any problems. If strong passwords are
in place, isn't sql server secure?
| |
| pigeon 2005-06-28, 8:23 pm |
| "Hoof Hearted" wrote:
> Pardon me for jumping in...
>
> I administer a few networks, all with Sql Server exposed to the outside
> world on port 1433. I have never had any problems. If strong passwords are
> in place, isn't sql server secure?
Good question...
Also, wouldn’t changing the port to something else.. add another layer
of security?
Because my logs are always full of people trying to log in to
SA/power... and with worms targeting 1433.. I am a little scared of
opening my db up to the outside..
| |
| Brian Kelley 2005-07-01, 3:23 am |
|
"pigeon" wrote:
> -What would be a good IDS system that would autoblock IPs that are
> trying to brute-force login (Since we are using SSL to encrypt our
> traffic, this throws a wrench in all IDS systems I know)
Snort can run in IPS mode (Snort Inline) and is open source. There are also
commercial solutions like Cisco's which will be able to autoblock based on
rules you set up for # of alerts, etc.
| |
| pigeon 2005-07-02, 3:23 am |
| "Brian Kelley" wrote:
>"pigeon" wrote:
>
>Snort can run in IPS mode (Snort Inline) and is open source. There are also
>commercial solutions like Cisco’s which will be able to autoblock based on
>rules you set up for # of alerts, etc.
Thanks for the suggestion.
I think I will set this up for my Linux servers.
But for my win2k3 db servers:
My issues are:
1) All traffic will be encrypted.. Is there a way to still sniff this
(If I give the IDS program my certificate)
2) I need to do realtime autoblocking in Windows.
| |
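Added example, not part of any post in this thread: the encrypted-traffic problem raised above can be sidestepped by detecting brute-force attempts on the host, from the failed-login entries SQL Server itself records after the connection is decrypted. The sketch below applies a sliding-window threshold per client address; the log line format (SQL Server 2005 or later with failed-login auditing enabled), the function names, the thresholds and the sample lines are all assumptions constructed for illustration, and acting on the result (for example, adding a firewall rule) is left to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login line in the SQL Server error log (assumed format: SQL Server
# 2005 or later with failed-login auditing on, which records the client IP).
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), allow=()):
    """Map each client IP that reaches `threshold` failures within `window`
    to (time the threshold was first reached, sorted logins it tried)."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    tried = defaultdict(set)     # ip -> login names attempted
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in allow:
            continue  # not a failed login, or an address we never block
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        tried[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, ts)
    return {ip: (ts, sorted(tried[ip])) for ip, ts in flagged.items()}

def sample_log():
    """Constructed sample: one client hammering 'sa'/'power', one user typo."""
    lines = []
    for i in range(6):
        stamp = f"2005-06-28 20:14:{i * 5:02d}.12 Logon       "
        user = "sa" if i % 2 == 0 else "power"
        lines.append(stamp + "Error: 18456, Severity: 14, State: 8.")
        lines.append(stamp + f"Login failed for user '{user}'. [CLIENT: 203.0.113.7]")
    lines.append("2005-06-28 20:15:00.40 Logon       Login failed for user 'lee'. [CLIENT: 198.51.100.20]")
    lines.append("2005-06-28 20:40:00.40 Logon       Login failed for user 'lee'. [CLIENT: 198.51.100.20]")
    return lines

if __name__ == "__main__":
    for ip, (when, names) in find_bruteforce(sample_log()).items():
        print(f"block candidate {ip} at {when} (logins tried: {', '.join(names)})")
```

The `allow` parameter exists so that known application or administrator addresses are never returned as block candidates, which matters once the output feeds an automatic block list.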
| John Bell 2005-07-03, 7:23 am |
| Hi
Security is not only what is in-built into the product, your whole
organisation needs to be taken into account when considering how secure your
systems are. Although IDS systems and strong passwords may stop or hold off
recognised brute force attacks, they will not guard against social
engineering, mis-configuration or unknown security issues. This not only
applies to SQL Server, but the OS and other software that is running on your
exposed server.
In this country you can buy a wall safe that looks like an electrical
socket. That does not stop a burglar kicking in all the electrical sockets
in the house. But if you put that safe on your outside wall, how long before
it was kicked in?
John
"Hoof Hearted" <HoofHearted@discussions.microsoft.com> wrote in message
news:3EF88705-53A2-43D9-8B58-5E375DDF7804@microsoft.com...
> Pardon me for jumping in...
>
> I administer a few networks, all with Sql Server exposed to the outside
> world on port 1433. I have never had any problems. If strong passwords are
> in place, isn't sql server secure?
>