Wednesday, 10 December 2008
How to stop multiple login attempts against your SQL Server and other port-specific server applications
I'm glad to be a contributor here on blogacause. My cause is simple: to provide ColdFusion programmers a source of tips, tricks and hints that I've discovered over the years while coding CF. I've been programming ColdFusion since it was Allaire, and I consider it one of the finest application development platforms available for the World Wide Web. I also believe that its complementary applications, Flash and Photoshop, single-handedly changed the face of the web more than any other forces to impact the web.
So for my first entry I would like to help those of you who use MS SQL Server as your backend database. Ever notice the log files in SQL Server? Ever notice how they seem to have thousands of entries where a user called "sa" is trying to log in to a database? Oh wait, you didn't set that user as the owner of that particular database. A little cursory inspection further reveals that the IP which is making all of these thousands of requests is located in some Asian country that you probably cannot pronounce.
Well, good news for you. The following is the instruction set necessary to implement an IPSEC policy to block "all" those pesky data-grabbing IPs.
INSTRUCTIONS FOR ADDING AN IPSEC POLICY FOR BLOCKING IPs
Open the IP Security Policy MMC Snap-In
Start > Run > secpol.msc
- Right-click on the "IP Security Policies on Local Computer" icon > Create IP Security Policy
- Name it something descriptive, e.g.: "Block x.x.x.x from SQL" <Next>
  - Note: I used x.x.x.x to indicate all IPs
- Uncheck "Activate default response rule" <Next>
- Leave "Edit properties" checked <Finish>
- Click Add <Next>
- This rule does not specify a tunnel <Next>
- All network connections <Next>
- Click Add
  - NOTE: What you are specifying here is a range of IPs and ports to be included in this policy
- Name it something descriptive, e.g.: "All IPs, port 21" or "1.2.x.x, port 1433"
- Click Add <Next>
- Don't need to enter a description; keep the "mirrored" checkbox checked <Next>
- Source > depends on what you are trying to do
  - Most of the time you will block a specific IP address, or ALL
  - YOU WANT TO BLOCK ALL
- Destination
  - Most of the time this will just be "My IP address"; select this.
- Protocol
  - I selected TCP
- IP Protocol port
  - I selected "From any port"
  - Specify the "TO" port for the service
  - e.g.: 1433 for SQL, 21 for FTP, 25 for SMTP, etc.
- When complete, choose the new filter list you just created <Next>
Filter Action screen
There are 3 filters in place by default; you will need to add a new filter for "Blocking" traffic:
- Click Add <Next>
- Name the filter action something descriptive, i.e.: "Block traffic" <Next>
- Choose "Block" <Next>
- Finish
- Choose the filter action you have just created <Next>
- Uncheck "Edit Properties" <Finish>
- Click OK
Right-click on the policy you have just created, then choose "Assign"
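The same policy can be scripted with `netsh ipsec static`, which writes to the local policy store that the snap-in edits. This is an added example, not part of the original post; the object names (chosen without spaces to keep quoting simple), the `$port` variable and the `Invoke-IpsecStatic` helper are assumptions made here.

```powershell
# Added example: scripted equivalent of the snap-in steps above.
# Run from an elevated PowerShell prompt. All names below are chosen for this example.
$port       = 1433                     # the "TO" port: 1433 for SQL, 21 for FTP, 25 for SMTP
$policy     = "BlockAllToPort$port"
$filterList = "AllIPsPort$port"
$action     = "BlockTraffic"
$rule       = "BlockRule$port"

function Invoke-IpsecStatic {
    # Hypothetical helper: run one "netsh ipsec static" command, stop on the first failure.
    param([string[]]$Arguments)
    & netsh ipsec static @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($Arguments -join ' ') failed"
    }
}

# Create the policy with "Activate default response rule" unchecked.
Invoke-IpsecStatic @('add', 'policy', "name=$policy", 'activatedefaultrule=no')

# Filter list: source = any, destination = "My IP address", TCP,
# from any port (srcport=0) to $port, mirrored.
Invoke-IpsecStatic @('add', 'filterlist', "name=$filterList")
Invoke-IpsecStatic @('add', 'filter', "filterlist=$filterList",
                     'srcaddr=any', 'dstaddr=me', 'protocol=TCP',
                     'srcport=0', "dstport=$port", 'mirrored=yes')

# Filter action that blocks the matched traffic.
Invoke-IpsecStatic @('add', 'filteraction', "name=$action", 'action=block')

# Rule tying the filter list to the block action, for all network connections.
Invoke-IpsecStatic @('add', 'rule', "name=$rule", "policy=$policy",
                     "filterlist=$filterList", "filteraction=$action",
                     'conntype=all')

# Equivalent of right-click > Assign.
Invoke-IpsecStatic @('set', 'policy', "name=$policy", 'assign=y')

# Check: list the policy with its rule, filter and filter action.
Invoke-IpsecStatic @('show', 'policy', "name=$policy", 'level=verbose')
```

With `srcaddr=any` the filter also drops connections from your own remote clients to that port; to block a single host instead, put its address in `srcaddr`, as the Source step allows.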
Hope this helps....