SQL Server being hammered by failed login attempts

  • Ok, I have an elaborate firewall at my disposal at the ISP, also in between my server and the internet. I've never activated it, because all the ports I have enabled on the server I need access to from the internet. I'm not going to use the IP range blocking either, so I'm not sure what the firewall will offer. I'll have a chat with a network specialist friend of mine and see what he comes up with.

  • That sounds like a plan.

    CEWII

  • I'm not going to use the IP range blocking either, so I'm not sure what the firewall will offer.

    Now if you're saying that the firewall is not going to solve the whole problem, then I would agree. If you're saying you won't utilize IP blocking whatsoever even though you are currently under attack then you just sound stubborn. Or are you thinking that one of your clients may want to connect from the house of the kid trying to hack you?

    Realize that nothing is 100% secure. There are always vulnerabilities. Security is a matter of making it difficult to the point that the kids move on to other targets. IP blocking is part of that strategy, it's incredibly easy and it has no downside.

    └> bt



    Forum Etiquette: How to post data/code on a forum to get the best help

  • Now if you're saying that the firewall is not going to solve the whole problem, then I would agree. If you're saying you won't utilize IP blocking whatsoever even though you are currently under attack then you just sound stubborn. Or are you thinking that one of your clients may want to connect from the house of the kid trying to hack you?

    Realize that nothing is 100% secure. There are always vulnerabilities. Security is a matter of making it difficult to the point that the kids move on to other targets. IP blocking is part of that strategy, it's incredibly easy and it has no downside.

    😀 I have been called stubborn.

    What I'm saying is that IP blocking is useless for me, since my clients could connect from any IP range, world wide.

  • hein-1120388 (4/21/2010)


    Now if you're saying that the firewall is not going to solve the whole problem, then I would agree. If you're saying you won't utilize IP blocking whatsoever even though you are currently under attack then you just sound stubborn. Or are you thinking that one of your clients may want to connect from the house of the kid trying to hack you?

    Realize that nothing is 100% secure. There are always vulnerabilities. Security is a matter of making it difficult to the point that the kids move on to other targets. IP blocking is part of that strategy, it's incredibly easy and it has no downside.

    😀 I have been called stubborn.

    What I'm saying is that IP blocking is useless for me, since my clients could connect from any IP range, world wide.

    That may be true but you can still use IP blocking to kill a specific offender without killing your customers.

    CEWII

  • That may be true but you can still use IP blocking to kill a specific offender without killing your customers.

    The attacker's IP varies over time. I need less maintenance from my apps, not more :/

  • Here is a question for you, have any of your clients (customers) connected from any of those IP addresses that have attacked you??

  • hein-1120388 (4/20/2010)


    Thanks. Seems a glaring hole in functionality though :/

    I'll have to look at the firewall route for blocking the ranges, but then some clients connect from anywhere in the world !

    I disagree on the hole in functionality. It is open to the internet - people will attack it from the internet no matter what functionality you implement in the server product itself. That is why there are firewalls, routers, exclusion lists, routing tables and the like.

    The best solution, most secure, is to permit your clients to only access the server via vpn. You could also establish an IP tunnel (basically a vpn through the cloud) to their network.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • hein-1120388 (4/21/2010)


    It's not a hole in functionality. Generally your network architecture would provide the security layer that you require. Providing the same thing in SQL Server would be redundant, especially since a great deal of SQL Server implementations are never exposed externally.

    You might find simple network security features in other databases, like IP blocking, but they will never be as robust as a firewall or VPN. This is true for all databases. Databases provide security features, but they are not security tools.

    I beg to differ. Banning a failed login attempt from an IP for a while is something a firewall cannot do. It's definitely a security feature to protect itself. It's an elementary feature available in FTP servers, SSH servers and others since the 80s. There's such a focus on security in Microsoft, yet this simple measure would prevent the bulk of breaches.

    Actually there are many firewalls that can block certain users access. You can also block IP ranges.

    FTP is in no way a secure service - not even SFTP, dangerous protocol and frequently hacked.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • You understand there are two methods to IP blocking?

    1. Block everything and only specifically allow access by specific IP addresses.

    2. Leave everything open by default. Take a look at your logs and see millions of logon attempts from one IP address. Block the subnet of that address so he can't even try any more without additional effort on his part. Keep looking at the logs, chances are that he might try from another IP subnet. Keep blocking these subnets as that happens. There is about a 99% chance he'll give up within 10 iterations (probably many less) and then you're done with that particular kid forever. If you don't block him, nothing else you do will matter, he'll keep at your server because you've made it such an easy target.

    Again, IP blocking known hacking attempts is only part of the strategy, but you're crazy if you have a server exposed to the Internet and you don't do it.

    └> bt



    Forum Etiquette: How to post data/code on a forum to get the best help
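    As an added illustration of the two ideas argued over in this thread (hein's "ban a source that keeps failing logins for a while" and bteraberry's "read the logs, block the offending subnet"), here is a small Python script that is not from any poster in this thread. It assumes the standard format of the SQL Server error-log line written for error 18456 (`Login failed for user '...' ... [CLIENT: a.b.c.d]`), uses constructed sample log lines, and renders the resulting block as a standard Windows Firewall `netsh advfirewall` rule. The threshold, window and prefix values are assumptions to tune for your own traffic.

```python
"""Find source subnets behind bursts of failed SQL Server logins.

Reads SQL Server error-log lines, counts failed logins (error 18456) per
/prefix subnet inside a sliding time window, and emits a Windows Firewall
block rule for each subnet over the threshold. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample of an error log; only the "Login failed" lines carry the client IP.
SAMPLE_LOG = """\
2010-04-21 10:15:32.45 Logon       Error: 18456, Severity: 14, State: 8.
2010-04-21 10:15:32.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2010-04-21 10:15:33.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2010-04-21 10:15:33.80 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2010-04-21 10:15:34.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2010-04-21 10:15:35.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2010-04-21 10:16:01.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2010-04-21 10:20:12.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.200]
2010-04-21 10:20:13.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.200]
2010-04-21 10:31:05.12 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Error-log line for a failed login: timestamp, "Logon" source, message, client IP.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)


def parse_failed_logins(lines):
    """Yield (timestamp, login name, client IP) for each failed-login line."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")


def offending_subnets(lines, threshold=5, window=timedelta(minutes=10), prefix=24):
    """Return {subnet: total failures} for every /prefix subnet that produced
    at least `threshold` failed logins inside some span of length `window`.

    prefix=24 groups by /24 (bteraberry's subnet block); prefix=32 bans single
    addresses (hein's per-IP ban). `window` is the "for a while" part: only a
    burst within the window counts, a lone typo from a real client does not.
    """
    events = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(lines):
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        events[net].append(ts)

    flagged = {}
    for net, stamps in events.items():
        stamps.sort()
        start = 0                       # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[net] = len(stamps)
                break
    return flagged


def block_rule(subnet, name_prefix="Block-SQL-bruteforce"):
    """Windows Firewall (netsh advfirewall) rule that drops inbound traffic
    from `subnet`; the rule name is an assumption, pick your own convention."""
    return (f'netsh advfirewall firewall add rule name="{name_prefix} {subnet}" '
            f'dir=in action=block remoteip={subnet}')


if __name__ == "__main__":
    for net, count in offending_subnets(SAMPLE_LOG.splitlines()).items():
        print(f"# {count} failed logins from {net}")
        print(block_rule(net))
```

    Run against the sample, the script flags only 203.0.113.0/24 (eight failures, six of them inside a few seconds) and leaves the single failure from 198.51.100.7, the kind a paying customer produces by mistyping a password, alone. Lifting the block again after a cooling-off period, which is what makes hein's "for a while" different from a permanent blacklist, is a scheduled `netsh advfirewall firewall delete rule name="..."` that this script does not include.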

  • hein-1120388 (4/21/2010)


    That may be true but you can still use IP blocking to kill a specific offender without killing your customers.

    The attacker's IP varies over time. I need less maintenance from my apps, not more :/

    The subnet varies or just the specific IP address? If you don't know I would be glad to tell you if you give specific examples.

    └> bt



    Forum Etiquette: How to post data/code on a forum to get the best help

  • hein-1120388 (4/21/2010)


    Lynn Pettis (4/21/2010)


    Configuring a VPN client is only done once. Once configured, you simply start it and use it. One of our sysadmins even has his start automatically when he fires up his laptop so he doesn't have to even do that.

    I do agree, however, that you need to at least configure a firewall between the internet and your SQL Server.

    Perhaps I'm using the wrong type. With OpenVPN I need to generate a client certificate and get the user to install the adapter driver, load the parameters and modify the text file according to his setup. Then when he connects, he is unable to reach the internet unless there are some DNS changes too, which differ depending on the type of internet setup.

    Can you suggest a good, pay-for one? Except Hamachi. That just chows bandwidth 24/7.

    OpenVPN requires that a unique certificate be created for each client. But that only needs to be done once per certificate. This is something that you should be doing in conjunction with your clients.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • @jason: I'm just indicating that IP banning is an old, effective way to curb attacks. Sure some FTP and SFTP servers are flawed, but that's beside the point. Re. OpenVPN, my point is this is a complex task for my customers, who are general computer users and not familiar with loading certificates. Sure I can explain it to them, but I don't want to load another layer of doubt through complexity. I'm trying to encourage them to use the system.

    @bteraberry: I am aware of both ways of implementing IP blocking. The IPs vary wildly. I'm assuming it's more than one attacker. Trying to fend off kids one by one is not an occupation I'm keen on atm. Moving the port every few months and improving the sa password might be the best answer for me for now.

    @Lynn Pettis: Lol I hope not!!!

  • Perhaps you can build a web service for your app to use, that would make it more difficult for them to directly access your system and allow you to better protect your server.

    I don't think it is unreasonable for travelling users to be expected to use a VPN solution.

    So I guess the question I have is are your users generally small businesses or home users and do they generally have fairly static IP addresses and your real issue is travelling users, or what. What is your use case?

    CEWII

  • Elliott W (4/21/2010)


    Perhaps you can build a web service for your app to use, that would make it more difficult for them to directly access your system and allow you to better protect your server.

    I don't think it is unreasonable for travelling users to be expected to use a VPN solution.

    So I guess the question I have is are your users generally small businesses or home users and do they generally have fairly static IP addresses and your real issue is travelling users, or what. What is your use case?

    CEWII

    My users were once all working on an office LAN to a central SQL Server. It then grew to multiple offices and users needed it while traveling as well. I've never got around to converting it to a web service, which you rightly suggest. In the end, I think that's the real solution. I can then disable remote access on SQL Server.
