  1. #1

    Windows Firewall Question

    Hi all,

    I have enabled Windows Firewall on my Hyper-V VPS but I have noticed in the SQL Server logs that I get loads of failed login attempts for the 'sa' admin user account. Now obviously there's no risk of them ever guessing the login password because it's very "strong"; however, I can't help thinking that this must have some impact on server performance if it's spending all day blocking incorrect sa logins?

    On Linux I use good old CSF / LFD that monitors the number of failed logins for a given process and then bans the associated IP addresses completely. Is there any sort of Windows system that has the same functionality?

    Any help greatly appreciated.

    Chris.
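
The CSF/LFD behaviour asked about above (count failed logins per source address, then ban the address), sketched for the SQL Server error log as an added example that is not part of the original post. The threshold, the rule-name prefix and the sample log lines are assumptions; the script only prints the firewall commands so they can be reviewed before use.

```powershell
# Constructed sample lines in SQL Server error-log format (documentation address ranges).
# On a real server, replace this with Get-Content on the instance's ERRORLOG file.
$sampleLog = @'
2012-03-01 09:14:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2012-03-01 09:14:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2012-03-01 09:14:04.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2012-03-01 09:20:11.02 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2012-03-01 09:21:45.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
'@ -split "`r?`n"

function Get-FailedLoginSource {
    param(
        [string[]]$Line,
        [int]$Threshold = 3,          # assumed limit; tune to the site
        [string[]]$AllowList = @()    # addresses that must never be blocked
    )
    $pattern = "Login failed for user '[^']*'.*\[CLIENT:\s*(?<ip>[^\]]+)\]"
    $Line |
        ForEach-Object { if ($_ -match $pattern) { $Matches['ip'].Trim() } } |
        # Keep only values that parse as IP addresses; drops '<local machine>'
        # and stops odd strings from reaching the netsh command line.
        Where-Object { $ip = $null; [System.Net.IPAddress]::TryParse($_, [ref]$ip) } |
        Where-Object { $AllowList -notcontains $_ } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { New-Object psobject -Property @{ Address = $_.Name; Failures = $_.Count } }
}

function ConvertTo-BlockCommand {
    param([Parameter(ValueFromPipeline = $true)]$Source, [int]$Port = 1433)
    process {
        # Rule-name prefix is hypothetical; one inbound block rule per offending address.
        'netsh advfirewall firewall add rule name="SQL-bruteforce-{0}" dir=in action=block protocol=TCP localport={1} remoteip={0}' -f $Source.Address, $Port
    }
}

# Dry run: prints the commands instead of executing them.
Get-FailedLoginSource -Line $sampleLog -Threshold 3 | ConvertTo-BlockCommand
```

Put known customer and management addresses in `-AllowList`, because a block rule in Windows Firewall takes precedence over an allow rule for the same traffic.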

  2. #2

    ... although I guess just moving the DB port to a non-standard port would help

  3. #3

    Hello,

    Windows Firewall is not a 100% secure solution for preventing SA attacks, and if you are getting a large number of failed SQL login attempts then it can be harmful to your server's performance.
    We can use an IPsec policy to block IP addresses, like CSF. As you are getting a large number of failed SQL login attempts, we will enable "Force Encryption" in your SQL Server manager, and we can also set an IPsec rule which will block port 1433, port 21 and port 3389 for all IPs apart from those which we assign to the allow list of the IPsec policy; hence only the allowed IPs can access the ports which we block for other IPs. Before setting this rule, make sure that you use "server name\SQLEXPRESS" in your web.config instead of IP\SQLEXPRESS. If the attack is coming from a specific IP address, then we can block that IP on the server and the ports will stay open for all IPs. You can open a ticket with the VPS support department so that we can set up that IPsec policy for you.

    Best regards,
    Gareth M.
    eUKhost.com

  4. #4

    Hi Gareth,

    I'll look at changing the SQL Server port first I think because I will need access to the databases from a range of IP addresses (as this is a database server for a windows client application).

    I'll keep an eye on the logs and see how it goes for now I think...

    Cheers,

    Chris.

  5. #5

    Hello,

    I completely agree with you, if you need to provide access to SQL Server remotely from multiple IPs.
    As an alternative, you may change the port for MS SQL connections from 1433 to another one; any number which is not currently in use or otherwise reserved is a good candidate.
    Once you have changed the port as an added layer of protection, please allow that port in Windows Firewall. Using this, you can reduce somewhat the chance of an SQL attack.
    You can also use the following vulnerabilities in your code to prevent SQL injection attacks.

    * Vulnerabilities inside the database server
    * Magic String
    * Conditional Responses
    * Time Delays
    * Blind SQL Injection
    * Incorrect type handling
    * Incorrectly filtered escape characters

    Regards,
    Gareth M.
    eUkhost.com

  6. #6

    Hi,

    Thanks for the comments so far.

    One other option, seeing as I will only be allowing certain customers to connect to the server, is to ONLY allow their IP address through the firewall. This is all well and good for customers who have a fixed IP address but most will probably have dynamic.

    In my limited experience, whilst your IP address can change quite frequently, your hostname remains constant. For example, my domestic hostname is something similar to cpc1-stkp4-0-0-cust207.manc.cable.ntl.com and although my IP address has changed a few times over the years, as far as I know my hostname has stayed the same.

    Does anyone know if it's possible using the Windows Firewall (with Advanced Security) to allow connections based on hostname rather than IP addresses? Is there any way the server can perform a DNS lookup on the connecting hostname?

    Cheers,

    Chris.

  7. #7

    Quote, originally posted by OneApplications:
    > Does anyone know if it's possible using the Windows Firewall (with Advanced Security) to allow connections based on hostname rather than IP addresses? Is there any way the server can perform a DNS lookup on the connecting hostname?

    Hi Chris,

    You can achieve this using IPSEC, which has the capability of filtering [/blocking/allowing] DNS hostnames along with the IP addresses.

    Please go through this link for more info on IPSEC.

    Rock _a.k.a._ Jack

  8. #8

    Great! Thanks Rock, I'll have a look into that.

  9. #9

    Quote, originally posted by OneApplications:
    > Great! Thanks Rock, I'll have a look into that.

    You're welcome, good luck.

    Rock _a.k.a._ Jack

  10. #10

    Hi Rock,

    Can you just comment on the following:-

    1. Is the setup the same for Server 2008? I've been through the steps you posted and there appear to be a few differences here and there. Can you not access the IPSec rules in Server Manager 2008?

    2. When you set an access rule using a hostname you get a warning (something about the IP address - can't remember exactly) but is this saying that it will ONLY use the hostname when setting the rule. If your IP address changes at a later time will the IP address change not be detected by IPSec and hence the hostname will no longer be allowed access?

    Cheers,

    Chris.

  11. #11

    I've been doing some tests and it seems that IPSec doesn't evaluate hostnames after you've initially set the rule. So if you set a rule based on a hostname it will literally just use the IP address of the hostname at that point in time (which is pretty useless really!! lol)... unless I'm missing something??

  12. #12

    Hello,

    Windows XP, Server 2003, and 2000 use the same basic interface for implementing IPSec policies. Windows Server 2008 does these configurations in the Windows Firewall with Advanced Security snap-in (WF.msc), which is a big change from the simple port allow rules that were used in previous versions. Windows Firewall has mixed adoption levels, but now the port-level configuration is brought into the same configuration as Windows Firewall and more steps are required for simple port driven rules.

    IPsec policies can be assigned through Group Policy, which allows IPsec settings to be configured at the domain, site, organizational unit, or security group level.

    The main parameters for determining the weight of an IPsec filter are the following:

    * The source IP address
    * The subnet mask of the source IP address
    * The destination IP address
    * The subnet mask of the destination IP address
    * The IP Protocol field value
    * For UDP and TCP traffic, the Source Port number
    * For UDP and TCP traffic, the Destination Port number

    > I've been doing some tests and it seems that IPSec doesn't evaluate hostnames after you've initially set the rule. So if you set a rule based on a hostname it will literally just use the IP address of the hostname

    When you configure a rule for a hostname or any domain, the rule works the same for the IP to which the domain or hostname is pointing. If the domain is pointing to 10 IPs then the rule will be applicable to all 10 IPs. And yes, later on, if the domain points to different IPs then the rule will be applicable to them. IPsec shows a warning while configuring a rule for any domain. It warns something like, "This policy will block these number of IPs".

    You can refer to the following URLs for more information:

    Security rules for Windows Firewall and for IPsec-based connections in Windows Vista and in Windows Server 2008
    Server and Domain Isolation Using IPsec and Group Policy

    Hope this information will help you

    Best Regards,
    Sebastian
    Senior System Administrator
    http://www.eukhost.com/

  13. #13

    Hi Sebastian,

    Thanks for the info.

    So if I setup a DNS name of test.mydomain.co.uk and set its IP to 10.0.0.1 and then setup an IPSec rule to allow access for that hostname it will correctly find the IP address of 10.0.0.1. I can then connect to the server from 10.0.0.1 and get access. That's fine but if I then at a later date change the IP address of test.mydomain.co.uk to 10.0.0.2 in the DNS and then try to access the server from that new address / hostname, will IPSec realise that the DNS has changed and allow access?

  14. #14

    Hi,

    Yes. It should work as per Seb's reply: "later on if the domain will point to different IPs then rule will be applicable to them". We suggest you go through the link provided.

  15. #15

    Hi Chris,

    You are most welcome

    > So if I setup a DNS name of test.mydomain.co.uk and set its IP to 10.0.0.1 and then setup an IPSec rule to allow access for that hostname it will correctly find the IP address of 10.0.0.1. I can then connect to the server from 10.0.0.1 and get access. That's fine but if I then at a later date change the IP address of test.mydomain.co.uk to 10.0.0.2 in the DNS and then try to access the server from that new address / hostname, will IPSec realise that the DNS has changed and allow access?

    After the DNS changes, the domain should be propagated with the new IPs from the server where you are configuring the IPSec rules. Then the IPSec policies will automatically get assigned to the new IPs and you will get access.

    Feel free to get back to us for further assistance, we would be glad to assist you.

    Best Regards,
    Sebastian
    Senior System Administrator
    http://www.eukhost.com/
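
Post #11 reports a hostname rule keeping the address it resolved when the rule was set, while the later replies say it follows DNS. A refresh that does not depend on either behaviour, as an added example that is not part of any post: it re-resolves the hostname and rewrites the remote addresses of an existing allow rule only when the answer changes. The rule name and state-file path are hypothetical.

```powershell
# Hypothetical names: the rule must already exist as an inbound allow rule for the SQL port.
$RuleName  = 'AllowSqlCustomers'        # no spaces, so it passes to netsh without quoting
$HostNames = @('test.mydomain.co.uk')   # hostname used in the thread
$StateFile = Join-Path $env:TEMP 'AllowSqlCustomers.last'

function Resolve-AllowedAddress {
    param([string[]]$HostName)
    $all = foreach ($name in $HostName) {
        try {
            [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            # One failed lookup aborts the whole refresh, so a DNS outage
            # never shrinks the allow list and locks customers out.
            Write-Warning "Lookup failed for $name; rule left unchanged."
            return
        }
    }
    $all | Sort-Object -Unique
}

function Update-AllowRule {
    param([string]$Name, [string[]]$Address, [string]$StatePath, [switch]$Apply)
    if (-not $Address) { Write-Warning 'Nothing resolved; rule left unchanged.'; return }
    $new = $Address -join ','
    $old = if (Test-Path $StatePath) { Get-Content $StatePath -TotalCount 1 } else { '' }
    if ($new -eq $old) { return }       # DNS answer unchanged since the last run
    if ($Apply) {
        & netsh advfirewall firewall set rule "name=$Name" new "remoteip=$new"
        if ($LASTEXITCODE -eq 0) { Set-Content -Path $StatePath -Value $new }
    } else {
        "netsh advfirewall firewall set rule name=$Name new remoteip=$new"   # dry run
    }
}

# Dry run by default; add -Apply when run elevated from a scheduled task.
Update-AllowRule -Name $RuleName -Address (Resolve-AllowedAddress $HostNames) -StatePath $StateFile
```

Between a DNS change and the next scheduled run the new address is still refused, and whoever can edit the DNS record effectively controls the allow list, so the record belongs in a zone the server's owner administers.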
