How do I allow only specific IP addresses to connect to my SQL Server?

  • Quick questions

    1) Can you briefly describe the network topology/structure?

    2) Which devices are between the attackers and your server (make/model/role)?

    3) Are the attacks external? (how can you tell?)

    4) What authentication mechanism do you use?

    - a. SSPI (Security Support Provider Interface)

    - b. NTLM (NT Lan Manager)

    - c. SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)

    - d. GSSAPI (Generic Security Services Application Program Interface)

    - e. SQL Server Authentication

    - f. Other (which)

    5) Do you see any patterns in the attacks?

    6) Which protocols and services are accessible from the Internet?

    😎

  • Typical setup for a fw is that you first have the allow rules and then deny all

    1. Allow from scope (allowed IPs) to ports 1434 and 1433 TCP and UDP

    2. Deny from * to ports 1434 and 1433 TCP and UDP

    I am not familiar with Windows Firewall at all, but I googled a little and I think that the procedure for WF is pretty much the opposite.

    You first deny everything and then add exceptions.

    Here is a link for adding an exception for a port: http://technet.microsoft.com/en-us/library/cc784523(v=ws.10).aspx

    and then a link for adding the proper scope/addresses for your needs:

    http://technet.microsoft.com/en-us/library/cc781515(v=ws.10).aspx

  • GilaMonster (10/9/2014)


    Luis Cazares (10/9/2014)


    I wasn't expecting that someone would expose their SQL instance to the internet. :crazy:

    I suspect that's the situation that the OP is in. 🙁

    I think the situation is even worse if the attacks are coming from the intranet :unsure:

  • Ville-Pekka Vahteala (10/9/2014)


    Typical setup for a fw is that you first have the allow rules and then deny all

    1. Allow from scope (allowed IPs) to ports 1434 and 1433 TCP and UDP

    2. Deny from * to ports 1434 and 1433 TCP and UDP

    I am not familiar with Windows Firewall at all, but I googled a little and I think that the procedure for WF is pretty much the opposite.

    You first deny everything and then add exceptions.

    Here is a link for adding an exception for a port: http://technet.microsoft.com/en-us/library/cc784523(v=ws.10).aspx

    and then a link for adding the proper scope/addresses for your needs:

    http://technet.microsoft.com/en-us/library/cc781515(v=ws.10).aspx

    But that specifically doesn't do what is required - exceptions are for the incoming port, whatever is trying to connect to it - that's how Windows Firewall works, and that's how the URL you referenced says it works.

    What the OP is trying to do can't be done with Windows Firewall. I've always (at least since Slammer) used VPNs from the remote client to the (not Windows, but external) firewall, with nothing outside the firewall allowed to get through on any port unless it uses a VPN originating at a specified IP address and matching the VPN parameters and protocol details registered in the firewall for that IP address (actually IP address ranges are sometimes used rather than IP addresses). Then in the Windows Firewall the SQL ports are enabled, because nothing in the outside world can get through the external firewall unless it has permission. When trying to make some of the local network unable to access these ports you need a firewall between the part of the local network where everyone connected is allowed to see the SQL ports and that part where some people are not allowed to see them.

    Tom

  • Duplicate post deleted

    Tom

  • TomThomson (10/9/2014)


    Ville-Pekka Vahteala (10/9/2014)


    Typical setup for a fw is that you first have the allow rules and then deny all

    1. Allow from scope (allowed IPs) to ports 1434 and 1433 TCP and UDP

    2. Deny from * to ports 1434 and 1433 TCP and UDP

    I am not familiar with Windows Firewall at all, but I googled a little and I think that the procedure for WF is pretty much the opposite.

    You first deny everything and then add exceptions.

    Here is a link for adding an exception for a port: http://technet.microsoft.com/en-us/library/cc784523(v=ws.10).aspx

    and then a link for adding the proper scope/addresses for your needs:

    http://technet.microsoft.com/en-us/library/cc781515(v=ws.10).aspx

    But that specifically doesn't do what is required - exceptions are for the incoming port, whatever is trying to connect to it - that's how Windows Firewall works, and that's how the URL you referenced says it works.

    I am pretty sure that the OP is speaking about incoming traffic.

    sukhoi971 (10/9/2014)


    but I have other servers that connect to my SQL server, and I want only them to be able to connect to the SQL server, with all the rest denied

  • Ville-Pekka Vahteala (10/9/2014)


    TomThomson (10/9/2014)


    Ville-Pekka Vahteala (10/9/2014)


    Typical setup for a fw is that you first have the allow rules and then deny all

    1. Allow from scope (allowed IPs) to ports 1434 and 1433 TCP and UDP

    2. Deny from * to ports 1434 and 1433 TCP and UDP

    I am not familiar with Windows Firewall at all, but I googled a little and I think that the procedure for WF is pretty much the opposite.

    You first deny everything and then add exceptions.

    Here is a link for adding an exception for a port: http://technet.microsoft.com/en-us/library/cc784523(v=ws.10).aspx

    and then a link for adding the proper scope/addresses for your needs:

    http://technet.microsoft.com/en-us/library/cc781515(v=ws.10).aspx

    But that specifically doesn't do what is required - exceptions are for the incoming port, whatever is trying to connect to it - that's how Windows Firewall works, and that's how the URL you referenced says it works.

    I am pretty sure that the OP is speaking about incoming traffic.

    sukhoi971 (10/9/2014)


    but I have other servers that connect to my SQL server, and I want only them to be able to connect to the SQL server, with all the rest denied

    If "local network only" is good enough that is OK, but that would mean both (i) that those "other servers who connect to my sql server" are all on the local network and (ii) that "rest all denied" doesn't include any machines that are on the local network. I have sometimes been in a situation where (i) was true, but usually not; and I have hardly ever been in a situation where (ii) is true - I don't even run my home machine like that! Both (i) and (ii) true - extremely rare, in my experience, although I guess it's possible for a small enough single-site outfit where nobody who touches the database ever works from home. If both (i) and (ii) are true, he can do it with Windows Firewall (by specifying "local network only"); otherwise he can't.

    Of course I'm assuming he's using Windows Firewall as opposed to Windows Firewall with Advanced Security, which is a completely different product and is included in more modern Windows operating systems (like for example the Windows 8.1 on my laptop) - it is a fully featured firewall so it will do what he wants, and he can configure it using netsh commands or using PowerShell.

    Tom

  • TomThomson (10/10/2014)


    Ville-Pekka Vahteala (10/9/2014)


    TomThomson (10/9/2014)


    Ville-Pekka Vahteala (10/9/2014)


    Typical setup for a fw is that you first have the allow rules and then deny all

    1. Allow from scope (allowed IPs) to ports 1434 and 1433 TCP and UDP

    2. Deny from * to ports 1434 and 1433 TCP and UDP

    I am not familiar with Windows Firewall at all, but I googled a little and I think that the procedure for WF is pretty much the opposite.

    You first deny everything and then add exceptions.

    Here is a link for adding an exception for a port: http://technet.microsoft.com/en-us/library/cc784523(v=ws.10).aspx

    and then a link for adding the proper scope/addresses for your needs:

    http://technet.microsoft.com/en-us/library/cc781515(v=ws.10).aspx

    But that specifically doesn't do what is required - exceptions are for the incoming port, whatever is trying to connect to it - that's how Windows Firewall works, and that's how the URL you referenced says it works.

    I am pretty sure that the OP is speaking about incoming traffic.

    sukhoi971 (10/9/2014)


    but I have other servers that connect to my SQL server, and I want only them to be able to connect to the SQL server, with all the rest denied

    If "local network only" is good enough that is OK, but that would mean both (i) that those "other servers who connect to my sql server" are all on the local network and (ii) that "rest all denied" doesn't include any machines that are on the local network. I have sometimes been in a situation where (i) was true, but usually not; and I have hardly ever been in a situation where (ii) is true - I don't even run my home machine like that! Both (i) and (ii) true - extremely rare, in my experience, although I guess it's possible for a small enough single-site outfit where nobody who touches the database ever works from home. If both (i) and (ii) are true, he can do it with Windows Firewall (by specifying "local network only"); otherwise he can't.

    More updated link.

    http://technet.microsoft.com/en-us/library/dd734783(v=ws.10).aspx

    After reading it I am still convinced that one can have an inbound rule for a limited list of IPs on a local port.

  • Ville-Pekka Vahteala (10/10/2014)


    More updated link.

    http://technet.microsoft.com/en-us/library/dd734783(v=ws.10).aspx

    After reading it I am still convinced that one can have an inbound rule for a limited list of IPs on a local port.

    Well, the second sentence on that page says "This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in." In other words, if he has the new firewall called "Windows Firewall with Advanced Security" he can do it. If he has the old firewall called Windows Firewall he can't.

    I don't know why you excluded the last paragraph of my message when you quoted it; it said exactly that - he can do it with the new firewall and not with the old one. As you previously referenced a page for the old firewall (a page that says very clearly that you can't do it) I had assumed that the discussion was about someone stuck with the old firewall; I don't know which one he has.

    Tom

  • TomThomson (10/11/2014)


    Ville-Pekka Vahteala (10/10/2014)


    More updated link.

    http://technet.microsoft.com/en-us/library/dd734783(v=ws.10).aspx

    After reading it I am still convinced that one can have an inbound rule for a limited list of IPs on a local port.

    Well, the second sentence on that page says "This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in." In other words, if he has the new firewall called "Windows Firewall with Advanced Security" he can do it. If he has the old firewall called Windows Firewall he can't.

    I don't know why you excluded the last paragraph of my message when you quoted it; it said exactly that - he can do it with the new firewall and not with the old one. As you previously referenced a page for the old firewall (a page that says very clearly that you can't do it) I had assumed that the discussion was about someone stuck with the old firewall; I don't know which one he has.

    I did not exclude the paragraph by choice. Maybe you edited the message and added the last line there. It shows as edited and I did reply quite quickly.

    Even my previous link, which is for an older server version, has the option to have a custom list as scope. I still think that one can do it with Windows Firewall. Maybe it is not that easy from the GUI, but it is still doable.

    Custom list

    This setting allows you to specify one or more IPv4 addresses or IPv4 address ranges separated by commas (with no spaces). IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example custom list: 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    I corrected one typo.
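Added example, not code from the thread or from Microsoft: a PowerShell script that does what Tom's post (netsh or PowerShell on Windows Firewall with Advanced Security) and the "Custom list" scope text above describe, scoping the inbound SQL Server rules to an explicit remote-address list. The client addresses, rule names, ports (TCP 1433 for a default instance, UDP 1434 for SQL Browser) and profiles are assumptions for illustration; run it in an elevated session.

```powershell
# Added example (not from the thread): restrict inbound SQL Server traffic to an
# explicit list of source addresses with Windows Firewall with Advanced Security.
# Assumptions: default instance on TCP 1433, SQL Browser on UDP 1434, and the
# allowed clients are the placeholder addresses below.

$AllowedClients = @('10.0.0.21', '10.0.0.22', '10.0.1.0/24')   # placeholder scope

# 1) Block inbound traffic by default, so anything not matched by an allow rule
#    is dropped. WFAS evaluates block rules before allow rules, so do NOT add a
#    separate "block 1433 from any" rule: it would also override the scoped
#    allow rules created below.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2) Remove pre-existing, unscoped inbound rules for TCP 1433 (e.g. created by
#    setup or by hand); their RemoteAddress of 'Any' would let every host through.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule | Where-Object Direction -eq 'Inbound' |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Remove-NetFirewallRule

# 3) Scoped allow rules: -RemoteAddress is the "custom list" scope from the
#    thread (single addresses, CIDR prefixes or address/mask pairs).
New-NetFirewallRule -DisplayName 'SQL Server (TCP 1433) - allowed clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Domain,Private
New-NetFirewallRule -DisplayName 'SQL Browser (UDP 1434) - allowed clients only' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Domain,Private

# 4) Verify: every enabled inbound rule touching 1433/1434 with its remote scope.
#    Any row whose Remote column still reads 'Any' needs attention.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $port  = $_ | Get-NetFirewallPortFilter
    $ports = @($port.LocalPort)
    if ($ports -contains '1433' -or $ports -contains '1434') {
        [pscustomobject]@{
            Name     = $_.DisplayName
            Action   = $_.Action
            Protocol = $port.Protocol
            Port     = ($ports -join ',')
            Remote   = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
} | Format-Table -AutoSize
```

The scoped rules only control who can reach the listener; they do not replace hardening the instance itself (authentication mode, strong sa handling, patching), and a host-based firewall is still bypassed by traffic that never reaches this host's filter, which is why the external firewall/VPN layer discussed above remains the primary control for Internet-facing deployments.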
