Author |
Topic |
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-19 : 11:09:22
|
When I moved over to a new SQL server this week I chose the option to hide the server - just cos it was there and I thought I'd be a secure chappy - at least it stops your server broadcasting itself to all those naughty old viruses (virions?)

But really, this ALWAYS moves the port from 1433 to 2433 - is there any point in this whatsoever? When you hide the server you have no option but to use this port! If I was a virus writer I'd just start writing viruses to check both ports.

This seems so obvious I must be missing something? What's the general consensus? |
|
Kristen
Test
22859 Posts |
Posted - 2004-07-19 : 13:10:20
|
My consensus would be to use a firewall, I'm afraid ...

Kristen |
 |
|
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-19 : 13:28:26
|
We have a firewall protecting us from the outside world but that ain't gonna stop someone plugging into our internal network with a well travelled dirty old laptop... ;-) |
 |
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-07-19 : 13:31:14
|
Well, I wouldn't use 1433, 1434, 2433, or any of the other common ports (there are a couple of others that I found companies use). Pick a random port. I've always used a five-digit one. Don't post it anywhere. Don't tell anyone except those who need to know.

I've never chosen the option to hide the SQL Server.

Tara |
 |
|
Kristen
Test
22859 Posts |
Posted - 2004-07-19 : 13:47:36
|
quote: Originally posted by PapillonUK
We have a firewall protecting us from the outside world but that ain't gonna stop someone plugging into our internal network with a well travelled dirty old laptop... ;-)

True enough.

Kristen |
 |
|
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-20 : 04:23:07
|
Tara - thanks for the advice - how do you know that the port you have chosen is not in use by something else? Also, what's the allowed range?

Do you think it's not worth hiding the server? I'd have thought that once a virus has a list of all SQL servers on your network that's half the battle lost? Does anyone know if it's possible to hide the server AND change the port to something other than 2433?

(questions, questions - can you tell I'm confused yet!?)

Thanks for the reply,
Sime |
 |
|
derrickleggett
Pointy Haired Yak DBA
4184 Posts |
Posted - 2004-07-20 : 08:39:07
|
quote: Originally posted by PapillonUK
how do you know that the port you have chosen is not in use by something else? Also what's the allowed range?

Ask your network group. :) They should be able to give you a list by doing a scan.

quote: Originally posted by PapillonUK
Do you think it's not worth hiding the server? I'd have thought that once a virus has a list of all SQL servers on your network that's half the battle lost?

I think it's definitely worth it and recommended. Never use 1433 in particular if you can avoid it.

quote: Originally posted by PapillonUK
Does anyone know if it's possible to hide the server AND change the port to something other than 2433?

You can change the port to whatever you want if it's an available port. This effectively "hides" SQL Server.

MeanOldDBA
derrickleggett@hotmail.com
When life gives you a lemon, fire the DBA. |
 |
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-07-20 : 12:11:19
|
quote: Originally posted by PapillonUK
Also what's the allowed range?

Derrick answered the other questions. The allowed range I believe goes up to 32767.

Tara |
 |
|
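Added example (not part of the thread and not any poster's code): a small Python script that applies the advice in Tara's and Derrick's posts above, drawing random five-digit ports, rejecting the well-known SQL Server ports 1433, 1434 and 2433, and checking locally that nothing on the box already holds the candidate. It assumes it runs on the SQL Server host itself; the local bind test says nothing about other machines, which is why Derrick's suggestion of a scan by the network team still applies. TCP port numbers run up to 65535; pass max_port=32767 to match the limit Tara quotes. The ephemeral-range warning reflects the 49152-65535 dynamic range used by Windows Vista and later.

```python
import secrets
import socket

# Ports the thread names as the well-known SQL Server ones: 1433 (default TCP
# data port), 1434 (instance discovery) and 2433 (what "Hide server" forces).
# A scanner tries these first, so a "non-default" choice should avoid them.
WELL_KNOWN_SQL_PORTS = {1433, 1434, 2433}

# TCP port numbers run 1..65535.  Pass max_port=32767 to validate_port() to
# match the upper limit quoted in the thread.
TCP_PORT_MAX = 65535

# Windows (Vista and later) hands out outbound/ephemeral ports from this
# range; a listener placed here can collide with an outbound connection.
EPHEMERAL_LOW = 49152


def validate_port(port, min_port=1024, max_port=TCP_PORT_MAX):
    """Return the reasons `port` is a poor choice for SQL Server; [] means fine.

    Pure function (no network access): checks the numeric range, the
    privileged/well-known range, the ephemeral range and the SQL ports above.
    """
    problems = []
    if not isinstance(port, int) or port < 1 or port > max_port:
        return [f"{port!r} is outside the TCP port range 1-{max_port}"]
    if port < min_port:
        problems.append(f"{port} is in the well-known range (below {min_port})")
    if port in WELL_KNOWN_SQL_PORTS:
        problems.append(f"{port} is a well-known SQL Server port")
    if port >= EPHEMERAL_LOW:
        problems.append(f"{port} is in the ephemeral range (>= {EPHEMERAL_LOW})")
    return problems


def port_in_use(port, host="0.0.0.0"):
    """True if this host cannot bind TCP `port` right now.

    Binding a throwaway socket is the cheapest local check: EADDRINUSE means
    another process holds the port, and a permission error (ports below 1024
    on Unix) is also reported as unavailable.  It says nothing about other
    hosts on the network.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def random_candidates(count, low=10000, high=EPHEMERAL_LOW - 1):
    """Draw `count` distinct random five-digit ports with a CSPRNG,
    skipping the well-known SQL ports.  Returned sorted for readability."""
    picks = set()
    while len(picks) < count:
        p = low + secrets.randbelow(high - low + 1)
        if p not in WELL_KNOWN_SQL_PORTS:
            picks.add(p)
    return sorted(picks)


def pick_port(candidates, in_use=port_in_use, **limits):
    """First candidate that passes validate_port() and is not in use, else None.
    `in_use` is injectable so the choice can be checked against a known list."""
    for port in candidates:
        if not validate_port(port, **limits) and not in_use(port):
            return port
    return None


def hold_port(host="0.0.0.0"):
    """Open a listening socket on an OS-assigned port and return (sock, port).
    Only here to demonstrate port_in_use() against a live listener."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    for p in (1433, 2433, 80, 31337, 50000):
        print(p, validate_port(p) or "ok", "in use" if port_in_use(p) else "free")
    print("suggested:", pick_port(random_candidates(5)))
```

Run it once before reconfiguring the instance and once after: the first run confirms the candidate is free, the second confirms it is now held by SQL Server and that 1433 no longer is.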
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-20 : 12:34:06
|
Ah! 32767 - makes sense, thanks.

I'm a bit confused by Derrick's answer though... When I click the checkbox in EM to "Hide the server" the port is automatically set to 2433 and greyed out so that I cannot edit it manually to anything else.

Also, I thought hiding the server and changing the port were 2 separate things? By default, I thought SQL broadcasts all instances of SQL Server running on the box when queried via port 1433, while port 1434 is the port that SQL actually communicates to clients on when exchanging data. Thus "Hiding the server" means stopping port 1434 responding and "Changing the Port" means changing the address of 1433 to something unknown?

Is anyone still following this? |
 |
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-07-20 : 12:39:11
|
I've never hidden my server, so I can't be of much help there. In our web environments, we select ports that aren't common. For our internal network servers, we use the default ports. You might find the answer at sqlsecurity.com

Tara |
 |
|
derrickleggett
Pointy Haired Yak DBA
4184 Posts |
Posted - 2004-07-20 : 13:58:24
|
I can tell you what I have done and prefer to do. I change every instance to something other than 1433, including the default. I then block all traffic on 1433. I would look at www.sqlsecurity.com like Tara said though. I don't believe you are correct on the 1433/1434 idea though. Let me know if you find out I'm wrong.

MeanOldDBA
derrickleggett@hotmail.com
When life gives you a lemon, fire the DBA. |
 |
|
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-21 : 05:56:23
|
Looks like I may have misunderstood the info I've read - I'll try and sift through the security website and report back!

Is there a simple procedure to block port 1433? |
 |
|
AjarnMark
SQL Slashing Gunting Master
3246 Posts |
Posted - 2004-07-21 : 20:09:33
|
quote: Originally posted by PapillonUK
Is there a simple procedure to block port 1433?

Assuming you have a configurable firewall, then it should be simple for the network admin to do that with their configuration tool.

-----------------------------------------------------
Words of Wisdom from AjarnMark, owner of Infoneering |
 |
|
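Added example (not part of the thread and not any poster's code): a client-side check for the step Derrick and AjarnMark describe, moving the instance off 1433 and blocking 1433 at the firewall. The Python below probes the old and the new port from a client and distinguishes an open port from one that is refused or silently dropped, so the DBA can confirm the firewall change took effect and that the new port is reachable from where clients live. The hostname and the port 31337 are placeholders; point it at your own server from the network segments that should, and should not, be able to reach it.

```python
import socket
import sys


def tcp_probe(host, port, timeout=2.0):
    """Classify TCP `port` on `host` from this client's point of view.

    'open'        handshake completed: something is listening
    'refused'     RST came back: nothing listening, or a firewall REJECT rule
    'filtered'    nothing came back before `timeout`: typical of a DROP rule
    'unreachable' no route, or the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def sql_exposure_report(host, chosen_port, probe=tcp_probe):
    """Check the two things the thread wants after moving SQL Server off 1433:
    the default port must no longer answer and the chosen port must.

    Returns (ok, details).  `probe` is injectable so the logic can be
    exercised without a live server.
    """
    default_state = probe(host, 1433)
    chosen_state = probe(host, chosen_port)
    findings = []
    if default_state == "open":
        findings.append("TCP 1433 still accepts connections; the block is not in effect")
    if chosen_state != "open":
        findings.append(f"chosen port {chosen_port} is {chosen_state}; clients cannot connect")
    details = {"1433": default_state, str(chosen_port): chosen_state, "findings": findings}
    return not findings, details


def listen_on_loopback():
    """Open a listening socket on 127.0.0.1 at an OS-assigned port and return
    (sock, port).  Only here so tcp_probe() can be demonstrated offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_sql_ports.py <host> <chosen_port>
    # Both defaults are placeholders for the reader's own server and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    chosen = int(sys.argv[2]) if len(sys.argv) > 2 else 31337
    ok, details = sql_exposure_report(host, chosen)
    print("OK" if ok else "PROBLEMS", details)
```

A "filtered" result on 1433 means the firewall is dropping the packets; "refused" means the host itself answered, which is what you see when the instance has been moved off 1433 but no firewall rule is in place, and the port would reopen the moment someone restores the default.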
eyechart
Master Smack Fu Yak Hacker
3575 Posts |
Posted - 2004-07-21 : 20:28:16
|
We are currently moving our database servers to their own subnet with a firewall out front. With this setup it is very easy to control access to the boxes. Not a cheap solution though, since we do everything with Cisco and Checkpoint.

-ec |
 |
|
derrickleggett
Pointy Haired Yak DBA
4184 Posts |
Posted - 2004-07-21 : 22:45:18
|
We will be doing the same thing. It will actually be in either its own branch or a different AD domain.

MeanOldDBA
derrickleggett@hotmail.com
When life gives you a lemon, fire the DBA. |
 |
|
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-22 : 08:18:09
|
Sounds like a good idea - though it's a pity that we should have to go to these lengths.

Have had a glance through www.sqlsecurity.com - must admit I don't find it that easy to follow - it tells you what you should be doing but doesn't seem to include step-by-step instructions for the common man (woman). Think I need to revisit this during our DR/Security testing next month! |
 |
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2004-07-23 : 04:03:35
|
Hi, when you hide a server, it automatically chooses 2433 because it's what Microsoft configured it to be when you have more than 1 instance of SQL Server.

Workaround to choose a different port: do not opt for hide server. There are a lot of tools to retrieve your port numbers and no matter how you hide them, believe me they will be retrieved. The safest thing to do is to make sure you have tight SQL and network security.

quote: Originally posted by PapillonUK
When I moved over to a new SQL server this week I chose the option to hide the server - just cos it was there and I thought I'd be a secure chappy - at least it stops your server broadcasting itself to all those naughty old viruses (virions?) But really, this ALWAYS moves the port from 1433 to 2433 - is there any point in this whatsoever? When you hide the server you have no option but to use this port! If I was a virus writer I'd just start writing viruses to check both ports. This seems so obvious I must be missing something? What's the general consensus?
|
 |
|
PapillonUK
Starting Member
22 Posts |
Posted - 2004-07-23 : 06:03:53
|
I see - so it looks like they've just hooked into a routine that was already written for multiple instances.

I suppose it'd be easy for a determined hacker or well-written virus to scan the full port range. Nothing wrong with a belt & braces approach though I s'pose. |
 |
|
|