I believe everyone is familiar with the TCP/IP protocol settings of a SQL Server instance: there is a TCP port, and every beginner's tutorial online tells you to configure it as 1433. Oh, I was no exception.
Today I fell deep into the pit. The company server's port 1433 had unfortunately been found by a hacker's scan, and it was being hit with about 50 requests per second, trying to brute-force the SA password of the SQL Server database with a dictionary. This had been going on for several months, and the log folder had grown to more than 10 GB.
In a small company we are not just code farmers: courseware production, server maintenance, printer repair, computer repair, phone repair, cleaning, we do it all. The all-round knight, the nanny, haha.
Seeing that every row of the log has an IP address, the first thing that came to mind was to have the server deny that IP access. So I rehearsed the deny-IP setting on my own computer, and when I thought I had it figured out I went to the server to apply it, only to sadly discover that the server does not have this function. Don't ask me why not; if you ask, I won't say, haha. Helpless, I told the boss I really couldn't just swap the system; redeploying the server would be no small amount of work.
After reorganizing my thoughts: since he is using SA to log into the database, I'll simply disable SA; the site doesn't use SA as its login user anyway. Having done that, I found the SQL Server log file was still being written to, growing by a few KB every second. Opening it, the entries had changed from the original "login failed" to "the SA user does not have permission to log on". At this rate of growth the disk would sooner or later be filled with log files. Even after I stopped all the websites, the log files kept growing, with "sa login failed" errors continuously written into the error log. Analysis: this was not caused by a vulnerability in the website!
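The log-reading step described above, the per-IP count that the author wanted to turn into a deny rule and the change of message text after SA was disabled, can be automated. The following is an added example, not code from the original post; it parses ERRORLOG-style "Login failed" lines (the line format is assumed from SQL Server's standard message text, and the log lines themselves are constructed for the example), counts failures per client IP, and flags any client that exceeds a threshold inside a time window so the result can feed a firewall or deny list.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed ERRORLOG line shape: "<timestamp> Logon  Login failed for user '<user>'.
# Reason: <reason> [CLIENT: <ip>]". Adjust if your build phrases it differently.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?)\s*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample log: a dictionary attack on 'sa' from one client, a single
# typo from a legitimate client, and the reason text seen after SA is disabled.
SAMPLE_LOG = """\
2024-03-01 10:00:00.01 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:00.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:00:00.03 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:00.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:00:00.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 10:00:01.20 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:05:00.00 Logon       Login failed for user 'sa'. Reason: The account is disabled. [CLIENT: 203.0.113.5]
2024-03-01 10:05:00.02 Logon       Login failed for user 'sa'. Reason: The account is disabled. [CLIENT: 203.0.113.5]
"""


def parse_failed_logins(text):
    """Return one dict per 'Login failed' line; the 'Error: 18456' lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": m.group("reason"),
            "ip": m.group("ip"),
        })
    return events


def attempts_per_client(events):
    """Total failed logins per client IP (the column the author saw in every row)."""
    return Counter(ev["ip"] for ev in events)


def reason_breakdown(events):
    """Count by (user, reason): shows that disabling SA changes the message, not the volume."""
    return Counter((ev["user"], ev["reason"]) for ev in events)


def flag_brute_force(events, threshold=3, window_seconds=60.0):
    """Client IPs with at least `threshold` failures inside any `window_seconds` window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it fits within window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("failures per client:", dict(attempts_per_client(evs)))
    for (user, reason), n in reason_breakdown(evs).items():
        print(f"{n:>3}  {user:<8} {reason}")
    print("candidates for a deny rule:", sorted(flag_brute_force(evs)))
```

A legitimate user who mistypes a password once stays below the threshold, while the dictionary attacker is flagged by the first three attempts; note that the same client keeps appearing after SA is disabled, only with a different reason string, which matches what the post observes.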
Since passive defence wasn't working, I had to learn how the attack works. For domestic matters ask Baidu, for foreign matters ask Google. After some reading I understood that SQL Server attacks start by scanning port 1433; if it is open, a dictionary brute-force follows, and on Linux there is a tool where a few lines of command start a password-collision crack. At that point everything was so clear!
Since the problem is port 1433, let's ban it: change it to a different port and that's the end of it. After the change the server really was spared from the attack, but a new problem appeared: two ASP websites could not be opened. Static pages opened, but ASP pages did not. Still, that's a small problem; our server worth $ tens of millions was finally saved, haha.
In fact, I know the real hackers out there are far beyond the one I met today; I'm a rookie, and I think he is too! Sharing my experience with everyone; welcome to join QQ group 278201498 to learn and exchange ideas.
If you think it's OK, recommend it!