
I am using an MS-SQL Server 2008 instance as back-end DB server for a project. I did some security tests on the machine hosting my project and SQL Server and got the following report on SQL Server:

On port 1853/TCP a database server is running (specifically MSSQL, with a version number), and this information was available in the pre-login response.

How can I hide this information and SQL Server altogether?

I can't find a way to create a trigger and allow access to specific IPs, but I am not sure if this addresses my problem here properly.

sysadmin1138
user76678

2 Answers

If the attacker has access to the TCP port they can find this information out. You'll need to use some sort of firewall to block access to the SQL Server from people that shouldn't have access to it.

Putting the SQL Server on a non-standard port is not a good way to prevent people from attempting to break into your SQL Server.

mrdenny
  • mrdenny: Well, I did not customise it. Also there is a report on port 1434/UDP that reveals server info on ping. So besides a firewall, isn't there any other option? E.g. perhaps the responses are configurable and send back something else instead of the version? – user76678 Jul 11 '11 at 21:27
  • 1434/UDP is the SQL Server Browser service which is used to translate instance names to TCP port numbers. Is your instance a named instance? Do you have two instances installed? No there is no way to customize these responses. – mrdenny Jul 11 '11 at 21:31
  • Yes, it is a named instance. No, it is 1 instance and you are right, an SQL Browser. I have found some posts mentioning the possibility to filter IPs. In this case, do you know if the SQL Server rejects the connection but still sends its version in the response? – user76678 Jul 11 '11 at 21:33
  • That explains why it is on a funny port number. IP filtering is done at the OS level, not at the SQL Server level. If you filter the connection so that it can't get to the SQL Server then there will be no response. – mrdenny Jul 11 '11 at 21:48

Why port 1853? SQL Server's standard port is 1433, did you customize it? Otherwise this means that port is owned by something else running on the machine.

Anyway, a firewall (even Windows' built-in one) would be your best solution here. If the machine is sitting on a public IP address, you should really have one in place anyway, regardless of SQL Server.

Massimo
  • Massimo: Well, I did not customise it. Also there is a report on port `1434/UDP` that reveals server info on ping. Perhaps the port `1433` you mention is a typo? So besides a firewall, isn't there any other option? E.g. perhaps the responses are configurable and send back something else instead of the version? – user76678 Jul 11 '11 at 21:25
  • That's another, optional port SQL Server may use for the SQL Server Browser service; but the main port for the database server itself is (and has always been) TCP 1433. This can be changed, but if you didn't do that, then it's not SQL Server which is listening on port 1853. – Massimo Jul 11 '11 at 21:28
  • Ok, I will check to see if there has been customisation I did not know of. But I was wondering, isn't there any possibility to customise the SQL Server responses? I have found some posts mentioning the possibility to filter IPs. In this case, do you know if the SQL Server rejects the connection but still sends its version in the response? – user76678 Jul 11 '11 at 21:32
  • SQL Server "speaks" its own network protocol, which includes exchanging information with the client; that's the same as IIS stating "I'm IIS" even if you request an invalid web page or supply invalid credentials. Your only solution is a firewall (even the system one). – Massimo Jul 11 '11 at 21:33
  • Ok. I was hoping that, like Java application servers can be configured not to send such info, so could SQL Server (or IIS for that matter). – user76678 Jul 11 '11 at 21:39
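Both answers point to the same fix: filter at the OS level so unlisted hosts never reach the SQL Server ports and therefore never get a pre-login or Browser response. The script below is an added example, not code from either answer, and uses the Windows built-in firewall through `netsh advfirewall` (available on Windows Server 2008) for the two ports named in the question, TCP 1853 and UDP 1434; the client addresses in `$AllowedClients` are placeholders.

```powershell
# Added example: restrict the SQL Server instance port (TCP 1853) and the
# SQL Server Browser port (UDP 1434) to an allow-list of client addresses.
# Run from an elevated PowerShell prompt on the SQL Server host.
$SqlTcpPort     = 1853                      # port reported by the scan
$BrowserUdpPort = 1434                      # SQL Server Browser service
$AllowedClients = '10.0.0.10,10.0.0.0/24'   # PLACEHOLDER: hosts that legitimately use SQL

function Add-ScopedSqlRule {
    param([string]$Protocol, [int]$Port, [string]$RemoteIps)
    $name = "SQL Server $Protocol $Port - listed clients only"
    # Drop any earlier copy so the script can be re-run without duplicating rules
    # (netsh prints "No rules match" when there is none; that output is discarded).
    netsh advfirewall firewall delete rule name="$name" | Out-Null
    # Inbound allow rule scoped to the listed remote addresses only. Any other
    # source falls through to the default inbound policy (block), so a scanner's
    # probe is dropped before sqlservr.exe or the Browser service can answer it.
    netsh advfirewall firewall add rule name="$name" dir=in action=allow `
        protocol=$Protocol localport=$Port remoteip=$RemoteIps profile=any
}

# 1. Ensure the firewall is on and unsolicited inbound traffic is blocked by default.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Allow only the listed clients to reach the instance port and the Browser port.
Add-ScopedSqlRule -Protocol TCP -Port $SqlTcpPort     -RemoteIps $AllowedClients
Add-ScopedSqlRule -Protocol UDP -Port $BrowserUdpPort -RemoteIps $AllowedClients

# 3. Review: a broader inbound allow rule (for example one with RemoteIP "Any"
#    created earlier for sqlservr.exe) would still expose the banner, so list the
#    name, port, remote scope and action of every inbound rule for inspection.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Protocol|LocalPort|RemoteIP|Action)' |
    ForEach-Object { $_.Line }
```

A named instance listens on a dynamic TCP port unless one is fixed in SQL Server Configuration Manager, so confirm the port is static (and still 1853) before relying on a port-scoped rule; the rule is otherwise silently wrong after the next restart.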