I have never had problems with this before with any of six other ISPs. Is it normal to manage an SQL server through port 1433/1434 using Enterprise Manager or am I doing something really stupid by keeping those ports open on the server?
If your database is offsite, and you accessed it with the DSL connection in question, then it really cannot create any damage. You are connecting to a remote port.
If you host the SQL server somewhere else on the same DSL network, but somewhere remote, then closing those ports for outsiders still should let you in, since you are technically on the same network.
If both client and SQL server are on the same machine, then closing any in/out ports should not affect you at all.
I am kind of confused here :)
(this is the 5th time I've seen customer service reps beat the heck out of what tech support can do)
Sorry to confuse the issue - just playing devil's advocate!
(personally, I use a VPN, and to add a little confusion I run SQL Server on a different port).
Sure, you can send different protocols and read the responses and figure it out, but certain SQL attacks such as Slammer look for port 1433.
See the following article for info:
SQL Server and deadly Port 1433 idiots
The VPN method does conceal the actual protocols being supported to some extent.
I've had problems with IT network idiots denying access to those ports.
There was a big Slammer virus 3 years ago that affected unpatched SQL Server systems, which put a bad reputation on those ports.
The real thing is that the risk is only there if the person running SQL Server doesn't know what he's doing and leaves the server unpatched.
Anyway, to stop dealing with idiots, just change the ports! That's five minutes' work.
Ask your local ISP which range of ports is open to use and choose two of them.
That's what I did.
All those machines which don't run any service on a specific port xyz are safe. Where there is no exploitable service, there is no attack vector. If only a few customers are using a specific port, it would make no sense for an ISP to block that port xyz within their entire network.
It is another question if it would be wise to start a service which might show some vulnerabilities now and then on a server box visible to the internet and leave that port open for the public to try and poke around.
So to answer the original question "is it a security risk keeping those ports open on the server": yes, it is, as it may attract all kind of unwanted probing/scripting/exploiting/hacking activities.
To have an IDS is good. An additional measure could be to put a firewall in front of that machine, which would let only a few trusted IP addresses talk to that port and reject all others.
Another possibility is to generally close the port in the server's firewall and run the communications to that service through an SSH tunnel. Or use a VPN, as others mentioned already.
Just configuring desired services to other ports may help to escape an ISP wide port blocking but does not help security-wise ("security through obscurity"): any port scanning will show the new ports open and it would be no problem to remotely identify the services on these new ports.
Regards,
R.
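As an added illustration of the trusted-IP firewall approach from R.'s post (example code written for this thread, not something any poster shipped): it reads firewall log lines, keeps only hits on 1433/1434, and reports every source outside the allowlist, separating attempts that were dropped (probing noise) from those that were allowed (an allowlist that is not actually enforced). It assumes the field order of Windows Firewall's pfirewall.log; the log lines are constructed and the addresses are documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Windows Firewall (pfirewall.log) field order:
# date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-02-10 09:12:01 ALLOW TCP 198.51.100.7 192.0.2.10 50112 1433 52 S 0 0 0 - - - RECEIVE
2006-02-10 09:12:05 DROP TCP 203.0.113.44 192.0.2.10 4012 1433 48 S 0 0 0 - - - RECEIVE
2006-02-10 09:12:05 DROP UDP 203.0.113.44 192.0.2.10 4013 1434 404 - - - - - - - RECEIVE
2006-02-10 09:12:09 ALLOW TCP 203.0.113.91 192.0.2.10 3321 1433 48 S 0 0 0 - - - RECEIVE
2006-02-10 09:13:40 ALLOW TCP 198.51.100.7 192.0.2.10 50113 80 48 S 0 0 0 - - - RECEIVE
"""

SQL_PORTS = {1433, 1434}  # SQL Server TCP listener and the UDP browser/resolution port


def parse_line(line):
    """Return (action, protocol, src_ip, dst_port), or None for header/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    return f[2], f[3], ipaddress.ip_address(f[4]), int(f[7])


def audit_sql_access(log_text, trusted_cidrs, sql_ports=SQL_PORTS):
    """Check every hit on the SQL Server ports against the trusted-IP allowlist.

    Returns a dict with:
      'untrusted_allowed': [(src_ip, port)] that got through although not trusted
      'untrusted_dropped': Counter of src_ip -> rejected attempts from outsiders
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    allowed, dropped = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, _proto, src, port = rec
        if port not in sql_ports or any(src in n for n in nets):
            continue  # other service, or a trusted source: nothing to report
        if action == "ALLOW":
            allowed.append((str(src), port))  # gap: the allowlist rule is not enforced
        else:
            dropped[str(src)] += 1
    return {"untrusted_allowed": allowed, "untrusted_dropped": dropped}


if __name__ == "__main__":
    print(audit_sql_access(SAMPLE_LOG, ["198.51.100.0/24"]))
```

With the constructed log, 203.0.113.44 shows up as two dropped probes (1433/TCP and 1434/UDP) and 203.0.113.91 as an allowed connection that the allowlist should have blocked.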