moh*_*edn 17 sql sql-server security sql-server-2005 sql-server-2008
我想将我的SQL Server实例的连接限制为特定的IP地址.我想阻止除特定列表之外的任何IP地址的任何连接.这是可以在SQL Server实例或数据库中配置的东西吗?
Aar*_*and 22
听起来像你使用Windows防火墙做的事情(你可以阻止SQL Server端口,并允许某些IP地址的例外).
您可以通过使用sys.dm_exec_connections检查IP地址的登录触发器之类的操作来执行此操作,但我认为这比直接阻止流量更不可取.
在数据库级别当然要做得更加困难.
Mat*_*ith 20
我写了这个功能来自动禁止一个IP地址,该地址已经从同一个IP地址登录尝试超过X(@FailedLoginAttempts).它基于SQL Server错误日志.我正在运行Windows Server 2008和SQL Server 2008 R2.
请注意,如果您暂时没有重新启动SQL Server错误日志,您可能会获得大量的IP地址,并且可能需要一些时间来处理所有内容.每运行10分钟,整个过程大约需要4-5秒.
创建表以存储禁止的IP地址
/* Create table to store banned IP addresses */
USE [YourDB]
GO
CREATE TABLE [dbo].[autobanned_ipaddesses](
[id] [int] IDENTITY(1,1) NOT NULL,
[ipaddress] [varchar](50) NOT NULL,
[attacked_on] [datetime2](2) NOT NULL,
[banned_on] [datetime2](7) NOT NULL,
[number_login_attempts] [int] NULL,
CONSTRAINT [PK_autobanned_ipaddesses] PRIMARY KEY CLUSTERED
([id] ASC)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON, FILLFACTOR = 80) ON [PRIMARY]) ON [PRIMARY]
ALTER TABLE [dbo].[autobanned_ipaddesses] ADD CONSTRAINT [DF_autobanned_ipaddesses_banned_on] DEFAULT (getdate()) FOR [banned_on]
创建将IP地址自动添加到防火墙的过程.我个人将此代码放在每10分钟运行一次的代理作业中.另请注意,此过程使用xp_cmdshell.我当然不想辩论启用或禁用此功能的优点.对于他们自己,但我的脚本将无法使用此功能.如果你没有启用它,这是一个很好的链接来帮助你.
USE [YourDB]
DECLARE @T TABLE(LogDate datetime,ProcessInfo varchar(200),Text varchar(max))
DECLARE @T2 TABLE(LogDate datetime,ProcessInfo varchar(200),IPAddress varchar(max))
DECLARE @T3 TABLE(LogDate datetime,IPAddress varchar(max))
DECLARE @IPAddress varchar(50),@LogDate datetime,@NumLoginAttempts int,@CmdExc varchar(300),@FailedLoginAttempts int=10
BEGIN /* Get error log records with failed login attempt data */
INSERT INTO @T
EXEC sp_readerrorlog 0,1,'Could not find a login matching the name provided'
INSERT INTO @T
EXEC sp_readerrorlog 0,1,'An error occurred while evaluating the password'
END
BEGIN /* Get the IP address from T*/
INSERT INTO @T2
SELECT LogDate,ProcessInfo,REPLACE(REPLACE( SUBSTRING(Text, PATINDEX ('%[0-9].%[0-9].%[0-9].[0-9]%',Text)-2,50),']',''),':','') FROM @T
END
BEGIN /* Get the NEW ip addresses from T2*/
INSERT INTO @T3
SELECT CONVERT(varchar(10),LogDate,101) LogDate,IPAddress from @T2 T
WHERE NOT EXISTS(SELECT * FROM autobanned_ipaddesses ai WHERE ai.ipaddress=T.IPAddress)
GROUP BY CONVERT(varchar(10),LogDate,101),IPAddress
HAVING COUNT(LogDate)>@FailedLoginAttempts
ORDER BY IPAddress
END
BEGIN /* Validate that T3 has records, if not skip the firewall add */
IF (SELECT COUNT(*) FROM @T3)=0
BEGIN
GOTO ExitWithoutCycle
END
END
BEGIN /* Loop through T3 and add each entry to the windows firewall */
WHILE EXISTS(SELECT * FROM @T3)
BEGIN
SELECT TOP(1) @LogDate=LogDate, @IPAddress=IPAddress FROM @T3
SELECT @NumLoginAttempts=COUNT(*) FROM @T2 WHERE IPAddress=@IPAddress
INSERT INTO autobanned_ipaddesses (attacked_on,ipaddress,number_login_attempts) VALUES(@LogDate,@IPAddress,@NumLoginAttempts)
SET @CmdExc = 'netsh advfirewall firewall add rule name="Autobanned IP - SQL Attacked '+@IPAddress+'" dir=in action=block enable="yes" remoteip='+@IPAddress+' protocol=any interfacetype=any'
EXEC master..xp_cmdshell @CmdExc
DELETE @T3 WHERE IPAddress=@IPAddress
END
END
/* sp_cycle_errorlog archives the current error log. */
EXEC sp_cycle_errorlog
ExitWithoutCycle:
我知道这不是一个完美的解决方案,因为它只适用于IPv4 IP地址,只能查看通过端口1433进行的登录尝试,具体取决于您的配置.然而,它帮助我在一周左右的时间内识别并阻止了100多个IP地址(主要是中国和香港,但我确实阻止了国土安全部).
TANGENT - 一旦我运行了一个星期左右,我很快意识到IP地址的净范围中有相当多的模式.我发现这个工具最有助于确定这些命中的来源和来源.关于这个网站的好处是,一旦你获得IP地址的位置,在下面你可以再次输入IP地址并获得IP地址的净范围.例如(对不起中国),我发现59.53.67.13的净范围是59.0.0.0 - 59.255.255.255.话虽这么说,我创建了一个手动功能来阻止整个网络范围,并删除已包含此范围内的IP地址的任何Windows防火墙规则.
USE [YourDB]
DECLARE @CmdExc varchar(300)
DECLARE @NetRange varchar(50)='59.0.0.0 - 59.255.255.255'
DECLARE @NetRangeFrom varchar(20),@NetRangeTo varchar(20),@IPAddress varchar(20)
DECLARE @IPPart2From int,@IPPart2To int
DECLARE @IPPartSearch2From int,@IPPartSearch2To int
DECLARE @T Table (ipaddress varchar(20))
SET @NetRange=REPLACE(@NetRange,' ','')
SELECT @NetRangeFrom=LTRIM(RTRIM(SUBSTRING(@NetRange,1,CHARINDEX('-',@NetRange)-1)))
SELECT @NetRangeTO=LTRIM(RTRIM(SUBSTRING(@NetRange,CHARINDEX('-',@NetRange)+1,50)))
SELECT @IPPartSearch2From=CAST(PARSENAME(@NetRangeFrom,3) as int)
SELECT @IPPartSearch2To=CAST(PARSENAME(@NetRangeTo,3) as int)
INSERT INTO @T
select ai.ipaddress from autobanned_ipaddesses ai where LTRIM(ai.ipaddress) like SUBSTRING(@NetRangeFrom,1,CHARINDEX('.',@NetRangeFrom,1))+'%' AND PARSENAME(LTRIM(RTRIM(ai.ipaddress)),3) BETWEEN @IPPartSearch2From AND @IPPartSearch2To
SET @CmdExc = 'netsh advfirewall firewall add rule name="AB SQL Attacked '+@NetRange+'" dir=in action=block enable="yes" remoteip='+@NetRange
EXEC master..xp_cmdshell @CmdExc
WHILE EXISTS(SELECT * from @T)
BEGIN
SELECT TOP(1) @IPAddress=ipaddress from @T
SET @CmdExc = 'netsh advfirewall firewall delete rule name="Autobanned IP - SQL Attacked '+@IPAddress+'"'
EXEC master..xp_cmdshell @CmdExc
DELETE TOP(1) FROM @T
END
我期待着有关改进此功能的评论.
| 归档时间: |
|
| 查看次数: |
48724 次 |
| 最近记录: |