How can I prevent attacks on my SQL Server installation?

Unless you have good reason, don't put your SQL server on the edge of your network.

I see that you think you need SQL on the internet because developers need access. That isn't a good reason to make SQL available to the internet. You have a number of options for allowing your developers to access the server without making SQL server accessible. They could SSH to the server and run SQL commands via command line. They could use a VPN to connect to the server, and run any app. You could even lock down at the firewall to only allow access from your developers. Many options that are more secure are available to you.

Just for the record, my favourite would be SSH access using keys for authentication. That allows you more security options, and your developers can use SSH to tunnel to the server if necessary, with command-line access when it isn't. You can secure the server against the developers using chroot, jail, or just plain old permissions.


The answer is don't expose your SQL server to the Internet directly.

The other answer along these lines, which I upvoted, said "Unless you have to", but I disagree with that part of that answer: if you think that you do have to put the SQL server on the web directly, then re-design your app until you no longer have to do so. As an absolute bare minimum, if say you only have one server and it runs everything, then firewall off the box concerned and don't expose the SQL server ports (or anything else you don't absolutely need) to the outside world.

This isn't just a SQL server thing, or a Microsoft thing, or a web application thing, it's basic security common sense; one of the first things you do to secure a system is minimise the "attack surface" that hackers can 'see'.


You should not have something like SQL Server directly accessible to the public network. If external users need access, then still block the SQL server from the public network but give the developers access via some sort of VPN setup (for instance an OpenVPN setup or tunnelling in via SSH). That way you won't get brute-force connection attempts from malicious people/code, and you get the added advantage that all communication between them and your server is encrypted (and, with the right SSH or VPN options, compressed, which could make a significant difference).
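Worked example of the arrangement the first and third answers describe (SQL port reachable only on loopback, developers coming in over an SSH tunnel tied to a forward-only key), added here as an editor's illustration and not code posted by any answerer. It assumes a Linux host running OpenSSH 7.2 or later (needed for the `restrict` keyword) with iptables; the hostname `db01.example.internal`, the account `devtunnel`, the key path `~/.ssh/sql_tunnel` and the developer network `203.0.113.0/24` are placeholders. `SQL_HOST` is loopback when SQL Server runs on the same box (SQL Server on Linux), or the SQL machine's private address when the SSH host is a bastion sitting in front of a Windows SQL Server.

```shell
#!/bin/sh
# Added example, not code from any of the answers above. SQL Server's TCP port is
# reachable only on loopback, and developers reach it through an SSH tunnel bound
# to a key that can do nothing but forward to that one port. Assumptions: Linux
# host with OpenSSH 7.2+ and iptables; all names below are hypothetical.

SQL_HOST="127.0.0.1"              # where sshd can reach SQL Server (assumption)
SQL_PORT=1433                     # default SQL Server TCP port (assumption: default instance)
SSH_HOST="db01.example.internal"  # hypothetical hostname developers SSH to
TUNNEL_USER="devtunnel"           # hypothetical unprivileged account used only for tunnelling

# Server side: one authorized_keys line per developer key. "restrict" turns off
# pty, agent forwarding, X11 and user-rc; "port-forwarding" re-enables only
# forwarding, and "permitopen" limits it to the SQL Server port.
authorized_key_line() {
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$SQL_HOST" "$SQL_PORT" "$1"
}

# Server side: host firewall rules. SQL Server is accepted from loopback only;
# everything else to that port is dropped. SSH is allowed only from the
# developers' network (203.0.113.0/24 is a documentation range, a placeholder).
# Emitted as text so the rules can be reviewed and ordered before applying.
firewall_rules() {
  cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $SQL_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $SQL_PORT -j DROP
iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Client side: the developer's tunnel command. -N opens no shell (the restricted
# key would refuse one anyway); -L binds a local port that sshd forwards to
# SQL_HOST:SQL_PORT. A SQL client then connects to tcp:127.0.0.1,<local port>.
tunnel_command() {
  local_port="$1"
  printf 'ssh -N -i ~/.ssh/sql_tunnel -L %s:%s:%s %s@%s\n' \
    "$local_port" "$SQL_HOST" "$SQL_PORT" "$TUNNEL_USER" "$SSH_HOST"
}

# Check: read "ss -lnt" / "netstat -lnt" style lines on stdin and print any
# socket listening on SQL_PORT that is bound to something other than loopback.
# Empty output means the SQL port is not reachable from any network interface.
exposed_sql_listeners() {
  awk -v port="$SQL_PORT" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ (":" port "$")) {
          addr = $i
          sub(/:[0-9]+$/, "", addr)
          if (addr != "127.0.0.1" && addr != "[::1]") print $i
        }
      }
    }'
}

# Run with "show" to print every piece; the socket lines below are constructed.
if [ "${1-}" = "show" ]; then
  echo "# authorized_keys entry:"
  authorized_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample dev@laptop"
  echo "# firewall rules:"
  firewall_rules
  echo "# developer runs:"
  tunnel_command 14330
  echo "# exposure check on constructed socket lines (only the first is a problem):"
  printf 'LISTEN 0 128 0.0.0.0:1433 0.0.0.0:*\nLISTEN 0 128 127.0.0.1:1433 0.0.0.0:*\n' \
    | exposed_sql_listeners
fi
```

With the tunnel up, the developer points a normal client at the local end (for example `sqlcmd -S tcp:127.0.0.1,14330 -U ...`); nothing on the Internet can reach port 1433 directly, and password guessing against SQL Server is only possible after authenticating to sshd with a key. The firewall lines should go ahead of any broader ACCEPT rule already in the chain, and `ss -lnt | exposed_sql_listeners` on the server is the quick check that SQL Server is really bound to loopback rather than 0.0.0.0.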


It is most essential to not allow public access to the server. Keep it behind a firewall or NAT. I'm sure someone else could give you a more extensive answer, but I figured it was worth mentioning.