Coffeehouse Thread

NETSTAT question

  • Minh

    Hello, everyone. I'm experiencing another slow down on my network (loading ethereal now) & I did a NETSTAT & found these entries:

      TCP    server:ms-sql-s        222.122.46.177:5130    TIME_WAIT
      TCP    server:ms-sql-s        222.122.46.177:5164    TIME_WAIT
      TCP    server:ms-sql-s        222.122.46.177:5778    TIME_WAIT
      TCP    server:ms-sql-s        222.122.46.177:5878    TIME_WAIT
      TCP    server:ms-sql-s        222.122.46.177:5974    TIME_WAIT
      TCP    server:ms-sql-s        222.122.46.177:6263    TIME_WAIT

    There are more of these, actually. Are these normal? Is someone trying to hack my SQL Server?

  • Tom Malone

    Not sure, is that your IP address? Tried a reverse lookup on the IP, came back as someone in Korea.

  • Minh

    Tom Malone wrote:
    Not sure, is that your IP address? Tried a reverse lookup on the IP, came back as someone in Korea.

    That's definitely nowhere close to where I am (Midwest, US). Maybe it's time to change my sa password? I wonder if that means a connection has been made.

  • Maurits

    What's more of a concern is that your SQL server is listening on the internet.  I recommend firewalling off any ports that aren't used for internet services (usually just 80)

  • figuerres

    Minh wrote:
    Tom Malone wrote: Not sure, is that your IP address? Tried a reverse lookup on the IP, came back as someone in Korea.

    That's definitely nowhere close to where I am (Midwest, US). Maybe it's time to change my sa password? I wonder if that means a connection has been made.


    dude!  firewall that damn SQL server!!!!

    why leave it open in the first place??

    that's how SQL Slammer found a way to make such a mess: huge numbers of SQL servers were open to the internet to connect to.

  • Mike Dimmick

    For an explanation of the TIME_WAIT state, see this post. OK, that applies to IIS rather than SQL Server. So you're looking for a situation in which SQL Server, rather than the client application, initiated closing the connection (if it was the client, the client would have the TIME_WAIT state).

    Instances I can think of: login failure, perhaps some kind of idle connection timeout (though I'm not aware of one). Check the logs: in Enterprise Manager, see under Management, SQL Server Logs.

  • figuerres

    Minh wrote:
    Tom Malone wrote: Not sure, is that your IP address? Tried a reverse lookup on the IP, came back as someone in Korea.

    That's definitely nowhere close to where I am (Midwest, US). Maybe it's time to change my sa password? I wonder if that means a connection has been made.


    I think it's Time waiting to make a connection... need to look it up...

  • blowdart

    figuerres wrote:

    I think it's Time waiting to make a connection... need to look it up...


    TIME_WAIT is a socket that has been closed by the client side already, and the server is waiting for x amount of time (240 seconds by default on Windows) before closing it at the server end (the machine you are running netstat on)

    (One reason to tune the time_wait settings on a popular machine - you only have a limited number of connections). To change it:

    System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: TcpTimedWaitDelay
    Data Type: REG_DWORD (DWORD Value)
    Value Data: 30-300 seconds (decimal)


    (Oh and original poster, as everyone else says, firewall that SQL box)

  • Minh

    Maurits wrote:
    What's more of a concern is that your SQL server is listening on the internet.  I recommend firewalling off any ports that aren't used for internet services (usually just 80)
    I'm on it. Newbie web server admin here. Any good firewall app for Windows 2000 that you guys can recommend?

  • W3bbo

    Minh wrote:
    I'm on it. Newbie web server admin here. Any good firewall app for Windows 2000 that you guys can recommend?


    I'm listening too... but I'm after one for WS2003

  • blowdart

    W3bbo wrote:
    Minh wrote: I'm on it. Newbie web server admin here. Any good firewall app for Windows 2000 that you guys can recommend?


    I'm listening too... but I'm after one for WS2003


    Well for 2003 there's always the security configuration wizard, which will do nice things to the 2003 firewall.

    However, I'm loath to recommend any software firewall running on the same machine as you are trying to protect. Ideally dodgy packets should never reach into the network, and by relying on a software firewall it's already got there. A particular Texan ISP was brought down because they relied on BlackIce as a software firewall and got hit with a zero day exploit.

    Bite the bullet, spend some money and get one in hardware, or dedicate a machine to firewall duty.

    If you can't do that, Kerio perhaps.

  • Maurits

    blowdart wrote:
    I'm loath to recommend any software firewall running on the same machine as you are trying to protect.

    +1 on that.

  • blowdart

    Maurits wrote:

    +1 on that.


    Of course it helps the wife used to be in sales for a security firm, and so I got a netscreen for my home network at cost price.

    Hmmm. Overkill

  • ZippyV

    You can also disable the listening in the settings of sql server itself.

  • Maurits

    ZippyV wrote:
    You can also disable the listening in the settings of sql server itself.


    You can do
    netstat -an | find "LISTENING"
    to find all the listening ports

    If you go this route you should also unbind File and Printer Sharing for Microsoft Networks from the adapter

    You can use Foundstone's fport utility (among others) to track down the applications that are listening on each port and shut them down if you don't need them

    The benefit of a firewall is you could open ports to certain netranges (your client boxes) and block them to the internet
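
Added example, not part of any post in this thread: a small Python triage of saved `netstat -a` / `netstat -an` output that lists ports listening on all interfaces other than the ones meant to be public, and counts connections to the SQL Server port from non-private addresses. The sample input is constructed (its TIME_WAIT rows reuse the address from the first post), and the function names and the allowed-port list are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Service names netstat prints when run without -n (ms-sql-s is TCP 1433).
SERVICE_PORTS = {"ms-sql-s": 1433, "http": 80}

# Constructed sample; only 222.122.46.177 comes from the thread.
SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    server:ms-sql-s        222.122.46.177:5130    TIME_WAIT
  TCP    server:ms-sql-s        222.122.46.177:5164    TIME_WAIT
  TCP    192.168.1.10:1433      192.168.1.20:3012      ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'host:port' and turn a service name or digits into a port number."""
    host, _, port = endpoint.rpartition(":")
    return host, SERVICE_PORTS.get(port, int(port) if port.isdigit() else None)

def parse(text):
    """Yield ((local_host, local_port), (remote_host, remote_port), state)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP":
            yield split_endpoint(fields[1]), split_endpoint(fields[2]), fields[3]

def exposed_listeners(text, allowed=(80,)):
    """Ports listening on every interface that are not in the public allow-list."""
    return sorted(lp for (lh, lp), _, state in parse(text)
                  if state == "LISTENING" and lh == "0.0.0.0" and lp not in allowed)

def external_peers(text, port=1433):
    """Count connections in any state to `port` from non-private addresses."""
    hits = Counter()
    for (_, lp), (rh, _), state in parse(text):
        if lp != port or state == "LISTENING":
            continue
        try:
            addr = ipaddress.ip_address(rh)
        except ValueError:
            continue  # name was resolved; rerun netstat with -n for raw addresses
        if not (addr.is_private or addr.is_loopback):
            hits[rh] += 1
    return dict(hits)

if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE))
    print("external peers on 1433:", external_peers(SAMPLE))
```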

  • Minh

    Well, it turns out Windows 2000 comes w/ a network traffic filter, but very primitive. You pretty much have to set everything up yourself. I followed these instructions and at least blocked my SQL Server port. Note, the guy's sample filter list allows outgoing but NOT incoming port 80 traffic, so if you've got a web server, you've got to open an extra hole. Thanks, everyone, for the advice.

  • ScanIAm

    Is the server hooked directly into the network?  If so, and if you are doing this at home, you can put a router between you and the server and it will effectively disappear.  If you want to allow web traffic, you then port-forward port 80 only to your web machine.

  • Minh

    ScanIAm wrote:

    Is the server hooked directly into the network?  If so, and if you are doing this at home, you can put a router between you and the server and it will effectively disappear.  If you want to allow web traffic, you then port-forward port 80 only to your web machine.

    Yes, it's a home computer & I have a Belkin router (or switcher, I don't know), and it has a web-based interface. Looks like it has a firewall, too. I don't remember why I put the web server outside of this router. Maybe it's worth a look at again.
