Safely exposing SQL Server 2000 to the Internet

Time: 2022-02-19 18:12:51

I've got a SQL Server 2000 box that I'd like to put on "the Internet" so that developers could connect remotely without VPN access.

What's the safest way to do so? It might be temporary, e.g. every once in a while, but it's definitely necessary.

Thanks,

Rob

5 solutions

#1


Short answer - don't do this.

Long answer:

Install good firewall on the box.

Install and run ssh server on it.

Open only the ssh port.

Your devs can use PuTTY or any other ssh client to "tunnel" the sql port over the ssh connection.

#2


The SAFE thing to do is put it behind a VPN.

Seriously, why would you even consider such a risk?

#3


Read DannySmurf's answer. If security threat is not your highest concern, then try LogMeIn at least.

#4


First option, I agree, "don't".

Second option, create a web front end on the exposed box and leave sql non-exposed.

Third option, if you must expose the sql box then mandate asymmetric key encryption with all clients, deny all other connections, log clients and review connectivity logs with alerts for clients not matching allowed connection specs (stored in an encrypted table on an internally non-exposed server). Be prepared for some enlightening hacker techniques sure to surprise.

-Alek

#5


I accidentally left an SQL Server (port 1433) open on the net for a while, and once I realized it, I was getting something like 100,000 hits per hour with some sort of automated programs (coming from an army of IPs I believe), trying to break into the server.

Luckily I used very long and complicated passwords...and don't believe I was ever compromised.
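A defender-side illustration of the log review proposed in #4 and the automated login-guessing volume described in #5, added here as an example that is not part of any answer on this page: it parses a constructed connection log (the line format, the allowlisted networks and the login names are all assumptions, not SQL Server 2000 output) and raises alerts for clients outside the allowed connection specs and for sources with repeated failed logins.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real SQL Server output).
# Assumed format: "<date> <time> <client-ip> <login> <ok|failed>"
SAMPLE_LOG = """\
2022-02-19 18:00:01 203.0.113.7 devuser ok
2022-02-19 18:00:02 203.0.113.7 devuser ok
2022-02-19 18:00:03 198.51.100.23 sa failed
2022-02-19 18:00:03 198.51.100.23 sa failed
2022-02-19 18:00:04 198.51.100.24 sa failed
2022-02-19 18:00:05 192.0.2.9 devuser ok
"""

# Allowed connection specs: (source network, logins permitted from it).
# Hypothetical values; in practice these come from the encrypted table
# on the non-exposed server that answer #4 describes.
ALLOWED = [
    (ipaddress.ip_network("203.0.113.0/24"), {"devuser"}),
    (ipaddress.ip_network("192.0.2.9/32"), {"devuser"}),
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (ok|failed)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, login, result = m.groups()
    return {"ts": ts, "ip": ipaddress.ip_address(ip), "login": login, "result": result}


def is_allowed(ip, login):
    """True when the client address and login both match one allowed spec."""
    return any(ip in net and login in logins for net, logins in ALLOWED)


def review(log_text, failed_threshold=2):
    """Return alert strings: off-allowlist clients plus sources with repeated failed logins."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not is_allowed(ev["ip"], ev["login"]):
            alerts.append(f"{ev['ts']} unexpected client {ev['ip']} login={ev['login']} {ev['result']}")
        if ev["result"] == "failed":
            failures[str(ev["ip"])] += 1
    for ip, n in failures.items():
        if n >= failed_threshold:
            alerts.append(f"{ip} had {n} failed logins (possible automated guessing)")
    return alerts
```

Point `review()` at a real connection log once the line format and allowlist are adapted to your own environment.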