IIS + programming security: website's backend system security hold - log-in page SQL Injection

We have a security problem here and we really need your help and inputs. We have a website with a backend system where admins can login and update the frontend. Our good friends tried to hack into the backend using SQL injection onto our login page and they succeeded and could create a users with admin acc开发者_开发技巧ess. The website is written in ASP.NET in C#.

We are thinking to remove the login page from public IP or add 2 layers protection ( IIS ip restriction and IP access list by program).

How can we do this in IIS and in the program? Please help since I am new to all these security things.

We distribute this website on a web garden consists of 3 servers so they share local/private ips of xx.xxx.x.x

How do I implement this in my code to grand access to just a list of IPs or a group of IPs?

Thanks so much in advance,

Simplecode

Just to go a little further down this rabbit hole.

First, sanitize your inputs and use parameterized queries. Just fix your code. This is the most important thing you should be working on right now.

Second, moving the login page doesn't fix the problem. If there are other pages within your site that are accessible, then I'm sure you have other sql injection issues. See #1 above.

Third, I bet you are exposed to all manner of other things like XSS. Take a little bit and learn what they are. Then spend some time retraining yourself to code in a defensive way. A hint: validate EVERYTHING. If you expect a number, only accept a number. If you expect a short string, don't allow javascript to be embedded in it.

One mantra to keep in mind is to only trust the browser, the users, and even the system admins as far as you absolutely have to. Which is to say build your site in such a way that you don't have to trust them at all.

Most companies have no idea what threats they are faced with. A hint: external threats or only part of it. Internal threats are usually far worse. I say this simply because you are asking a question which attempts to paste over exactly one part of the problem and ignores everything else.

I recently spoke with a company that claimed they had security down pat. Prior to the meeting I went to their website and noticed that they had a document id in all of their URLs. The id was a simple int. In a few minutes of spare time I wrote an app that started at doc id 1 and iterated until the server stopped giving data. There was a fair number of documents I should never have been able to see. Being a good samaritan, I told them about this.

The point of that tale is that sql injection, xss, etc isn't everything. Security through obscurity is another fail entirely.