sa account attack

  • Hi to all,

    I found that somebody is trying to log in to my SQL Server under the 'sa' account. This account has a strong password, so a brute-force attack is almost impossible, but is there a way to, e.g., limit the number of connections or something like that?

    I found about 500,000 attempts during the last 3 days.

    Please advise.

    Thanks

  • Maybe you could close your SQL Server's TCP/IP port on your firewall if you don't need external connections, just to delimit your perimeter for investigation.

    (Default instances of SQL Server use TCP port 1433 by default)

    Check out "Connections to SQL Server Over the Internet" in books online.

    Johan

    Learn to play, play to learn !

    Dont drive faster than your guardian angel can fly ...
    but keeping both feet on the ground wont get you anywhere :w00t:

    - How to post Performance Problems
    - How to post data/code to get the best help

    - How to prevent a sore throat after hours of presenting ppt

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

  • This is a problem. I need these connections because of our external applications.

    Maybe I can disable 'sa' account and administer server under another account, but I'm not sure if it's so easy.

    Thanks

  • It's always a good practice to create another admin account with the same 'SA' permissions and use that instead of SA. As far as the attacks to hack in... it's not impossible, but it's always possible to avoid. Get in touch with your network admin to see what can be done, or try to see if it's someone from your own team. Many a time, own team members try to see if they can log in with admin rights. Good luck.

  • You can create your own mysa-account or use your windows-login with granted sqlserver-sysadmin-privileges!

    I didn't disable 'sa' with sql2005 up until now, you'd have to test the effect of it, but it should be possible to disable it and do your sysadmin-stuff using your alternate path.

    We change sa-passwords every month because we know sa is not used and we want to keep it that way. We administer using a windows dba group.

    Disabling the sa-account will prevent entering using sa, but it will not prevent the overhead of the attack!

     

    Johan


  • First try to find out whether it is internal or external attacks.

    Check the security log for any useful information... and also, as mentioned above, work with a network engineer to find what exactly is going on...

     

    MohammedU
    Microsoft SQL Server MVP

  • These attacks are external. Every day from another IP address, so I'm not able to track it (or it doesn't make sense).

  • You can follow alzdba's advice to change the password...

    You can create a job to change the SA password every 5/30/60 minutes... you need to write code for randomly generating the sa password... If you need to do some work using the sa account, disable the job and change the sa password to whatever you need... once your job is done, just enable the job.

    Work with the network guy, or you can call security consulting companies or MS to get some good help.

    MohammedU
    Microsoft SQL Server MVP
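
The steps suggested across the replies above (administer through an alternate sysadmin login, give sa a random password, disable sa), written out as a T-SQL script. This is an added example, not code posted by any participant in the thread. It assumes SQL Server 2005 or later, an sa login that has not been renamed, and a hypothetical Windows group `CONTOSO\SqlDbaGroup`.

```sql
-- Added example. Run while connected as a sysadmin other than sa.
-- [CONTOSO\SqlDbaGroup] is a hypothetical Windows DBA group; use your own.

-- 1. Give the DBA group its own sysadmin path, so sa is no longer needed.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SqlDbaGroup')
    CREATE LOGIN [CONTOSO\SqlDbaGroup] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SqlDbaGroup',
                         @rolename = N'sysadmin';
GO

-- 2. Stop if this session is sa itself (sid 0x01) or is not a sysadmin,
--    so the server is never left without a working admin login.
IF SUSER_SID() = 0x01 OR IS_SRVROLEMEMBER('sysadmin') <> 1
BEGIN
    RAISERROR('Connect with the alternate sysadmin login first.', 16, 1);
    RETURN;
END;

-- 3. Set sa to a random password that nobody knows.
--    Two GUIDs (one lower-cased) give upper case, lower case, digits and
--    '-' so the value passes the Windows complexity policy. NEWID() is
--    used because it exists on SQL Server 2005; it is a convenience here,
--    not a vetted password generator.
DECLARE @pwd nvarchar(128), @sql nvarchar(400);
SET @pwd = CONVERT(nvarchar(36), NEWID())
         + LOWER(CONVERT(nvarchar(36), NEWID()));
-- ALTER LOGIN needs a literal password, hence the dynamic statement.
SET @sql = N'ALTER LOGIN [sa] WITH PASSWORD = '
         + QUOTENAME(@pwd, '''') + N';';
EXEC (@sql);

-- 4. Disable sa. Login attempts against it now fail even with the right
--    password, but each attempt still reaches the server and is logged.
ALTER LOGIN [sa] DISABLE;

-- 5. Confirm the result: is_disabled should be 1 for the sa row.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
```

Step 3 on its own is the body such a scheduled password-rotation job would run; to use sa again, re-enable it with `ALTER LOGIN [sa] ENABLE` and set a known password from the alternate sysadmin login.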
