Penetration attacks

  • I have a production database that is accessed by applications using logins through ODBC and the application login. Users do not sign in with their ids but are authenticated in the database by this logon id. We are running mixed mode authentication (I know!). I have logging turned on to detect logon failures. I have been tracking several probing attempts. My problem is that I can't set a profiler trace because the rest of the company uses these ids and it builds a huge output file. I want to attempt to get the desktop where these probes are coming from, or any other information I can use to track them down.

  • Unfortunately, there's not much you can do to find the login attempts other than profiler. If you narrow down the scope of profiler to just capture failed logins then it shouldn't create a large log and cause too much overhead (especially if you are running SQL 2000).

    Another way to try and handle this would be to xp_sendmail the results of a "NETSTAT -n" command when a failed login attempt occurs. The -n will cause NETSTAT to not perform reverse lookup on IPs (much faster). Then what you get is a list of IP connections to your database server at the time of the failed login attempt. If your server is very active or if the failed login attempt is coming from a server that always has an existing connection then this doesn't provide much help. That's why profiler is much more efficient.

    Microsoft really needs to provide the source IP in the error message.

    Oh yeah, the third way you could handle this would be a custom rule in an IDS (Intrusion Detection System).

    DanW

    Edited by - danw on 06/25/2002 1:52:55 PM
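
The NETSTAT approach from the reply above becomes more useful when several captures are compared, so here is an added example (not code from the thread or its posters) that counts which client IPs keep showing up at failed-login times. It assumes SQL Server listens on its default port 1433, that each `NETSTAT -n` capture was saved as text, and that a few baseline captures exist from moments with no failure; the function names and sample addresses are made up for illustration.

```python
from collections import Counter

SQL_PORT = "1433"  # assumption: SQL Server's default TCP port; the thread names none

def sql_clients(netstat_text, port=SQL_PORT):
    """Remote IPs holding a TCP connection to the local SQL port in one
    Windows `netstat -n` capture."""
    clients = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have exactly 4 fields: proto, local, foreign, state.
        if len(f) != 4 or f[0] != "TCP" or f[3] == "LISTENING":
            continue
        if f[1].rpartition(":")[2] == port:
            clients.add(f[2].rpartition(":")[0])
    return clients

def rank_suspects(failure_caps, baseline_caps):
    """Count how many failed-login captures each client IP appears in.
    Hosts present in every baseline capture are always connected, so their
    presence proves nothing; they are returned separately, not ranked."""
    baseline_sets = [sql_clients(c) for c in baseline_caps]
    always_on = set.intersection(*baseline_sets) if baseline_sets else set()
    hits = Counter()
    for cap in failure_caps:
        hits.update(sql_clients(cap) - always_on)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, sorted(always_on)

# Constructed sample captures (not real data). The server is 10.0.0.5.
HEADER = "Active Connections\n\n  Proto  Local Address    Foreign Address    State\n"
def capture(*remotes):
    rows = ["  TCP    0.0.0.0:1433     0.0.0.0:0          LISTENING",
            "  TCP    10.0.0.5:3389    10.0.9.9:4021      ESTABLISHED"]
    rows += [f"  TCP    10.0.0.5:1433    {ip}:{2000 + i}    {state}"
             for i, (ip, state) in enumerate(remotes)]
    return HEADER + "\n".join(rows) + "\n"

E, T = "ESTABLISHED", "TIME_WAIT"
FAILURES = [capture(("10.0.1.10", E), ("10.0.2.55", E), ("10.0.2.77", T)),
            capture(("10.0.1.10", E), ("10.0.2.77", T), ("10.0.2.31", E)),
            capture(("10.0.1.10", E), ("10.0.2.77", E))]
BASELINES = [capture(("10.0.1.10", E), ("10.0.2.55", E)),
             capture(("10.0.1.10", E))]

if __name__ == "__main__":
    ranked, always_on = rank_suspects(FAILURES, BASELINES)
    for ip, n in ranked:
        print(f"{ip}: present at {n} of {len(FAILURES)} failed logins")
    print("always connected, needs another method:", ", ".join(always_on))
```

Hosts reported as always connected are the case the reply warns about: a capture cannot tell their normal traffic from a probe, so a failed-login-only profiler trace is still needed for them.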

  • Dan has good suggestions. Another option is to enhance your app to lock the account after 3 tries. Can be painful, but most password systems (outside of SQL) do this anyway.

    Steve Jones

    steve@dkranch.net
