September 24, 2007 at 6:13 pm
Hello Folks
Our SQL servers are being hit with login attempts using the 'sa' user. Even though these boxes are behind firewalls, the SQL management ports are open. Has anyone experienced this? Any ideas on how to stop it?
Thanks
G
September 25, 2007 at 1:57 am
G
I would do 2 things. You obviously can't stop these attempts as long as you don't know where they originate from so:
First of all, rename the sa account, so that if this is some kind of hacking attempt at least it won't be successful.
Second, you can use some network sniffer tool like Ethereal to analyze which host the attempts are coming from.
Markus
Markus Bohse
September 25, 2007 at 10:17 am
Thanks for your reply. I have disabled the sa account so there is no chance for a breach. Also, I have identified the src IP for these attacks, but every time I block that IP through the firewall, they come up with a different src IP.
Any ideas?
G
September 25, 2007 at 10:32 am
As Markus suggested, it would be a good idea to rename the sa account. If possible, change the port from 1433 and make sure that SQL Server Browser is disabled. Then open the new port and block 1433 on the firewall. You could also create a login trigger to either capture information about the login attempts or to limit the new sa login to only specific internal host computers.
Good luck with this
David
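The login trigger suggested in the post above, as an added T-SQL example that is not part of the original thread: it limits the renamed sa login to an allow-list of hosts and writes each blocked attempt to the SQL Server error log. Logon triggers fire only after authentication succeeds, so this controls where the account can be used from and does not see failed password guesses. The login name `sql_admin_renamed`, the table name and the IP addresses are assumptions made for illustration.

```sql
-- Added example: login name, table name and addresses are constructed placeholders.
USE master;
GO

-- Allow-list of hosts permitted to use the renamed administrative login.
CREATE TABLE dbo.AdminLoginAllowedHosts (
    ClientHost nvarchar(48) NOT NULL PRIMARY KEY
);
GO

-- '<local machine>' is the ClientHost value reported for local connections.
INSERT INTO dbo.AdminLoginAllowedHosts (ClientHost) VALUES (N'<local machine>');
INSERT INTO dbo.AdminLoginAllowedHosts (ClientHost) VALUES (N'10.0.5.21'); -- constructed: DBA workstation
INSERT INTO dbo.AdminLoginAllowedHosts (ClientHost) VALUES (N'10.0.5.22'); -- constructed: management server
GO

CREATE TRIGGER trg_restrict_admin_login
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Only the renamed sa login is restricted; every other login passes through.
    IF ORIGINAL_LOGIN() = N'sql_admin_renamed'  -- hypothetical new name of sa
    BEGIN
        DECLARE @host nvarchar(48);
        SET @host = EVENTDATA().value(
            '(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(48)');

        IF NOT EXISTS (SELECT 1
                       FROM master.dbo.AdminLoginAllowedHosts
                       WHERE ClientHost = @host)
        BEGIN
            -- PRINT output from a logon trigger is diverted to the error log,
            -- so the record survives the ROLLBACK that refuses the session.
            PRINT N'Blocked login ' + ORIGINAL_LOGIN()
                + N' from host ' + ISNULL(@host, N'(unknown)');
            ROLLBACK;
        END
    END
END;
GO
```

Test a logon trigger on a non-production instance first; if it ever blocks legitimate administrators, it can be dropped by connecting over the dedicated administrator connection (`sqlcmd -A`).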
September 25, 2007 at 12:32 pm
Any threads on changing the port from default 1433? On the server side and also the client side?
Thanks
G
September 25, 2007 at 1:25 pm
I'm not aware of any threads... but I would venture to say there probably are some.
You can change the port in the TCP/IP properties using SQL Server Configuration Manager under the Protocols page. As for the client, make sure you add the port number to the connection string... in Management Studio you would put MySQLServer\MyInstance, port#
David
September 25, 2007 at 2:48 pm
That worked,
Thanks
September 25, 2007 at 10:56 pm
Ahh, the joys of firewall administration. As an alternative to opening 1433 to everyone, perhaps you should consider whitelisting only those hosts/subnets that should be accessing your SQL servers?
Joe