July 11, 2008 at 7:59 am
Hi,
thanx for usefull information guys, the reason why i cannot disable the sa account because helm the web hosting control panel uses this account to create databases and the reason i can't restrict it to local host is that helm requires it that way and the server is placed in a datacenter very far from me and i don't have physical access to the server, the ips that are trying loggin are all public ips, the password is strong but it is worrisome when somebody is continuesly trying to get in with different password combination, i think sql server should employ capcha/image verification to avoid such automated attacks or should have a option to put temporary ban on ips after certain failure attempts, is there a place where we can suggest microsoft to put this in the next security update.
Thanx
July 11, 2008 at 10:09 pm
Hi
can you guys tell me what will be the straight forward way to change the password for sa account through sql server management studio,
and somebody mentioned that login _triggers can be used to ban an ip address if login fails for more than n number of times, how can we do that.
is there a way to permanently ban an ip address from connecting to sql server.
please recommend
July 12, 2008 at 3:40 am
this link covers logon triggers
http://technet.microsoft.com/en-us/library/bb326598.aspx
you could have the trigger check the client_host event data using the eventdata function for a known set of addresses and deny logon that way!
of course these only fire if authentication was successful. If authentication fails then triggers wont fire. The IP's should really be blocked at the perimeter.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
July 14, 2008 at 12:05 am
ltoso (7/11/2008)
Hican you guys tell me what will be the straight forward way to change the password for sa account through sql server management studio,
I already did.
You can rename the sa account the same way you rename any other account. Easiest way is from management studio express, expand out the logins folder, right click the SA account and select rename.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
July 14, 2008 at 12:11 am
ltoso (7/11/2008)
Hi,thanx for usefull information guys, the reason why i cannot disable the sa account because helm the web hosting control panel uses this account to create databases
That's a very, very bad security practice. You don;t need full sa rights to create a database. Can you work out what rights Helm actually needs and create an account with just that?
the ips that are trying loggin are all public ips, the password is strong but it is worrisome when somebody is continuesly trying to get in with different password combination,
Is there a firewall on that server? Can you set the firewall up to only allow certain ips (or ip ranges) to connect on the SQL server port?
There should be a firewall. A web-facng server without a firewall is just asking for various forms of trouble.
i think sql server should employ capcha/image verification to avoid such automated attacks or should have a option to put temporary ban on ips after certain failure attempts, is there a place where we can suggest microsoft to put this in the next security update.
Thanx
You can suggest new features on http://connect.microsoft.com, but I don't think the suggstion of a captcha for a database engine will gain much support. Many, many environments have automated processes using the databases, not just real users.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
July 14, 2008 at 9:53 am
GilaMonster (7/14/2008)
ltoso (7/11/2008)
There should be a firewall. A web-facng server without a firewall is just asking for various forms of trouble.
that's the thing that worried me, how can public ip's get to this machine in the first place
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
July 14, 2008 at 11:00 pm
Hi,
thanx for the prompt help guys, basically if we don't allow remote connections from internet then sql server management studio can't connect to it from the internet, so we have to allow connections from the internet, so the best and fast solution for the problem was to rename sa account,
thanx
July 16, 2008 at 4:31 am
Er...ever heard of vpn?
you should have your SQL server remote admin done via vpn that way only you can admin the Server.
Who set your system up? Needs a kicking! 😀
Hiding under a desk from SSIS Implemenation Work :crazy:
Viewing 8 posts - 16 through 22 (of 22 total)
You must be logged in to reply to this topic. Login to reply