August 12, 2008 at 8:11 am
My event viewer shows many attempts to login to user account sa.
(Login failed for user 'sa'. IP etc)
Environment: Windows 2003 Server, SQL Server 2005, internet facing.
This is puzzling, since I have the SQL Server instance configured for NO remote access. Port 1433 shows as closed in a port scan.
Yet, using various IPs, some program appears to be trying to hack into account 'sa'. I have a strong password, so, so far, so good.
This is the only machine on the n/w, placed at an ISP. I have full admin control.
I tried blocking the IP at the firewall, but it tries using different IPs.
How is it possible that SQL Server is even letting it TRY to login, since I have remote logins disabled? Where could this program be coming in?
This is new, and so is the latest service pack.
Thanks, Phil
August 12, 2008 at 10:26 pm
When you say event viewer, are you seeing these in the SQL Server log or in your Windows Security event log?
K. Brian Kelley
@kbriankelley
August 13, 2008 at 12:26 am
Have you considered disabling the sa login?
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
August 13, 2008 at 6:20 am
I'm seeing these messages in the Windows Application Log. Curiously, not in the Windows Security Log.
I'd look in the SQL Server log, if you can tell me where it is!? Thx
August 13, 2008 at 6:22 am
I read that disabling the sa login was a good idea, but was unsure as to how to proceed. I need to create a login with the same privileges and a more obfuscated name, and to disable the sa login. When I looked at the sa login, the option to deactivate it was grayed out. Ideas? Phil
August 13, 2008 at 6:35 am
In object explorer, right click the login, select properties, go to status, select disabled, click OK.
Depending on where the server is and how you're accessing it, I do prefer Windows authentication for sysadmin access. It is a little more secure, since you're delegating the authentication check to a domain controller.
Gail Shaw
August 13, 2008 at 6:51 am
OK, will do that. I access the server remotely through Remote Desktop, so I as an admin authenticate through Windows. Sounds like a good idea to disable sa completely.
So somehow I need to create sysadmin privileges for my logged-in user.
Also, can you comment on how someone/something can be attempting to login, with SQL Server responding only that the login failed, when remote logins are NOT enabled, and there is only the one machine in the domain? Is there some way in through port 80 (this is a web server/SQL Server combined).
Thx
August 13, 2008 at 7:05 am
PhilM99 (8/13/2008)
OK, will do that. I access the server remotely through Remote Desktop, so I as an admin authenticate through Windows. Sounds like a good idea to disable sa completely. So somehow I need to create sysadmin privileges for my logged-in user.
Add the sysadmin server role to your login.
Also, can you comment on how someone/something can be attempting to login, with SQL Server responding only that the login failed, when remote logins are NOT enabled, and there is only the one machine in the domain? Is there some way in through port 80 (this is a web server/SQL Server combined).
Will leave that to Brian, as he knows more about that than I do.
Gail Shaw
August 13, 2008 at 11:01 am
If you're seeing it in the Application event log (and you'll see it in the SQL Server error log), that means it is indeed a SQL Server-based login attempt. That's what I was trying to clarify.
When you check the network protocol configuration, is everything disabled except for Shared Memory?
K. Brian Kelley
@kbriankelley
August 13, 2008 at 1:11 pm
No, TCP/IP is also enabled. I guess the implication is that if I am not allowing remote logins (port 1433) then I do not need TCP/IP. Correct? (The only access to the SQL Server is from ASP.Net which uses connectstrings and windows authenticated login.)
August 14, 2008 at 1:36 am
That is correct. If the web server is on the same server as SQL Server then the only protocol that needs to be enabled is Shared Memory. If you have TCP/IP enabled, SQL Server is listening on its specified port and is therefore open for remote users to attempt to connect.
Speaking of which, when you say you've disabled remote logins, what all did you do to do so?
K. Brian Kelley
@kbriankelley
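The steps discussed in this thread (give the Windows login sysadmin, disable sa, read the failed logins from the SQL Server error log, and check which transport connections arrive on), written out as an added T-SQL example that is not from any of the posters. It assumes SQL Server 2005 and a hypothetical Windows login WEBSRV01\PhilAdmin; sp_readerrorlog is an undocumented procedure.

```sql
-- Added example (not from the thread). Target: SQL Server 2005.
-- Assumption: WEBSRV01\PhilAdmin is a hypothetical Windows account; substitute
-- the account used over Remote Desktop. Run while connected as a sysadmin.

-- 1. Create the Windows login if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'WEBSRV01\PhilAdmin')
    CREATE LOGIN [WEBSRV01\PhilAdmin] FROM WINDOWS;

-- 2. Add it to the sysadmin fixed server role (SQL Server 2005 syntax).
EXEC sp_addsrvrolemember @loginame = N'WEBSRV01\PhilAdmin',
                         @rolename = N'sysadmin';

-- 3. Disable sa only once the replacement login is confirmed as sysadmin,
--    so the instance is never left without an administrator.
IF IS_SRVROLEMEMBER('sysadmin', N'WEBSRV01\PhilAdmin') = 1
    ALTER LOGIN [sa] DISABLE;
ELSE
    RAISERROR('Windows login is not sysadmin; sa left enabled.', 16, 1);

-- 4. Confirm the resulting state of both logins.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name IN (N'sa', N'WEBSRV01\PhilAdmin');

-- 5. Check the authentication mode: 1 = Windows only, 0 = mixed mode.
--    SQL logins such as sa can only be tried in mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 6. List failed logins from the current SQL Server error log.
--    Arguments: log number (0 = current), log type (1 = SQL Server error log),
--    search string.
EXEC sp_readerrorlog 0, 1, 'Login failed';

-- 7. Show the transport each current connection arrived on. With only
--    Shared Memory enabled, no row should report net_transport = 'TCP'.
SELECT session_id, net_transport, auth_scheme, client_net_address
FROM sys.dm_exec_connections;
```

Disabling TCP/IP itself is done in SQL Server Configuration Manager rather than in T-SQL, and takes effect after the SQL Server service is restarted.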