Security Question

  • Hi All,

    In my SQL Server Logs, I'm getting periods of time where this messages appears:

    Login failed for user 'sa'

multiple times within minutes. Sometimes a different user name is used:

    Login failed for user 'server'

    Login failed for user 'sql'

    Login failed for user 'database'

    Login failed for user 'admin'

    Login failed for user 'root'

    Login failed for user 'user'

    Is this someone trying to hack into my server?!?

    Thanks,

    Larry

  • Not sure about hacking, but it doesn't look normal

    Frank

    http://www.insidesql.de

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • I'd say that is a fair bet. Put profiler on it, see where it's coming from. Probably a good idea to also change the SA password and make sure that no one else has been added to the sysadmin role. Big thing is to figure out if internal or external.

    Andy

    http://www.sqlservercentral.com/columnists/awarren/

  • You may also want to set up SQL Server Agent alerts to fire when an invalid login is attempted. Might give you enough time to fire up a packet capture and record some more info.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • If you change your sa password, I'd make sure that it is a very secure password. Make it long and include both numbers and special chars (!@#$%&*...)

    Steve Phelps

    SQL Server DBA

    American Fidelity Group

  • Thought I'd post this here for all who don't already know

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/dbsql/default.asp

    Frank

    http://www.insidesql.de

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • And try to make the "password" a phrase. That eliminates a dictionary attack and the length tends to make a brute force attack less feasible. For instance:

    ManchesterUnitedIs#1!

    It has the mixed case, the special characters, and the number. But it's fairly easy to remember (if you know the reference). It also happens to be 21 characters.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • In your case I would say someone is trying to hack into your server. They are using a tool to run through logins and passwords quickly, most likely a Brute Force attack.

    There is another cause for multiple failed logins within seconds: someone trying to map to your server (right click on My Computer, select Map Network Drive...). But this would show the same login and password being used for all tries, which is NOT happening in this case. Therefore, it's a Brute Force Attack against your server.

    The logins being used also indicate a targeted Brute Force Attack....

    SA - known as THE sysadmin account for SQL Server, also known to have a default as a blank password

    server, sql, and database - just some easy to remember logins

    admin - obvious one here, most if not all computers/servers have at least one administrator account and sometimes it's called admin.

    root - this is the UNIX version of the admin account.

    Find out where this attack is coming from and notify your security immediately. Get them involved now if you haven't already.

    -SQLBill
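As an added example (not code from the original thread or from any of its posters), here is a small Python detector that reads SQL Server error-log lines like the ones Larry quoted and applies SQLBill's distinction: a run of failures that all name the same login looks like a client retrying one credential, while a run that walks through sa, server, sql, database, admin, root and user looks like a tool guessing account names. The log lines below are constructed for the example, and the timestamp and source-column layout in front of the "Login failed for user" message is an assumption about the error log's format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of SQL Server error-log lines (not from the original
# thread): the first burst tries one common account name after another,
# the second keeps retrying a single login, the last is a lone failure.
SAMPLE_ERRORLOG = """\
2003-10-28 14:10:02.12 logon     Login failed for user 'sa'.
2003-10-28 14:10:02.48 logon     Login failed for user 'sa'.
2003-10-28 14:10:03.01 logon     Login failed for user 'server'.
2003-10-28 14:10:03.55 logon     Login failed for user 'sql'.
2003-10-28 14:10:04.10 logon     Login failed for user 'database'.
2003-10-28 14:10:04.62 logon     Login failed for user 'admin'.
2003-10-28 14:10:05.20 logon     Login failed for user 'root'.
2003-10-28 14:10:05.77 logon     Login failed for user 'user'.
2003-10-28 14:30:00.00 spid5     Recovery complete.
2003-10-28 16:00:00.00 logon     Login failed for user 'bob'.
2003-10-28 16:00:01.00 logon     Login failed for user 'bob'.
2003-10-28 16:00:02.00 logon     Login failed for user 'bob'.
2003-10-28 16:00:03.00 logon     Login failed for user 'bob'.
2003-10-28 16:00:04.00 logon     Login failed for user 'bob'.
2003-10-28 16:00:05.00 logon     Login failed for user 'bob'.
2003-10-28 17:00:00.00 logon     Login failed for user 'bob'.
"""

# The "Login failed for user '...'" text is the message quoted in the thread;
# the leading timestamp and source column are an assumed error-log layout.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'"
)


def parse_failures(lines):
    """Return [(timestamp, login_name)] for every failed-login line, in order."""
    failures = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("user")))
    return failures


def find_bursts(lines, gap=timedelta(minutes=1), threshold=5):
    """Group failures that arrive within `gap` of the previous one and report
    every group of at least `threshold` failures.

    kind == "single-account": every failure names the same login, the pattern
        SQLBill attributes to a client (e.g. a drive mapping) retrying one
        credential.
    kind == "multi-account": several different logins are tried in quick
        succession, the pattern of a tool walking a list of account names.
    """
    clusters, current = [], []
    for ts, user in parse_failures(lines):
        if current and ts - current[-1][0] > gap:
            clusters.append(current)
            current = []
        current.append((ts, user))
    if current:
        clusters.append(current)

    findings = []
    for cluster in clusters:
        if len(cluster) < threshold:
            continue
        users = sorted({u for _, u in cluster})
        findings.append({
            "start": cluster[0][0],
            "end": cluster[-1][0],
            "count": len(cluster),
            "users": users,
            "kind": "single-account" if len(users) == 1 else "multi-account",
        })
    return findings


if __name__ == "__main__":
    for f in find_bursts(SAMPLE_ERRORLOG.splitlines()):
        print(f"{f['start']} .. {f['end']}: {f['count']} failures, "
              f"{f['kind']}, logins tried: {', '.join(f['users'])}")
```

Run over the sample it reports the 14:10 run as multi-account and the 16:00 run as single-account, and ignores the lone 17:00 failure. Feeding it the real error log (or the output of a SQL Server Agent alert, as Brian suggests) gives a timestamped record to hand to the incident response team, which answers Larry's later question about logging this somewhere without running Profiler all the time.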

  • Good point on getting your incident response team involved if you have one. All of us neglected to state this. If it's a hosted solution, etc., talk to your ISP.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • Brian,

    I'm very involved with this type of thing. My main job is running a database for IDS.

    By the way, best practice for passwords would be to make your password:

    #1ManchesterUnited.

    It's harder for a password cracker to figure that out. They start off looking for dictionary words and then working from there. A good password cracker would quickly find the Manchester and then work from there.

    Even better would be #1MUisMfT!

    (#1 Manchester United is My favorite Team!)

    -SQLBill

  • If you're dealing with hashes, there shouldn't be any telling difference between:

    ManchesterUnitedIs#1!

    and

    #1ManchesterUnited!

    Therefore, you won't find Manchester at all. And since you can't find Manchester, you can only try all combos until you get a hit... that's a brute force attack.

    From a brute force perspective, it really depends on how the engine is written. Most engines are written to try all combinations of four characters before going on to five characters, all five character combos before going to six character combos, and so forth. So using the following brute force calculator:

    http://www.mandylionlabs.com/documents/BFTCalc.xls

    Here are the results in hours:

    ManchesterUnitedIs#1!

    Hours: 8,785,578,668,121,670,000.00

    #1ManchesterUnited.

    Hours: 12,996,418,148,109,000.00

    #1MUisMfT!

    Hours: 2,393.67

    The more characters, the more time it takes for a brute force attack to be successful.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley
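As an added example rather than the thread's own calculation, the following Python puts numbers to the length-ordered search Brian describes (every four-character combination before any five-character one). The character-class alphabet sizes and the guessing rate are assumptions of this example, so it will not reproduce the spreadsheet's hour figures, but it shows the same ordering: the 21-character phrase outranks the 19-character one, and both dwarf the 10-character abbreviation, because the alphabet is identical for all three and only the length differs.

```python
import string

# Character-class sizes used to estimate the alphabet a brute force must
# cover. These are assumptions of this example, not the spreadsheet's.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
}


def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    if size == 0:
        raise ValueError("password contains no recognised character class")
    return size


def search_space(length, alphabet):
    """Guesses needed to exhaust every length from 1 up to `length`: the
    'all four-character combos before five-character combos' strategy."""
    return sum(alphabet ** k for k in range(1, length + 1))


def hours_to_exhaust(password, guesses_per_second):
    """Worst-case hours for a length-ordered brute force to finish the
    password's length; `guesses_per_second` is an assumed attacker speed."""
    guesses = search_space(len(password), alphabet_size(password))
    return guesses / guesses_per_second / 3600


def compare(passwords, guesses_per_second=1_000_000_000):
    """Return [(password, length, alphabet, hours)] sorted strongest-first."""
    rows = [(p, len(p), alphabet_size(p), hours_to_exhaust(p, guesses_per_second))
            for p in passwords]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    # The three candidates discussed in the thread, at an assumed rate of
    # one billion guesses per second.
    candidates = ["ManchesterUnitedIs#1!", "#1ManchesterUnited.", "#1MUisMfT!"]
    for pw, n, a, h in compare(candidates):
        print(f"{pw:24} len={n:2} alphabet={a:3} hours={h:.3e}")
```

Because `alphabet_size` only looks at which classes appear, moving the `#1` to the front changes nothing, which is Brian's point about hashes: the attacker gains no partial credit for "Manchester" and has to cover the whole space. Length is the term that grows the exponent.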

  • Implement the network security and block the server IP and ports to public.

  • What's the best way to find out where the attack is coming from without hitting performance? Do I need to run profiler continuously on the server or on my remote PC? Can I log this info someplace?

    Thanks,

    Larry

  • Maybe it will help you

    http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

    Edited by - simon_hyan on 10/28/2003 2:17:23 PM

  • Profiler may tell you, but it's possible to spoof the workstation name.

    If you set up an alert to fire when a failed login happens, you'll be able to get a network trace of what's going on. The network trace will reveal the source IP address (this tends not to be spoofed because they're trying to make a connection to the SQL Server). That'll give you an idea where to start.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley
