Block SQL login attempts failures

  • Hello Folks

    Our SQL servers are being hit with login attempts using the 'sa' user; even though these boxes are behind firewalls, the SQL management ports are open. Has anyone experienced this? Any ideas on how to stop it?

    Thanks

    G

  • G

    I would do 2 things. You obviously can't stop these attempts as long as you don't know where they originate from so:

    First of all rename the sa account, so that if this is some kind of hacking attempt at least it won't be successful.

    Second, you can use some network sniffer tool like Ethereal to analyze which host the attempts are coming from.

    Markus

    Markus Bohse

  • Thanks for your reply. I have disabled the sa account so there is no chance for a breach. Also, I have identified the src IP for these attacks, but every time I block that IP through the firewall, they come up with a different src IP.

    Any ideas?

    G

  • As Markus suggested, it would be a good idea to rename the sa account. If possible, change the port from 1433 and make sure that SQL Server Browser is disabled. Then open the new port and block 1433 on the firewall. You could also create a login trigger to either capture information about the login attempts or to limit the new sa login to only specific internal host computers.

    Good luck with this

    David
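
A sketch of the logon trigger suggested above, as an added example that is not part of the original posts. The login name `ops_admin` (standing in for the renamed sa account), the trigger name and the two 10.0.5.x addresses are assumptions. A logon trigger fires only after authentication succeeds, so failed attempts never reach it and have to be read from the error log, as the last statement does.

```sql
-- Added example: limit one privileged login to known internal hosts.
-- Assumptions (not from the thread): the renamed sa login is [ops_admin];
-- 10.0.5.10 and 10.0.5.11 are constructed addresses for the admin hosts.
USE master;
GO

CREATE TRIGGER trg_restrict_admin_login
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- ClientHost is the client address as seen by the server, or
    -- '<local machine>' for local connections. HOST_NAME() is supplied
    -- by the client and can be set to anything, so it is not used here.
    DECLARE @client nvarchar(48) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(48)');

    -- ISNULL makes a missing address fail closed: NOT IN against NULL
    -- would evaluate to UNKNOWN and let the logon through.
    IF ORIGINAL_LOGIN() = N'ops_admin'
       AND ISNULL(@client, N'') NOT IN
           (N'<local machine>', N'10.0.5.10', N'10.0.5.11')
    BEGIN
        -- PRINT output from a logon trigger is diverted to the error log.
        PRINT N'Blocked ops_admin logon from ' + ISNULL(@client, N'unknown');
        ROLLBACK;  -- ends the connection attempt
    END
END;
GO

-- Failed logins (error 18456) are recorded by login auditing, not by the
-- trigger. Search the current SQL Server error log for them:
EXEC sp_readerrorlog 0, 1, N'Login failed';
```

Test the trigger from a second session before closing the one that created it. If it blocks everyone, a sysadmin can still connect over the dedicated administrator connection and run `DROP TRIGGER trg_restrict_admin_login ON ALL SERVER;`.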

  • Any threads on changing the port from default 1433? On the server side and also the client side?

    Thanks

    G

  • I'm not aware of any threads... but I would venture to say there probably are some.

    You can change the port in the TCP/IP properties using SQL Server Configuration Manager under the Protocols page. As for the client, make sure you add the port number to the connection string... in Management Studio you would put MySQLServer\MyInstance, port#

    David

  • That worked,

    Thanks

  • Ahh, the joys of firewall administration. As an alternative to opening 1433 to everyone, perhaps you should consider whitelisting only those hosts/subnets that should be accessing your SQL servers?

    Joe
