Possible attack on my SQL server?
Problem
Checking my SQL Server log I see several entries like this:
Date: 08-11-2011 11:40:42
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:42
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.
Date: 08-11-2011 11:40:41
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:41
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.
And so on..
Is this a possible attack on my SQL Server from the Chinese???!
I looked up the IP address at ip-lookup.net which stated it was Chinese.
And what to do?
- Block the IP address in the firewall?
- Delete the user sa?
And how do I protect my web server the best?!
Thanks in advance!
Solution
If you have a firewall, why is the database server exposed to the internet?
- The firewall should block all access to BOTH servers apart from the ports required. Typically this would be 80 (http) and 443 (https) to the web server ONLY.
- If (and only if) an external service requires access to the SQL Server, permit access to the specific IP addresses required at the firewall. This should occur via a VPN connection, not openly exposed 1433.
- Create a new administrator account and disable the default 'sa'.
- Preferably, switch from using "mixed mode" authentication to Windows accounts.
Context
StackExchange Database Administrators Q#7660, answer score: 30
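The detection side of the question, as an added example (not code from the original post or answer): it parses log entries in the layout the asker pasted and flags client addresses that produce a burst of failed logins. The day-month-year date order, the threshold and window values, the `sample_entry` helper and the 192.0.2.10 address are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Login failed" entry in the layout pasted in the question.
ENTRY = re.compile(
    r"Date: (?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+Source: Logon\s+"
    r"Message: Login failed for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>.*?) \[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return (timestamp, user, client, reason) for each 'Login failed' entry."""
    out = []
    for m in ENTRY.finditer(text):
        # Assumption: the log viewer prints day-month-year; adjust if yours differs.
        ts = datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S")
        out.append((ts, m["user"], m["ip"], m["reason"]))
    return out

def flag_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Report clients with at least `threshold` failures inside any sliding window."""
    by_client = defaultdict(list)
    for ts, user, ip, _reason in events:
        by_client[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_client.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # shrink the window from the left
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "total": len(hits),
                           "users": sorted({u for _, u in hits})}
    return flagged

def sample_entry(ts, user, ip):
    """Build one constructed failure plus its 18456 line, as in the question."""
    return (f"Date: {ts}\nSource: Logon\nMessage: Login failed for user '{user}'. "
            f"Reason: Password did not match for the login provided. [CLIENT: {ip}]\n"
            f"Date: {ts}\nSource: Logon\nMessage: Error: 18456. Severity: 14. State: 8.\n")

# Constructed sample: six rapid 'sa' failures from the address in the question,
# plus one isolated failure from a documentation-range address.
SAMPLE_LOG = "".join(sample_entry(f"08-11-2011 11:40:4{i}", "sa", "56.60.156.50")
                     for i in range(6))
SAMPLE_LOG += sample_entry("08-11-2011 09:15:00", "appuser", "192.0.2.10")

if __name__ == "__main__":
    print(flag_bruteforce(parse_failed_logins(SAMPLE_LOG)))
```

A flagged address on a server that should only be reachable from the web server is itself evidence that port 1433 is exposed, which is the point the answer opens with.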