Need advice on abnormal login auditing
Problem
Recently I have been facing some slowness issues with my web application. I have checked my visitor report and it shows a normal traffic rate, as usual. Then I checked my DB login auditing and found the login failed logs below.
Previously I enabled remote access (MS SQL Server > Connection > Allow remote access to this server) for personal purposes. I have disabled the remote access option for the moment, but I am not sure whether it helps.
Does it mean someone is trying to hack my DB? Is there anything else I can do to prevent this?
EDIT
I am getting this kind of error at random times, each time consisting of 100-500 failed attempts (lasting 1-2 minutes). The random times for today are as below:
01/19/2014 18:41:29
01/19/2014 16:59:44
01/19/2014 15:50:56
01/19/2014 14:59:43
01/19/2014 07:02:33
01/19/2014 05:34:45
01/19/2014 01:25:49
Example data:
01/19/2014 18:41:30,Logon,Unknown,Error: 18456 Severity: 14 State: 7.
01/19/2014 18:41:29,Logon,Unknown,Login failed for user 'hbv7'. Reason: Could not find a login matching the name provided. [CLIENT: 61.138.99.12]
01/19/2014 18:41:29,Logon,Unknown,Error: 18456 Severity: 14 State: 5.
01/19/2014 18:41:29,Logon,Unknown,Login failed for user 'sa'. Reason: An error occurred while evaluating the password. [CLIENT: 61.138.99.12]
01/19/2014 18:41:29,Logon,Unknown,Error: 18456 Severity: 14 State: 7.
01/19/2014 18:41:28,Logon,Unknown,Login failed for user 'hbv7'. Reason: Could not find a login matching the name provided. [CLIENT: 61.138.99.12]
Most of the errors are "Login failed for user 'sa'".
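The posted log shows two login names and one client address inside a one-second window. The question is really whether this is a burst from a single source, so the first thing a DBA wants is the failed-login entries grouped by client address and minute. The T-SQL below is an added example, not code from the question or the accepted answer. It loads the three "Login failed" rows from the question (plus one constructed row from a second, invented address, 10.0.0.5, to show that sources are reported separately) into a temp table, parses the login name and the [CLIENT: ...] address out of the message text, and reports every (address, minute) bucket at or above a threshold. The threshold value is an assumption for the demo; the comment says what a realistic one would be. On a live instance the INSERT of sample rows is replaced by a read of the error log through sys.xp_readerrorlog, as shown in the comment.

```sql
-- Added example (not from the original post): aggregate failed logins from the
-- SQL Server error log by client address and minute to spot a brute-force burst.
-- On a live instance replace the sample INSERT below with:
--   INSERT INTO #errlog EXEC sys.xp_readerrorlog 0, 1, N'Login failed';
SET NOCOUNT ON;

CREATE TABLE #errlog (
    LogDate     datetime      NOT NULL,
    ProcessInfo nvarchar(50)  NOT NULL,
    [Text]      nvarchar(max) NOT NULL
);

-- Constructed sample: the three "Login failed" rows from the question, plus one
-- invented row from a second address (10.0.0.5) to show separate reporting.
INSERT INTO #errlog (LogDate, ProcessInfo, [Text]) VALUES
('2014-01-19T18:41:29', 'Logon', N'Login failed for user ''hbv7''. Reason: Could not find a login matching the name provided. [CLIENT: 61.138.99.12]'),
('2014-01-19T18:41:29', 'Logon', N'Login failed for user ''sa''. Reason: An error occurred while evaluating the password. [CLIENT: 61.138.99.12]'),
('2014-01-19T18:41:28', 'Logon', N'Login failed for user ''hbv7''. Reason: Could not find a login matching the name provided. [CLIENT: 61.138.99.12]'),
('2014-01-19T18:41:30', 'Logon', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]');

-- Assumption for the demo: flag any address with 2+ failures in one minute.
-- The question reports 100-500 attempts in 1-2 minutes, so on a real server a
-- value such as 50 per minute separates an attack from a mistyped password.
DECLARE @threshold int = 2;

WITH parsed AS (
    SELECT
        LogDate,
        -- login name: text between the first pair of single quotes
        SUBSTRING([Text],
                  CHARINDEX('''', [Text]) + 1,
                  CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                      - CHARINDEX('''', [Text]) - 1) AS login_name,
        -- client address: text between "[CLIENT: " (9 characters) and the next "]"
        SUBSTRING([Text],
                  CHARINDEX('[CLIENT: ', [Text]) + 9,
                  CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                      - CHARINDEX('[CLIENT: ', [Text]) - 9) AS client_ip,
        -- truncate the timestamp to the minute for bucketing
        DATEADD(minute, DATEDIFF(minute, 0, LogDate), 0) AS minute_bucket
    FROM #errlog
    WHERE [Text] LIKE N'Login failed for user%'
      AND [Text] LIKE N'%[[]CLIENT: %'   -- [[] matches a literal "["
)
SELECT
    client_ip,
    minute_bucket,
    COUNT(*)                                           AS attempts,
    COUNT(DISTINCT login_name)                         AS distinct_logins,
    SUM(CASE WHEN login_name = 'sa' THEN 1 ELSE 0 END) AS sa_attempts,
    MIN(LogDate)                                       AS first_seen,
    MAX(LogDate)                                       AS last_seen
FROM parsed
GROUP BY client_ip, minute_bucket
HAVING COUNT(*) >= @threshold
ORDER BY attempts DESC, minute_bucket;

DROP TABLE #errlog;
```

With the sample rows this returns one line: 61.138.99.12 in the 18:41 bucket with 3 attempts, 2 distinct login names and 1 attempt against sa; the single failure from 10.0.0.5 stays below the threshold and is not reported. A high distinct_logins count from one address (names like hbv7 alongside sa) is the signature of a wordlist rather than a user mistyping a password, and the client_ip column is the value to feed into the firewall rule the answer recommends.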
Solution
Some steps to reduce these vulnerabilities can be found here:
- Disable the login that is being attacked. In most cases, the login would be a generic sa or admin account. This will disable access to the account. However, the server may still be vulnerable to outside attacks.
- Change the name of the account that is being attacked. For instance, change the sa account to sa_databasename in order to make it harder to guess a high-level account name.
- Change the port from the default 1433 to a random port in order to make it less predictable to find the port that the server is listening on.
- Change the firewall settings to only allow known IP addresses to get through the security system.
- Implement a strong password policy and make sure that the passwords expire on a frequent basis.
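Steps 1, 2 and 5 of the answer are done in T-SQL; steps 3 and 4 are done outside SQL Server (the port in SQL Server Configuration Manager, the allow-list in the Windows firewall). The script below is an added example, not code from the answer. It shows the T-SQL steps with a check before and after, so the change can be verified against sys.sql_logins. The new name [sa_mydb] and the application login [app_user] are placeholders chosen for this example. One caveat a practitioner would want first: error 18456 state 7, which is what the question's log pairs with the sa failures, is documented as "login disabled and password mismatch", so on that instance sa is already disabled and the disable step is a no-op; the rename, the policy enforcement and the firewall are the steps that still change anything.

```sql
-- Added example (not from the answer): the T-SQL hardening steps, with checks.
-- Run as a member of sysadmin. Bracketed names are placeholders for this example.

-- Check the current state: SQL logins, whether sa is disabled, and whether the
-- Windows password policy and expiry are enforced for each login.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
ORDER BY name;

-- Step 1: disable sa. In the question's log the sa failures carry error 18456
-- state 7 ("login disabled and password mismatch"), so there this is already done.
ALTER LOGIN sa DISABLE;

-- Step 2: rename sa so the well-known name no longer exists. A guess of "sa"
-- then fails with state 5 ("no such login") before any password is evaluated.
-- First make sure no job, linked server or connection string still uses "sa".
ALTER LOGIN sa WITH NAME = [sa_mydb];   -- placeholder name

-- Step 5: enforce the Windows password policy (complexity and, if the Windows
-- policy defines one, account lockout) and password expiry on the SQL logins
-- the application uses. [app_user] is a placeholder for this example.
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Verify: no enabled SQL login should be left without policy checking, and no
-- login named sa should remain. An empty result set is the expected outcome.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'sa'
   OR (is_disabled = 0 AND (is_policy_checked = 0 OR is_expiration_checked = 0));

-- For step 3 (port change) this shows the port the current session arrived on,
-- which is the value to confirm after changing it in Configuration Manager.
SELECT local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Two caveats on the non-SQL steps. Moving off port 1433 only helps if the SQL Browser service (UDP 1434), which advertises the instance's port, is stopped or blocked as well, and a port scan finds the listener regardless; the firewall allow-list in step 4 is the step that actually stops remote guessing. Enabling account lockout on the login the web application itself uses turns a brute force into a denial of service against the application, which matches the slowness the question started with, so for that login prefer blocking the source addresses over lockout.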
Context
StackExchange Database Administrators Q#57073, answer score: 3