Mar 27, 2012
tom

Possible attack on my SQL server?

Question

Checking my SQL Server log I see several entries like this:

Date: 08-11-2011 11:40:42
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:42
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.
Date: 08-11-2011 11:40:41
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:41
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.

And so on..
Is this a possible attack on my SQL Server from the Chinese???!
I looked up the IP address at ip-lookup.net, which stated it was Chinese.

And what to do?
- Block the IP address in the firewall?
- Delete the user sa?

And how do I protect my web server the best?! :)

Thanks in advance!

Asked by erizias

Answer

It looks like a cheap brute force attack.

The fact that the whole internet can get as far as attempting to authenticate against your SQL Server is probably a massive problem. Unless you have particular reasons for this, access to SQL should be restricted to only those servers that require access to the resource.

Also, don’t go down the line of blocking specific IP addresses, or you’ll never stop. Block everything except authorised locations. And don’t delete your user accounts unless you’re certain you don’t need them.

Answered by SmallClanger
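
To confirm from the log that this is a brute-force pattern, the failed-login records can be grouped by client address and checked for bursts. The following is an added example, not part of the original question or answer; it assumes the log layout shown in the question and day-month-year dates, and the sample log, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One failed-login record: Date / Source: Logon / Message: Login failed ... [CLIENT: ip].
# \s* between fields also matches records that were run together on one line.
FAILED_LOGIN = re.compile(
    r"Date:\s*(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s*Source:\s*Logon\s*"
    r"Message:\s*Login failed for user '([^']*)'\..*?\[CLIENT:\s*([^\]\s]+)\]"
)

def _entry(ts, user, ip):
    """Build one constructed log entry pair in the layout from the question."""
    return (f"Date: {ts}\nSource: Logon\n"
            f"Message: Login failed for user '{user}'. Reason: Password did not "
            f"match for the login provided. [CLIENT: {ip}]\n"
            f"Date: {ts}\nSource: Logon\n"
            f"Message: Error: 18456. Severity: 14. State: 8.")

# Constructed sample (documentation IP ranges). Entries are joined without a
# newline to mimic the fused "State: 8.Date:" record seen in the question.
SAMPLE_LOG = "".join(
    _entry(f"08-11-2011 11:40:4{i}", "sa", "192.0.2.10") for i in range(6)
) + "\n" + _entry("08-11-2011 11:52:03", "appuser", "198.51.100.7")

def failed_logins(log_text):
    """Return (timestamp, login, client_ip) for every failed-login record."""
    return [
        (datetime.strptime(ts, "%d-%m-%Y %H:%M:%S"), user, ip)  # assumed day-month-year
        for ts, user, ip in FAILED_LOGIN.findall(log_text)
    ]

def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Clients with at least `threshold` failures inside any `window`-long span."""
    by_client = defaultdict(list)
    for ts, user, ip in failed_logins(log_text):
        by_client[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_client.items():
        attempts.sort()
        times = [ts for ts, _ in attempts]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            flagged[ip] = {"failures": len(times),
                           "logins": sorted({user for _, user in attempts})}
    return flagged

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password from an application server stays below the threshold, while repeated guesses against one login from the same address are reported.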
