Brute force attack on sa account

  • Question

  • Hi guys I have a problem

    The event logs show a brute force attack attempt to log in to the SQL Server as user 'sa'. It looks like someone has been randomly attempting to log in as sa for the last couple of days at least. Each time they try to guess the password, they attempt to log in as sa up to 20 times per second.

    I did a Google search for "server attack by user sa" and found this happens to many SQL Servers that are accessed via the internet. As long as the password is very complex we are probably OK. Disabling the account is also a possibility, though this is beyond my expertise a bit. I need to disable the sa account but I am wondering if that is the best course of action. I need to either disable the sa account or create another account with the same permissions. Please advise. We are using Mixed Mode and I am wondering what is the best way to disable the sa account. I am on SQL Server as a separate admin account.
    Monday, October 12, 2009 5:52 AM

All replies

  • >>Disabling the account is also a possibility, though this is beyond my expertise a bit. I need to disable the SA account but I am wondering if that is the best course of action.

    Take a look at Ted Kruger's recent blog post on this topic. Disabling the sa account should be easy and outlined in the below post. Thank Ted on his blog post if it helped you.


    | Sankar Reddy | http://sankarreddy.spaces.live.com/ |
    Monday, October 12, 2009 6:08 AM
  • You would want to look at the SQL Server Errorlog and find out the state for the 18456 error message which is associated with the Login Failed for "SA" message. If it is State 14, then this signifies a Password Mismatch. Also, you would get the client from which the login is being attempted. This might help you determine the source from which the login attempt is originating.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    My Blog: Troubleshooting SQL
    Monday, October 12, 2009 7:48 AM
  • To add to Amit's post, you could then block the offending IP at the firewall to prevent further connection attempts. You could also consider reporting the IP to your ISP.

    And to add to Ted's post linked above: after renaming sa, you could also create a new 'sa' account, with minimum privileges to distract would-be hacking attempts.

    HTH

    Ewan

    If you have found this post helpful, please click the 'Vote as Helpful' link (the green triangle and number on the top-left).

    If this post answers your question, click the 'Mark As Answered' link below. It helps others who experience the same issue in future to find the solution.
    Monday, October 12, 2009 8:55 AM
  • In addition to the other posts:

    An obvious question is why your SQL Server is so unprotected in the first place... I would talk to the networking people and see whether the right firewalls are in place in front of your SQL Server.
    Tibor Karaszi, SQL Server MVP http://www.karaszi.com/sqlserver/default.asp http://sqlblog.com/blogs/tibor_karaszi
    Monday, October 12, 2009 4:15 PM
  • >>You would want to look at the SQL Server Errorlog and find out the state for the 18456 error message which is associated with the Login Failed for "SA" message. If it is State 14, then this signifies a Password Mismatch

    This is not correct; the password mismatch is indicated as state 7 and state 8 in error 18456. State 7 is for sa and state 8 for any other login.
    Thanks, Leks
    Monday, October 12, 2009 10:49 PM
  • My Bad :(

    I just verified this.

    State 7: Login disabled and password mismatch
    State 8: Password mismatch


    This posting is provided "AS IS" with no warranties, and confers no rights.
    My Blog: Troubleshooting SQL
    Monday, October 12, 2009 11:49 PM
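
The errorlog check suggested in the replies above, sketched as an added example that is not part of the original thread: it pairs each 18456 error line with the "Login failed" line that follows it, then reports per client address how many failed 'sa' logins were seen, the peak per second, and which states were logged. The function names, the 10-per-second threshold and the sample log (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# A failed login is logged as an "Error: 18456 ... State: N." line followed by
# a "Login failed for user ... [CLIENT: ip]" line carrying the client address.
ERR = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\.\d+\s+Logon\s+Error: 18456, Severity: \d+, State: (\d+)\.")
MSG = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")

def parse_failures(text):
    """Yield (second, state, login, client) for each 18456 error/message pair."""
    pending = None
    for line in text.splitlines():
        m = ERR.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = MSG.search(line)
        if m and pending:
            yield (*pending, m.group(1), m.group(2))
        pending = None  # an unpaired line resets the state machine

def summarize(text, login="sa", per_second_threshold=10):
    """Per client: failures for `login`, peak in any one second, states seen."""
    totals, per_sec, states = Counter(), defaultdict(Counter), defaultdict(set)
    for second, state, user, client in parse_failures(text):
        if user.lower() != login:
            continue
        totals[client] += 1
        per_sec[client][second] += 1
        states[client].add(state)
    report = {}
    for client, total in totals.items():
        peak = max(per_sec[client].values())
        report[client] = {"total": total, "peak_per_second": peak,
                          "states": sorted(states[client]),
                          "suspect": peak >= per_second_threshold}  # assumed cutoff
    return report

def sample_log():
    """Constructed ERRORLOG excerpt: 20 'sa' failures in one second, plus noise."""
    pair = ("2009-10-12 05:51:{s:02d}.{cs:02d} Logon       Error: 18456, Severity: 14, State: {st}.\n"
            "2009-10-12 05:51:{s:02d}.{cs:02d} Logon       Login failed for user '{u}'. [CLIENT: {ip}]\n")
    burst = "".join(pair.format(s=58, cs=i, st=8, u="sa", ip="203.0.113.45") for i in range(20))
    noise = pair.format(s=59, cs=10, st=8, u="appuser", ip="192.0.2.10")
    single = pair.format(s=59, cs=40, st=8, u="sa", ip="198.51.100.7")
    return burst + noise + single

if __name__ == "__main__":
    for client, info in summarize(sample_log()).items():
        print(client, info)
```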