Someone trying to hack my SQL Server.

  • Question

  • Hi, I'm from India.
    Today I checked my SQL Server error log.
    In it I can see the "login failed for the user 'sa'" error. Someone is trying to log in with the sa account. He tried continuously for a whole day.
    As a junior DBA I don't know about SQL security. Please help me to find the RCA and how to secure my SQL Server.

    Monday, December 28, 2015 4:41 AM

Answers

  • 1) Change the sa password to a complex one, and change it regularly.

    2) Try to change the SQL port.

    3) Find out the IP address of who is logging in on the server.

    Query:

        -- Sessions currently connected, with client host name and network address
        SELECT  hostname,
                net_library,
                net_address,
                client_net_address
        FROM    sys.sysprocesses AS S
        INNER JOIN sys.dm_exec_connections AS decc ON S.spid = decc.session_id;

    4) Enable login auditing for failed and successful logins, as shown in the figure.

    https://www.mssqltips.com/sql-server-tip-category/19/security/


    Please click Mark As Answer if my post helped.




    • Edited by AV111 Monday, December 28, 2015 5:07 AM
    • Marked as answer by Aadhira Monday, December 28, 2015 5:10 AM
    Monday, December 28, 2015 4:48 AM

All replies

  • The message in the SQL Server errorlog should include the origin of the intruder. If it says "local machine" it is less likely to be an intruder, but some process somewhere on the machine. The same is true if the IP address is within your organisation - maybe.
    If the IP address is outside your organisation, the answer is simple: don't expose your SQL Server on the Internet. In the meanwhile, disable the sa account:

     ALTER LOGIN sa DISABLE

    If this causes an outcry within your organisation, you have more problems to fix. And then I don't mean you personally.

    Monday, December 28, 2015 10:11 PM
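
The triage described in the last reply (local machine, inside the organisation, or outside it), as an added example that is not part of the original thread: a small Python script that counts failed 'sa' logins per client from ERRORLOG text. The sample log lines and the `INTERNAL_NETS` range are constructed assumptions; substitute your own exported log text and address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in SQL Server ERRORLOG format (not from the thread).
SAMPLE_LOG = """\
2015-12-28 04:12:07.45 Logon       Error: 18456, Severity: 14, State: 8.
2015-12-28 04:12:07.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2015-12-28 04:12:09.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2015-12-28 04:13:30.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.4.15]
2015-12-28 04:15:11.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]
2015-12-28 04:16:02.31 Logon       Login failed for user 'report'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
"""

# Assumption: the organisation's address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Captures the login name and the CLIENT field of a failed-login message.
FAILED = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")


def classify(client):
    """Map the CLIENT field to local / internal / external / unknown."""
    if client == "<local machine>":
        return "local"
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unknown"  # value that is not an IP address
    if addr.is_loopback:
        return "local"
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"


def summarize(log_text, login="sa"):
    """Count failed logins for `login` per (origin class, client)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group(1).lower() == login.lower():
            client = m.group(2).strip()
            counts[(classify(client), client)] += 1
    return counts


if __name__ == "__main__":
    for (origin, client), n in summarize(SAMPLE_LOG).most_common():
        print(f"{origin:8} {client:16} {n} failed 'sa' logins")
```

Clients classified as external are the ones the reply's advice about Internet exposure applies to; internal and local ones point to a misconfigured application or service to track down.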