invalid login attempt

  • Question

  • I am using sql sk8 express edition, where I have renamed the sa user name for security purposes. But there are thousands of Event Viewer events generated per minute on the server. It's obvious that someone is trying to find a way into the server.

    Login failed for user 'sa'. Reason: Could not find a login matching the name provided. [CLIENT: 65.xxx.xxx.202]

    How can I block the specific IP to avoid generating millions of Event Viewer events on the server?


    ---- Tahir Khan --- -Exchange Solution Provider- -http://hostautomate.com
    Friday, December 3, 2010 10:03 PM

Answers

  • I am not sure if any particular user can attempt to login a thousand times a minute. It must be an attempt from some application which tries to connect to the SQL Server.

    Can you identify which machine has the IP 65.xxx.xxx.202?

    If you can, try running a Profiler Trace for a few minutes with "Audit - Login Failed" event to capture the Application Name and the Process ID of the application trying to connect to the SQL Server Instance.

    Once you have identified the application, either stop it, if you do not need it, or reconfigure it to use correct credentials.


    Suhas De
    My Blog: http://blogs.msdn.com/b/suhde
    Wednesday, December 8, 2010 7:32 AM
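
An added example, not part of the original thread or any poster's code: it counts failed logins per client address and per minute from error-log text carrying the message quoted in the question, to show which source is responsible and which login names it tries. The timestamp and `Logon` prefix layout, the constructed sample lines (documentation IP addresses) and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: message text as quoted in the question,
# timestamp/"Logon" prefix layout assumed, documentation IP addresses.
_MSG = ("{ts} Logon       Login failed for user '{user}'. Reason: Could not find "
        "a login matching the name provided. [CLIENT: {client}]")
_EVENTS = [
    ("2010-12-03 22:01:03.11", "sa", "203.0.113.7"),
    ("2010-12-03 22:01:19.40", "sa", "203.0.113.7"),
    ("2010-12-03 22:01:31.02", "admin", "203.0.113.7"),
    ("2010-12-03 22:01:48.77", "sa", "203.0.113.7"),
    ("2010-12-03 22:01:52.30", "report", "198.51.100.20"),
    ("2010-12-03 22:02:05.93", "sa", "203.0.113.7"),
    ("2010-12-03 22:02:10.15", "sa", "<local machine>"),
]
SAMPLE_LOG = "\n".join(_MSG.format(ts=t, user=u, client=c) for t, u, c in _EVENTS)
# A companion line that is not a failed-login message and must be skipped.
SAMPLE_LOG += "\n2010-12-03 22:02:10.15 Logon       Error: 18456, Severity: 14, State: 5."

LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failures(text):
    """Yield (minute, user, client) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["minute"], m["user"], m["client"]

def noisy_clients(text, per_minute_threshold=3):
    """Return {client: (peak failures in one minute, sorted login names tried)}
    for clients whose peak rate reaches the threshold."""
    per_minute = Counter()
    users = defaultdict(set)
    for minute, user, client in parse_failures(text):
        per_minute[(client, minute)] += 1
        users[client].add(user)
    peak = Counter()
    for (client, _minute), n in per_minute.items():
        peak[client] = max(peak[client], n)
    return {c: (n, sorted(users[c])) for c, n in peak.items() if n >= per_minute_threshold}

if __name__ == "__main__":
    for client, (rate, names) in noisy_clients(SAMPLE_LOG).items():
        print(f"{client}: peak {rate}/min, logins tried: {', '.join(names)}")
```
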

All replies

  • Change default port to dynamic.....
    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Monday, December 6, 2010 10:14 AM
  • SQL Server can't block an attempt from a specific IP Address. Look to the firewall for that capability.


    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty
    Monday, December 6, 2010 4:42 PM
  • Hi Rick

    I meant that hackers know the default port and try to get in by using that port. Changing the default port will prevent attempts to get in (lots of errors in Event Viewer).


    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Wednesday, December 8, 2010 8:30 AM
  • Good point.
    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty
    Wednesday, December 8, 2010 3:47 PM