-
lot of login failed for user 'sa'(root,admin...)
I have recently noticed in our SQL Profiler that there are a lot of login failures for user 'sa' (as well as for 'admin', 'root', 'sql', 'database', etc.). I don't know why it is happening. I would like to know how to prevent this type of attack and any solution to solve this.
-
You can enable sql auditing to trace where those connections came from.
-
Preventing: Change the SQL password with a complex combination of numbers every month, like this:
CA8BF97A43E2
Run a security audit from Profiler and capture the hostname. Then take the necessary action.
-
Thanks ya,
I set the auditing level to "all"; I need to know how to trace the audit event.
Also, from the profiler, the application name seems to be from OSQL.
-
Open Profiler - New trace - select the server - click on the "Events" tab. Select only Security - click on the "Data Columns" tab and select "databasename", "hostname", "databaseusername" and all relevant columns,
and click "RUN".
-
Adding to this,
I am running SQL Server 7.0. Not sure how to get the hostname.
Also, it seems the failed login attempts stopped after running for 24 hours; I don't know why or how.
-
SQL auditing logs events in the Windows application event log.
-
Thanks again,
The failed login attempts have started again. This time I used the 2000 Profiler to trace the hostname.
Finally I got the hostname, but then how do I find the IP address of a hostname which doesn't have any extension like .com, .net...? Any ideas?
-
Run 'ping host_name' in a DOS prompt.
-
I tried to ping the hostname, but got no result... I think it needs some extension like .net, .com, etc.
Is it possible to get the IP address using a profiler trace?
-
Don't think you can trace the IP address. Is your SQL Server on the internet? Does the host name have the same naming convention as on your network?
-
Yes, it is on the internet and has the same name.
-
You may find related info in the firewall log, or set up a network trace to get it.
-
Maybe the hostname really doesn't exist.
Look at this example of how the hostname can be changed when you are connecting:
c:\>osql -SSQLServer -Hfind_me -Usa -P"i try this pwd"
In Profiler you get only this:
HostName - find_me
TextData - Login failed for user 'sa'.
You Have To Be Happy With What You Have To Be Happy With (KC)
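
Added example, not part of the original thread: since the HostName column is whatever the client passes with `-H`, a trace is more useful for spotting the guessing pattern than for locating the sender. The sketch below assumes the trace was saved as CSV with the columns named in the thread; the function name, the threshold and the sample rows are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows shaped like a saved Profiler trace (values are made up).
SAMPLE_TRACE = """HostName,ApplicationName,TextData
find_me,OSQL,Login failed for user 'sa'.
find_me,OSQL,Login failed for user 'admin'.
find_me,OSQL,Login failed for user 'root'.
find_me,OSQL,Login failed for user 'sql'.
find_me,OSQL,Login failed for user 'database'.
APPSRV01,Payroll,Login failed for user 'payroll_svc'.
APPSRV01,Payroll,Login failed for user 'payroll_svc'.
"""

LOGIN_FAILED = re.compile(r"Login failed for user '([^']*)'")


def summarize_failures(trace_csv, distinct_login_threshold=3):
    """Group failed logins by the (HostName, ApplicationName) the client claimed.

    HostName is client-supplied, so it is reported as 'claimed_host' and used
    only for grouping. A group that tries many different login names is
    flagged as guessing; repeated failures for one name look more like a
    misconfigured application.
    """
    logins = defaultdict(set)
    attempts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        match = LOGIN_FAILED.search(row.get("TextData") or "")
        if not match:
            continue  # not a failed-login event
        key = (row.get("HostName") or "", row.get("ApplicationName") or "")
        logins[key].add(match.group(1).lower())
        attempts[key] += 1
    return [
        {
            "claimed_host": host,
            "application": app,
            "attempts": attempts[(host, app)],
            "distinct_logins": sorted(logins[(host, app)]),
            "guessing": len(logins[(host, app)]) >= distinct_login_threshold,
        }
        for host, app in sorted(attempts)
    ]


if __name__ == "__main__":
    for entry in summarize_failures(SAMPLE_TRACE):
        print(entry)
```

The real source address has to come from the firewall log or a network trace, as suggested earlier in the thread.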
-
Then what is the real way to stop people using queries from osql from trying to log in to the SQL Server (other than TCP port 1433), even if the password is secured?
And also, is there any way to block them if they try to connect through osql?