Checking my SQL Server log I see several entries like this:

Date: 08-11-2011 11:40:42
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:42
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.
Date: 08-11-2011 11:40:41
Source: Logon
Message: Login failed for user 'sa'. Reason: Password did not match for the login provided. [CLIENT: 56.60.156.50]
Date: 08-11-2011 11:40:41
Source: Logon
Message: Error: 18456. Severity: 14. State: 8.

And so on... Is this a possible attack on my SQL Server from the Chinese???! I looked up the IP address at ip-lookup.net, which stated it was Chinese.

And what to do? - Block the IP address in the firewall? - Delete the user sa?

And how do I protect my web server the best?! :)

Thanks in advance!

MicBehrens
  • Not really a _programming_ question. –  Nov 08 '11 at 12:17
  • Probably better suited [dba.stackexchange.com](http://dba.stackexchange.com) or [itsecurity.stackexchange.com](http://itsecurity.stackexchange.com) –  Nov 08 '11 at 12:20

4 Answers

4

It looks like a cheap brute force attack.

The fact that the whole internet can get as far as attempting to authenticate against your SQL Server is probably a massive problem. Unless you have particular reasons for this, access to SQL should be restricted to only those servers that require access to the resource.

Also, don't go down the line of blocking specific IP addresses, or you'll never stop. Block everything except authorised locations. And don't delete your user accounts unless you're certain you don't need them.

SmallClanger
  • How do I block everything except for the localhost and my specific work IP address? (I'm doing the programming via my IIS server on my laptop and thereafter uploading it to the web.) – MicBehrens Nov 08 '11 at 12:54
  • By using a VPN. – Bart Silverstrim Nov 08 '11 at 13:18
  • Pretty much. Having anything open to the internet is gross neglect. Put up a firewall, VPN into the server using a secure protocol, be happy. – TomTom Mar 28 '12 at 11:27
2

Can you explain your layout a bit better?

Are you allowing SQL logins from the internet, or any sort of SQL traffic at all? If so, why?

You should be severely restricting any sort of connections to your SQL server to your local network or to specific external IPs (although I'd suggest something more secure if you have that need).

My solution would be for you to take a look at your firewall and lock it down so it allows the minimum required access to provide service availability.

Chris N
  • It is possible to reach the SQL database by using the domain name, username and password... This is because I'm developing the websites from my IIS server on my laptop, and thereafter uploading to the web server. – MicBehrens Nov 08 '11 at 12:56
  • It's possible if the SQL server is running on the web server. You would be the one to answer that. Regardless, my original answer will help: you need to implement a firewall on or preferably between that computer and the internet. That log shows an external IP attempting to login, so you need to add a firewall rule denying any traffic outside of your local network or a set of trusted IPs at the very least. – Chris N Nov 08 '11 at 13:13
  • Three words: Use a VPN. – Bart Silverstrim Nov 08 '11 at 13:17
  • Yes, the SQL server is running on the web server :) But even when trying to deactivate the rules "MS SQL over TCP protocol" and "MS SQL Probe" I can still connect to the SQL database through my website. And the firewall is set by default to block every incoming connection which doesn't match a rule. – MicBehrens Nov 08 '11 at 13:19
2

For anyone looking for a program that will create the IPSEC policy, filters, etc. and automatically scan the event log and add IPs to the block list, I've written a small program that does just that.

As a web hosting provider my customers need external access to my SQL Server instance. I too had the problem where my event log would be filled with thousands of entries for hackers attempting to login to my MSSQL instance with the 'sa' login. After much searching, I decided to write my own program, have it create the necessary IPSEC items, and then scan the event log every 60 seconds for attacks from new IP addresses. It then adds the IP address to the IPSEC filter, and blocks all traffic to and from the IP. I have only tested this on Windows Server 2008, but believe it will work on other versions as well. As a side note you may need to run it with administrator privileges so that it has the correct permissions to access the event log and to create IPSec policies and filters.

Feel free to download the program using the link below. Donations are always appreciated using the link in the right-click menu of the taskmanager icon.

http://www.cgdesign.net/programs/AutoBlockIp.zip

Please note that this only works for SQL login attempts using the 'sa' login, but I could modify it to work for other log events as well. Also, you can view the IPs that have been blocked, but you will continue to see some items in the event log since the program only runs every 60 seconds. This is due to not being able to delete a single event log entry, and I didn't think deleting the entire log would be a good idea. As a result you will need to clear the log manually on occasion. If needed I do have a version that archives the log file after 5,000 entries and then clears it. I found that this helps in CPU utilization since the app doesn't have to keep processing the same event log entries on each run.

DISCLAIMER - By downloading and installing the above-mentioned program, you agree to hold me harmless for any damage, loss of data, corruption, or any other functionality issues resulting from the use of said software. I have tested the program to the best of my ability and currently have it running on 2 servers, but you have been warned to use at your own risk.

user9517
  • Welcome to Server Fault! Please read our [faq] in particular [May I promote products or websites I am affiliated with here?](http://serverfault.com/faq#promotion). – user9517 Mar 28 '12 at 11:22
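The scan-the-log-and-block approach this answer describes, combined with the "allow only authorised locations" advice from the earlier answers, as an added Python example (not the AutoBlockIp program and not code from anyone in this thread): it parses entries in the layout the question quotes, counts failed 'sa' logins per client address inside a sliding time window, and returns the addresses that cross a threshold and are not on an allow-list. The sample log is constructed (it repeats the two entries from the question and adds more), the 192.168.1.0/24 office network and the 203.0.113.7 address are hypothetical, and the Date field is assumed to be day-month-year, matching the 8 Nov 2011 post date. The result is a list to feed into whatever block mechanism you use; the firewall allow-list the other answers recommend remains the primary control, and the allow-list here exists so that an automatic blocker can never lock out your own locations.

```python
"""Scan SQL Server login-failure entries, count failed 'sa' logins per client
address, and list the addresses that cross a threshold and are not allow-listed.
Added example for this thread; it is not the AutoBlockIp program."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two lines of the question's log layout that carry the signal.
DATE_LINE = re.compile(r"^Date: (?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$")
FAILED_LOGIN = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
# Assumption: the log viewer shows day-month-year (the post is dated 8 Nov 2011).
DATE_FMT = "%d-%m-%Y %H:%M:%S"


def _entry(ts, user, ip):
    """One failed-login record pair, in the layout quoted in the question."""
    return (f"Date: {ts}\nSource: Logon\n"
            f"Message: Login failed for user '{user}'. Reason: Password did not "
            f"match for the login provided. [CLIENT: {ip}]\n"
            f"Date: {ts}\nSource: Logon\n"
            f"Message: Error: 18456. Severity: 14. State: 8.\n")


# Constructed sample: the two entries quoted in the question, plus extras.
SAMPLE_LOG = "".join(
    [_entry("08-11-2011 11:40:42", "sa", "56.60.156.50"),
     _entry("08-11-2011 11:40:41", "sa", "56.60.156.50")]
    + [_entry(f"08-11-2011 11:40:{s:02d}", "sa", "56.60.156.50") for s in (36, 37, 38, 39)]
    # six failures from a hypothetical office LAN that is allow-listed below
    + [_entry(f"08-11-2011 09:15:{s:02d}", "sa", "192.168.1.20") for s in range(6)]
    # a single failure from a hypothetical external address: below threshold
    + [_entry("08-11-2011 10:02:11", "sa", "203.0.113.7")]
)


def parse_failed_logins(text):
    """Return [(timestamp, user, client)] for each 'Login failed' message.

    The 'Error: 18456' companion line carries no client address, so it is
    ignored; the Date line preceding each message supplies the timestamp."""
    events, ts = [], None
    for line in text.splitlines():
        m = DATE_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), DATE_FMT)
            continue
        m = FAILED_LOGIN.search(line)
        if m and ts is not None:
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def candidates_to_block(events, threshold=5, window=timedelta(minutes=10),
                        allow_nets=(), users=("sa",)):
    """Client addresses with >= threshold failures for `users` inside any
    `window`, skipping allow-listed networks and non-IP client strings."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    per_ip = defaultdict(list)
    for ts, user, client in events:
        if user in users:
            per_ip[client].append(ts)
    flagged = []
    for client, stamps in per_ip.items():
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # e.g. local shared-memory connections: no IP to block
        if any(addr in net for net in allowed):
            continue  # authorised location: never auto-block
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over sorted times
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = candidates_to_block(parse_failed_logins(SAMPLE_LOG),
                               allow_nets=("127.0.0.0/8", "192.168.1.0/24"))
    print("block candidates:", hits)  # → ['56.60.156.50']
```

Run it as-is and only 56.60.156.50 is reported: the office LAN is exempt even though it produced six failures, and the single external failure stays under the threshold. The same sliding-window count works for other login names by passing a different `users` tuple, which is the generalisation the answer mentions wanting to add.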
0

Use SQL Profiler to look at the login requests to the SQL server. You may find it's an internal IP address and the name of the application trying to access the SQL Server.

If it is an external IP address, then WHY!?! Why have you exposed a SQL server directly to public internet traffic? If you don't know then you're going to have to find out!

Also make sure the sa password is actually very strong. On my SQL Servers, the sa password is actually a very long, randomly generated, garbage, use-once-and-throw-away password.

Guy
  • I made it a rubbish 128-character-long password consisting of a-z, A-Z and 0-9... I can't rename my sa account though :/ ... I can't seem to find the place where to lock down the external traffic... – MicBehrens Nov 08 '11 at 12:55