Author | Topic

cre8tor
Starting Member
7 Posts
Posted - 2002-05-31 : 11:22:56

I administer a public SQL 2k server that stores and serves dynamic content as well as customer account information. After our migration to a new server I've been monitoring the log files (the audit level is set for failure) and I now see multiple continuous logon failures for the sa account, and I'm concerned that there is some kind of brute force attack being tried on the SQL server. Authentication is set to SQL Server and Windows since I have to remotely administer the server. SQL Agent is running fine and hasn't produced any errors (it's using NT authentication). Does anyone have any ideas? I searched the knowledge base but came up with nothing. I'm a "casual" SQL user just starting to get into the more advanced areas of SQL 2k. My first post, please go easy. :) Thanks in advance,
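An added example, not code from this thread: a small Python script that reads SQL Server 2000 errorlog lines of the kind the "failure" audit level writes and flags a burst of failed logins for a single login name. The log excerpt is constructed, and the five-failures-per-minute threshold is an assumption to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the errorlog entry SQL Server 2000 writes for a failed login when the
# audit level is "Failure", e.g.:
#   2002-05-31 11:22:57.40 logon     Login failed for user 'sa'.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'"
)

def parse_failures(lines):
    """Return (timestamp, login name) for each failed-login line; skip the rest."""
    out = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("user")))
    return out

def find_bursts(failures, threshold=5, window=timedelta(minutes=1)):
    """Per login name, find the first moment at which `threshold` failures fall
    inside a sliding `window`. Returns {login: timestamp that tripped the alert}."""
    per_user = defaultdict(list)
    for ts, user in failures:
        per_user[user].append(ts)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = ts
                break
    return alerts

# Constructed sample errorlog excerpt: a burst of 'sa' failures plus unrelated noise.
SAMPLE_LOG = """\
2002-05-31 11:22:56.12 server    Microsoft SQL Server  2000 - 8.00.194
2002-05-31 11:22:57.40 logon     Login failed for user 'sa'.
2002-05-31 11:22:58.01 logon     Login failed for user 'sa'.
2002-05-31 11:22:58.55 logon     Login failed for user 'webuser'.
2002-05-31 11:22:59.10 logon     Login failed for user 'sa'.
2002-05-31 11:23:00.33 logon     Login failed for user 'sa'.
2002-05-31 11:23:01.72 logon     Login failed for user 'sa'.
2002-05-31 11:30:00.00 spid51    Starting up database 'master'.
""".splitlines()

if __name__ == "__main__":
    for user, when in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT: burst of failed logins for '{user}' at {when}")
```

As the thread points out, the errorlog does not carry the client address, so this tells you which login is being hammered and when, not from where; that part comes from a firewall log or an IDS such as Snort.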
MichaelP
Jedi Yak
2489 Posts
cre8tor
Starting Member
7 Posts
Posted - 2002-05-31 : 11:29:41

I'm familiar with the worm, I'm curious if that's what's trying to crack the password - where is it running from and how the hell do I stop it? She's never had a blank password.
macka
Posting Yak Master
162 Posts
Posted - 2002-05-31 : 11:44:47

As I understand it Enterprise Manager polls the server every 10 seconds (by default) to obtain the current state of the server. Is it possible that somebody has registered this server through EM with the incorrect password?
MichaelP
Jedi Yak
2489 Posts
Posted - 2002-05-31 : 11:48:37

Well, I'm not sure that they are trying to brute force attack your SA password, but it's probably lots of servers trying to log in with a blank password. To make it stop, don't put your SQL server on the outside world. It sounds like you can't do this though.

Michael
graz
Chief SQLTeam Crack Dealer
4149 Posts
Posted - 2002-05-31 : 12:07:40

According to an article on the worm it checks for servers with blank passwords AND tries a limited brute force attack. I think that comment was in the CNET article.

===============================================
Creating tomorrow's legacy systems today. One crisis at a time.
cre8tor
Starting Member
7 Posts
Posted - 2002-05-31 : 12:39:19

quote: As I understand it Enterprise Manager polls the server every 10 seconds (by default) to obtain the current state of the server. Is it possible that somebody has registered this server through EM with the incorrect password?

Good try, but I'm the only one that administers the server.
setbasedisthetruepath
Used SQL Salesman
992 Posts
Posted - 2002-05-31 : 13:02:52

So you think ...

setBasedIsTheTruepath<O>
cre8tor
Starting Member
7 Posts
Posted - 2002-05-31 : 13:17:21

lol - I just put a super-long, super-duper complicated password on the sa account. I have to write it down to remember it. j/k
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-01 : 01:20:16

Hi,

Here are a few other ideas that might help you sleep better at night.

First up, change the port that SQL Server uses. Pick another one and use that; I am assuming the worm is only trying 1433.

Another thing you might be able to do is firewall off access to your SQL server but set up a VPN. This way you need to authenticate with the VPN before you can log in to your server. That is a little more work, but it will stop random scans from being successful.

Good luck

Damian

Edited by - merkin on 06/01/2002 01:22:40
cre8tor
Starting Member
7 Posts
Posted - 2002-06-03 : 16:12:53

It would be nice if the logs contained IP address information. Does anyone know if there is a way to do this?
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-03 : 19:15:55

You might want to look at getting an Intrusion Detection System (IDS) as well. It will log all of that goodness. You can get the open source Snort or go and spend some megabucks on an enterprise solution from CA or someone like that.

Damian
cre8tor
Starting Member
7 Posts
Posted - 2002-06-04 : 18:01:15

Merkin, I owe you one bud. Snort is absolutely fantastic! Within 10 minutes it has logged port scans, the sa logon attempts and attacks on the IIS server. The netblock of the sa logon attempts is from Bell South so I shot out an email to their network admin.

Thanks again, I owe you one