I'm running a Windows 2003 Server, with MS SQL Server 2000 which is using
mixed mode security. The SQL server is being used for development and
testing purposes.
The server needs to be exposed to the internet as it is also accessed off
site.
When checking the Windows logs, the application log showed repeated failed
login attempts to the sa SQL account and new entries were being created at a
rate of a few a minute.
How can I find out the IP address of where these login attempts were coming
from?
And also how can I get the SQL server to ignore requests for this address or
maybe IP range?
To temporarily stop this I just disabled the TCP/IP network protocol for the
SQL server.
Thanks for any help,
Grant
Great questions:
How can I find out the IP address of where these login attempts were coming
from?
Answer: Best ways are either running Microsoft Network Monitor on the
server & make a capture of the traffic.
Or, netstat -an to capture the sessions connected via IP. To send a login
the client first needs to make a TCP session using the 3-way handshake.
and also how can I get the SQL server to ignore requests for this address or
maybe ip range?
Answer: By default there is no way to do this from SQL. You'd need to
configure a firewall in front of SQL to allow connection requests from only
one machine.
I've requested that we allow auditing for failed login requests & log the IP
address for the next release of SQL.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||Kevin McDonnell [MSFT] wrote:
> and also how can I get the SQL server to ignore requests for this address
> or maybe ip range?
> Answer: By default there is no way to do this from SQL. You'd need to
> configure a firewall in front of SQL to allow connection requests from only
> one machine.
If you are familiar with IPSec you could set up a custom IP Sec policy
to only allow connections from machines that you trust. You don't want
to specify who you deny, but instead specify who you trust.
> I've requested that we allow auditing for failed login request & log the IP
> address for the next release of SQL.
>
It would be nice if the auditing was built to use windows auditing,
however I'm sure that this is only available if using windows
authentication, and in this case it was sql auth that was tried.
Aaron Weiker
http://blogs.sqladvice.com/aweiker
http://aaronweiker.com/sql
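
An added example, not part of the original posts: a parser for saved `netstat -an` output that tallies the remote addresses holding TCP sessions to the SQL Server port, as suggested in Kevin's answer, and reports the ones outside a list of trusted networks, following the trust-list idea in Aaron's reply. It assumes the instance listens on the default TCP port 1433; the sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

SQL_PORT = 1433  # assumption: default SQL Server TCP port

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        203.0.113.45:4021      ESTABLISHED
  TCP    192.0.2.10:1433        203.0.113.45:4022      TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.7:50112     ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.7:50200     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

def remote_peers(netstat_text, port=SQL_PORT):
    """Count TCP sessions per remote IP whose local endpoint is `port`."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly: proto, local, foreign, state
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        if state == "LISTENING":
            continue  # the listener itself, not a client session
        if local.rsplit(":", 1)[1] != str(port):
            continue
        # strip the [] that netstat puts around IPv6 addresses
        peers[remote.rsplit(":", 1)[0].strip("[]")] += 1
    return peers

def untrusted(peers, trusted_nets):
    """Return the peers that fall outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return {ip: count for ip, count in peers.items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}

if __name__ == "__main__":
    peers = remote_peers(SAMPLE)
    for ip, count in untrusted(peers, ["198.51.100.0/24"]).items():
        print(f"{ip}: {count} session(s) to port {SQL_PORT} from outside the trust list")
```

Sessions in states such as TIME_WAIT are counted as well, since short-lived failed logins rarely stay ESTABLISHED long enough to be seen in a single snapshot.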
Wednesday, March 21, 2012