Re: Too many sa failed logins
- From: "Simon Hayes" <sql@xxxxxxxx>
- Date: Fri, 5 Aug 2005 01:04:44 +0200
"John Dalberg" <johnd@xxxxxxxxxxxx> wrote in message
news:xz07aent6ftr.1g83xxhvdhwdi$.dlg@xxxxxxxxxxxxx
>
> The event log is showing a ton of failed sa logins. The server is
> connected
> to the net. I am assuming this is a dictionary attack to get the sa
> password. I am trying to find out if this is an inside attempt or from the
> outside. While the profiler will tell me which program or script is
> sending
> it, how do I find out which ip address(s) from the net is doing this?
>
>
> --
> John Dalberg
I don't have a real answer to your question, but exposing a database server
directly to the internet is somewhat unusual - can you use a VPN or some
other OS-level mechanism to prevent direct connections? Profiler can capture
some information about a failed login, but since the hostname and
application name can be set by the client, you can't trust the information
anyway. The best option for monitoring attempted connections would be at the
OS or network level - if a client doesn't authenticate with MSSQL, then the
database server has no good way to get information about it.
Simon
.
- Follow-Ups:
- Re: Too many sa failed logins
- From: byrocat
- Re: Too many sa failed logins
- References:
- Too many sa failed logins
- From: John Dalberg
- Too many sa failed logins
- Prev by Date: Re: index bloat?
- Next by Date: Difficult SQL-JOIN/UNION-Problem
- Previous by thread: Too many sa failed logins
- Next by thread: Re: Too many sa failed logins
- Index(es):
Relevant Pages
|
