Looks like someone or something is trying a brute force attempt at logging into our production SQL Server instance with the 'sa' account. They haven't been successful because our 'sa' account is disabled, but what steps should I take to make sure things are secure?
Does your SQL server need to be publicy available to the Internet? This is usually not the case. If it absolutely has to be this way, you could restrict access by IP address or maybe set up a VPN. Obviously, make the sa password unguessable or see about restricting sa login locations from only your LAN ip addresses. Please provide more details so others can assist you with better solutions.
The first thing you could do is start by blacklisting that IP address, and outright denying ANY traffic from their IP at your firewall. Of course, they may just change IPs, but at the least it'll stop them from bombarding your server with traffic and logs.
The login attempts to involve attempts to inject some malicious code. I recommend blocking this activity with a permanent blacklist using either the server's firewall software or a third party external firewall.
Also, reduce the number of allowed login failures as this will automatically block the intruder's IP address.
Above will minimise this.
Disable that port (MySQL is 3306; don't recall SQL Server's port, maybe 118?) through the firewall. Then no one can access it.
If outside access to SQL is needed, remap it to a high-numbered port, like 53535. If anyone figures out that port is open, it will be hard to guess its significance.
It's probably just some script kiddie running a scanner and not worth your time pursuing. I would look at not having your database accessible from the Internet.
If your SQL Server must be accessible outside of your netowrk, you can Whiteliste the outside IP addresses needing access. VPNs are a better solution, (but not always available), and best solution is no outside access.
Whitelisting requires more management, but it removes this silliness. If someone needs access and they have a frequently changing IP, then they can login to a different system via RDP and connect to the SQL Server from there.
Rename the sa account, create a bogus sa account, and disable it.
Audit permissions and trigger a password update for all SQL Server User Accounts; maybe increase password strength requirements.
Renumber the SQL Server IP listening port. This means updating client configurations or application configuration files.
I agree with other posters regarding probable next attack vectors and this is probably someone running a script.
For anyone looking for an program that will create the IPSEC policy, filters, etc and automatically scan the event log and add IP's to the block list, I've written a small program that does just that.
I had this problem too where my event log would be filled with thousands of entries for hackers attempting to login to my MSSQL instance with the 'sa' login. After much searching, I decided to write my own program, have it create the neccessary IPSEC items, and then scan the event log every 60 seconds for attacks from new IP addresses. It then adds the IP address to the IPSEC filter, and blocks all traffic to and from the IP. I have only tested this on Windows Server 2008, but believe it will work on other versions as well.
Feel free to download the program using the link below. Donations are always appreciated using the link in the right-click menu of the taskmanager icon.
http://www.cgdesign.net/programs/AutoBlockIp.zip
Please note that this only works for SQL login attempts using the 'sa' login, but I could modify it to work for other log events as well. Also, you can view the IP's that have been blocked, but you will continue to see some items in the event log since the program only runs every 60 seconds. This is due to not being able to delete a single event log entry, and I didn't think deleting the entire log would be a good idea.
DISCLAIMER - By downloading and installing the above-mentioned program, you agree to hold me harmless for any damage, loss of data, corruption, or any other functionality issues resulting from the use of said software. I have tested the program to the best of my ability and currently have it running on 2 servers, but you have been warned to use at your own risk.
Any questions or comments, please feel free to get in touch with me using the contact form on my website at www.cgdesign.net
-Chris
You ought to restrict login attempts, so if the same user tries to log in more than 5 times, they are blocked from any further attempts for a few hours or a day. At least then they cannot brute force a login after a million attempts.
And like others have said, don't allow public access if it's not necessary. You can restrict access to a set of known IPs if some people need outside access.