[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 465
  • Last Modified:

Login failed for user 'sa'.

In my event viewer, I am getting a Failure Audit message with source MSSQLSERVER that says Login failed for user 'sa'.  [CLIENT: 98.174.230.19].  All my databases use Windows Authentication.  Is this someone trying to hack the server?  If so, how do I stop it?
0
kdata
Asked:
kdata
1 Solution
 
SCarrisonCommented:
It would seem that a machine on the internet with the IP address 98.174.230.19 is attempting to login to your database server with the sa account.

Firstly, your database server should not be available directly via the internet - this is terribly bad practice from a security and sys admin point of view.  If your server is behind a firewall or router make sure that SQL ports are not being fowarded from the internet into your LAN.
0
 
kdataAuthor Commented:
Thanks for the advice.  I closed the port on the router and that stopped the intrusion without affecting our network access.  I am not sure why the port was open in the first place.
0
 
AmericomCommented:
Even you have set your SQL to use Windows Authentication, it does not mean that you cannot use the SA account. You may want to check on the client IP address and find out where ther actual source is coming from and if it's one of your SQL admin trying to use it. Or if there's any other admin tools trying to use that account.
0
 
zeltrustCommented:
I know this is a long time issue...may i know what port is that you closed??
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now