Login failed for user 'sa'. Reason: Password did not match that for the login provided.

Posted on 2009-12-22
Last Modified: 2012-05-08
What is the best way to stop an intruder trying to access a sqlserver database?
We do have a firewall and a strong-typed password for the 'sa' account, but it seems like every day we see different people trying to access our database engine with the 'sa' account.  We keep adding IPs to a block list, but that is getting old.
Question by:sahkeah
    LVL 4

    Expert Comment

    Block port 1433 at the firewall.

    Author Comment

    I'll have to check that, but I think we have both ports 1433 and 1434 blocked.

    Is that the only way that they can access, if those ports are open?

    Thanks for the quick response.
    LVL 46

    Expert Comment

    Seems to me you have what lawyers call an "attractive nuisance".  It is like asking what is the best burglar alarm to use when you leave keys in the car overnight.

    Don't approach the problem by treating the symptoms.  Make the problem go away.  What is the necessity of the database being accessible in the first place to any system other than the one(s) that have need for doing queries?  Is there a php/html box that is on the internet that is also running SQL?  If so, move the database to a different machine and set it up with a dedicated ethernet card?

    Author Comment

    We just moved SqlServer 2008 to another server, and this Windows server is 2008.
    On the other server, we use it as a 'web server', hosting the client sites.
    The client accesses their sites and the site queries the database.
    Since we are having issues with the bigger databases, we kept 3 of them on the web server.
    The web server is also running sqlserver 2005.
    None of this was happening, until we added the other server.
    LVL 16

    Expert Comment

    Either that or they were getting in before.
    LVL 46

    Expert Comment

    Understood, didn't mean to get on a soapbox. But it is incredibly difficult to lock down a web server that also hosts the database.  Imagine all of the crappy HTML, java/javascript, php, that people run on webservers along with buggy MSFT .NET, DLLs, and other well-known exploits that any script kiddie can exploit through well-known hacks.

    It is just a losing battle.  Sorry, but that is just the way it is.  You can't control the quality of client code, and as you have seen, it is being attacked. You are just looking for problems, especially, God forbid, if there are any credit cards or medical records in ANY of your databases.  Established best practice is to separate the databases from the external web servers.  If there is ever a successful break-in and sensitive information is compromised, then you are legally liable.  Charge the client extra and make them set up another server if they can't clean up their code to prevent people from sending out SQL code or getting as far as they have.

    It is irresponsible (sorry about the soapbox, but this is one of those times where you need to hear it ..) to put your entire business at risk by not locking down databases properly.  One breach and you have to make it public, and your customers will not only go away, but those customers who are into SarBox, auditing, etc.. may just want to see all of your security logs to see if it is possible that any of THEIR databases were read.  Again, if this is medical, financial, government, or one of many other things then system managers risk criminal prosecution.  It just isn't worth it.  If your company's senior management is willing to take the risk, then at least explain best practices and database risk assessment in an email with recommendation to separate the database and keep a copy for yourself.

    Then, at least, you have CYA.  (I am not an attorney, but have been involved in some litigation between third parties and a break-in, and it got really ugly).

    LVL 57

    Accepted Solution

    Some best practices:

    1. Create one user with sysadmin privileges.
    2. Disable the sa account and use that account instead, because people might try cracking the sa user account, which is well known to everyone.
    3. Set SQL Server to listen on port other than default port 1433
    4. Enable SQL Server Browser if your SQL Server hosts more than one instance. Else disable SQL Server Browser Service and port 1434

    Step 2 clearly would help you to solve your problem.
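
Steps 1 and 2 of the accepted answer as T-SQL, an added example that is not part of the original post. The login name `dba_admin` and the password are placeholders; the guard that refuses to disable `sa` unless another enabled sysadmin exists is an addition, not something the thread specifies.

```sql
-- Added example (SQL Server 2005/2008 syntax). Run while connected as an
-- existing sysadmin. 'dba_admin' and the password are placeholders.

-- Step 1: create the replacement administrative login with the Windows
-- password policy and expiration enforced, then grant it sysadmin.
CREATE LOGIN [dba_admin]
    WITH PASSWORD = N'<replace-with-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
EXEC sp_addsrvrolemember @loginame = N'dba_admin', @rolename = N'sysadmin';

-- Step 2: disable sa, but only if another enabled login already holds
-- sysadmin, so the instance is never left without an administrator.
-- sa is matched by its fixed SID (0x01) in case it has been renamed.
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND m.sid <> 0x01
      AND m.is_disabled = 0
      AND m.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
)
    ALTER LOGIN [sa] DISABLE;
ELSE
    RAISERROR(N'No other enabled sysadmin login found; sa left enabled.', 16, 1);

-- Verify: is_disabled should be 1 for the sa row.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- Show which TCP port the current connection came in on, to confirm the
-- listener settings from steps 3 and 4 (NULL for non-TCP connections).
SELECT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Log in once as the new account before relying on it. Attempts against the disabled `sa` login still appear in the error log as error 18456, but they can no longer succeed.
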
    LVL 16

    Expert Comment

    I agree with rrjegan17.  The steps posted would go a long way toward fixing the issue.

    Author Comment

    Thanks all for the great comments.
    Here is more information gathered so far:

    1. Disabled the 'sa' account.
       This was disabled, but the logs are still showing user or intruder trying to access.
       (Can I just remove this account?)
    2. Sql Server Configuration Manager.
       Disabled client protocols still present for default instance not being used.
    3. Ports 1433 and 1434.
       We should go ahead and change these ports or the numbers, as these are common ports used by SqlServer.

    Initially, we installed SqlServer 2005 and we need to do an uninstall on this engine.
    A.  Services have been stopped.
    B.  Network protocols on this default instance, were still enabled!

    That is why we are using port 1434, as when we installed Sqlserver 2008, we had to use
    a named instance.  Hence, a different port other than the default 1433 used for the default named instance.

    What is the port number range that can be used?  Meaning 1111 - 9999?

    Thanks again.
    LVL 57

    Expert Comment

    by:Raja Jegan R
    >> This was disabled, but the logs are still showing user or intruder trying to access

    No, just disabling would be sufficient; ignore the users trying to access using the sa account, since it is already disabled.
    But find out the root cause of why and how they are trying to use it.

    >> What is the port number range that can be used?  Meaning 1111 - 9999?

    If I suggest a port no., then I can access using it, right? (Keep it confidential and decide on a unique port which is not currently in use.)
    That should be sufficient.
