MS SQL security

andybrooke
Hi,

I recently installed the Express version and today noticed in the event log a lot of logon attempts, it seems. Then they stop and there are a lot of successes; now the failures are from an IP I don't know of. Also looking at the success on it says now I or nobody has made any connections to the server. I'm a little confused as to what is going on; possibly someone trying to hack in?

Is there a way to only allow 3 logon attempts per IP?

Login succeeded for user 'GREGSON\Administrator'. Connection made using Windows authentication. [CLIENT: <local machine>]

Author

Commented:
event log
event.JPG
Raja Jegan R
SQL Server DBA & Architect, EE Solution Guide
Awarded 2009
Distinguished Expert 2018

Commented:
>> Then they stop and there are a lot of successes; now the failures are from an IP I don't know of.

You need to concentrate more on the failed attempts and find out the reason for the failed logins from that server or machine, and whether they are done manually or through an application.

>> Also looking at the success on it says now I or nobody has made any connections to the server.

Kindly check whether any background activities are scheduled on your server which might trigger this kind of scenario.

>> Is there a way to only allow 3 logon attempts per IP?

You can't do it that way.
Top Expert 2012

Commented:
You do not have SQL Server behind a firewall?  If that is the case you are just asking for trouble.

Author

Commented:
Hi,

I do have it behind a firewall but I did open the port for MS SQL so I could do some testing from home to the database. I'm going to change it from the standard port of 1433 to something else.
Top Expert 2012

Commented:
>>I did open the port for MS SQL so I could do some testing from home to the database.<<
You should not do that.  If you need to do that, then use a VPN.

>>I'm going to change it from the standard port of 1433 to something else.<<
Unfortunately, that will not help much.

Good luck.

Author

Commented:
If I change the port number, surely this would stop attacks, as how would people / crawlers know that the open port was related to an MS SQL server?

What VPN software do you suggest?
Thanks
Top Expert 2012

Commented:
>>If I change the port number, surely this would stop attacks, as how would people / crawlers know that the open port was related to an MS SQL server?<<
It would take them all of 2 minutes longer to find the open port.

>>What VPN software do you suggest?<<
I have no idea.
SQL Server DBA & Architect, EE Solution Guide
Awarded 2009
Distinguished Expert 2018
Commented:
>> It would take them all of 2 minutes longer to find the open port.

Agreed.
It's easier, using the many tools available, to find the list of open ports on a server, and the ports that are in LISTENING state would be the ones that are used for SQL Server.
Just a random check would allow users to try logging in to your server, as in your case.

If possible, allow connections only from the known users / logins to this database server, considering its security.
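
The following is an added example, not posted by anyone in this thread: a Python script that tallies SQL Server login audit messages per client address, following the advice above to concentrate on the failed attempts. The log lines are constructed samples (documentation-range IPs, hypothetical logins) in the same format as the success message quoted in the question; the function name and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Matches SQL Server login audit messages such as the one quoted in the question.
LOGIN_RE = re.compile(
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample input (not taken from the asker's server).
FAILED = "Login failed for user '{u}'. Reason: Password did not match that for the login provided. [CLIENT: {ip}]"
SAMPLE_LOG = (
    [FAILED.format(u="sa", ip="203.0.113.45")] * 5
    + [FAILED.format(u="andy", ip="198.51.100.7")]
    + ["Login succeeded for user 'andy'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]"]
    + [r"Login succeeded for user 'GREGSON\Administrator'. Connection made using Windows authentication. [CLIENT: <local machine>]"]
)

def summarize_logins(lines, threshold=3):
    """Tally login results per client and flag clients that need a closer look."""
    failures = Counter()
    successes = {}  # client -> set of logins that succeeded from it
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login audit message
        client = m["client"].strip()
        if m["result"] == "failed":
            failures[client] += 1
        else:
            successes.setdefault(client, set()).add(m["user"])
    # Clients with more failures than the threshold: candidates for a firewall block.
    over = sorted(c for c, n in failures.items() if n > threshold)
    # A success from a client that also failed may be a typo or a guessed password.
    mixed = sorted(c for c in successes if failures[c] > 0)
    return {
        "failures": dict(failures),
        "over_threshold": over,
        "failed_then_succeeded": mixed,
    }

if __name__ == "__main__":
    for key, value in summarize_logins(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Addresses listed under `over_threshold` that are not yours are the ones to keep away from the SQL Server port at the firewall; any entry under `failed_then_succeeded` should be matched to a known user before it is dismissed.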

Author

Commented:
Didn't really get the answer I was after.
