login failure

I get a LOT of these errors on the SQL server audit log

Event Type:      Failure Audit
Event Source:      MSSQLSERVER
Event Category:      Logon
Event ID:      18456
Date:            6/16/2013
Time:            8:31:02 PM
User:            N/A
Computer:      2003SERVER
Description:
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 173.208.191.52]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 0b 00 00 00 32 00 30 00   ....2.0.
0010: 30 00 33 00 53 00 45 00   0.3.S.E.
0018: 52 00 56 00 45 00 52 00   R.V.E.R.
0020: 00 00 07 00 00 00 6d 00   ......m.
0028: 61 00 73 00 74 00 65 00   a.s.t.e.
0030: 72 00 00 00               r...    


Does this mean someone is trying to hack the server from the web?  How do I stop this?
al4629740Asked:
Who is Participating?
 
hlapradeConnect With a Mentor Commented:
Not sure I am following your question, but using Windows Authentication Mode definitely you are able to endure you security applying specific policies to your cases and block a user after certain attempts, using Active Directory if you have one, but mostly I will focus on searching on your web server all SA users defined on string connections, because first, it is not a good practice to use SA to access your database from the your Web Server. Change your SA to a stronger pass, if you think that is really the case and then try to sniff your way to it, you can use wireshark but it is bit complex.
You can also use your command prompt at your db server and do

netstat -n -o >sniff.txt

That will create a text file on your local directory, that way you can see connections established to your DB server, you can do the same on your web server and again monitor and cross reference.

Luke
0
 
hlapradeCommented:
Hi al4629740, that is a pretty straight forward message, if I were you I will look for a string connection that do have the wrong password of the SA, maybe there was a password changed no long ago? How did you setup your access to your DB engine, Windows Authentication Mode or Mixed mode.
The best thing you should do is have your SA password changed again, use a strong password, I know is a pain in the rear end but it is important for security. Do you have any more extrange messages? Post them.
Another approach is trying to identify patterns, date time etc. If you really think you have a attempt to break in, use a sniffer to identify the ip trying to access your database and cross reference it to your event error date/time.

Luke
0
 
al4629740Author Commented:
Can I set the number of unsuccessful attempts to the database server Limiting that to about five or 10 entries
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.