Security Question | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Security Question

Hi All, In my SQL Server Logs, I’m getting periods of time where this messages appears: Login failed for user ‘sa’ multiplie times within minutes. Sometimes the a different user name is used: Login failed for user ‘server’
Login failed for user ‘sql’
Login failed for user ‘database’
Login failed for user ‘admin’
Login failed for user ‘root’
Login failed for user ‘user’ Is this someone trying to hack into my server?!? Thanks,
Larry
Hi Larry, Yes it definitely looks very suspicious. This is not normal for a production system Cheers
Twan
See what process is currently on SQL server while these failed messages were logged.
What is default netlib used?
What is the authentication mode used?
Take help of PROFILER & PERFMON by capturing counters and trace. Also have a look at event viewer for any information on network performance.
If possible get network sniffer to scan for any issues. _________
Satya SKJ
Moderator
SQL-Server-Performance.Com

Are you seeing these messages in SQL Server error logs ? I thought login failures will not be recorded into error logs. You may enable security audit on O/S level to attempt to see which workstations these requests are coming from.
If the SQL Server audit level is set to Failure then you will see the above error messages.
The same will be recorded in event viewer Security logs. _________
Satya SKJ
Moderator
SQL-Server-Performance.Com

]]>