Microsoft SQL sa password hack

Author
postamatic
Member
2006/06/09 11:10:03 (permalink)

Microsoft SQL sa password hack

Hello we are running HC with a remote MS SQL 2005 server. When setting up the SQL server for HC it was necessary to allow sa login from remote servers in order for HC to manage SQL Server databases from the primary server.

The problem with this setup is that the sa user can now be accessed from external servers anywhere, and we are receiving 1000s of hack attempts at the sa password per hour. Every time we block a hacking IP address, within hours there's another one trying to get in.

What is the solution for this issue? Do you have a support article that can be supplied with the solution?

Thank you,
#1


    HC Team
    Hosting Controller
    RE: Microsoft SQL sa password hack 2006/10/06 08:34:47 (permalink)
    As you have configured SQL Server on a remote machine, you must allow remote connections to make it work, and the allow servers to connect remotely option will always be true. The only solution is to keep your 'sa' password very secure.
    #2
    SupermanInNY
    Junior Member
    RE: Microsoft SQL sa password hack 2006/12/06 09:33:09 (permalink)
    When you allow remote access to external users... well, that pretty much sums it up. ALL users can access.
    However, if you decided to split the services so that the MSSQL server will run from a different dedicated box, you could use internal IPs via a second NIC card.
    I don't know if you want that solution, but that will enable you to have your server in a protected area far from outside users, yet keep it on a separate box. Perhaps a help to remove load from the primary box.
    #3
    postamatic
    Member
    RE: Microsoft SQL sa password hack 2006/12/06 17:43:39 (permalink)

    HC Support and SupermanInNY,

    Thank you for the postings, I had an idea on how to resolve this issue, but wanted to see if anyone else had a solution.

    SupermanInNY, I don’t think that your solutions would work in a shared hosting environment, because it would probably block anyone trying to access the server from a remote sql server client (enterprise manager, etc.) or ip address (website connecting from outside to our sql server).

    The problem seems to be related to the sa user which is known as the admin user for ******* hackers.

    ====

    Solutions I will try:

    1. Create my own user on the sql server and set the users permissions to the same privileges as the admin (sa) user. This can probably be further locked down because HC does not seem to need all sa privileges (i.e. HC needs: create/delete user, create/delete database, backup/restore database, anything else?).

    2. Lock down the sa user to only allow connections for sa on the local sql server (no remote access for sa), I believe this is the default setup when installing sql 2005.

    3. Finally, update HC My Server :: Configure Database :: Configure MS-SQL for the new user created in step 1.

    Is there any reason why this would not work?

    If it works for mssql I will probably do the same for the root user in mysql.

    Any input would be appreciated.

    Thank you
    #4
    Dhosting.co.uk
    Premium Member
    RE: Microsoft SQL sa password hack 2006/06/22 14:58:10 (permalink)
    Ok, I know what your issue is with this; we have the same problem, it's a pain.

    Rename the sa user to say sqladmin
    Set a really long random password, I mean long

    Create a new SQL user called sa, with a really long random password, not the same as the sqladmin account

    Give the new sa account access to the tempdb make sure it doesn’t have master db access

    Disable the sa user account, you can do this in the users account properties, then lock it out etc.

    Now you will still get login attempts, but they aren't an issue

    Oh, a couple of weeks ago I altered our server status page
    http://www.dhosting.co.uk/status.php
    go to the bottom; it shows you how many attempted logins to the SQL server since service restart, although I can't separate them into successful and unsuccessful yet

    Hope this helps, we have a really secure server setup now with loads of mods!!!!
    #5
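    Added example, not from the thread or from Hosting Controller: the sa hardening that posts #4 and #5 describe, written as T-SQL for SQL Server 2005. The login name hc_admin, the server roles given to it and every password are placeholders and assumptions; what HC actually needs has to be confirmed against the product.

```sql
-- Added example (not from the thread or Hosting Controller): T-SQL for the
-- sa hardening described in posts #4 and #5, on SQL Server 2005.
-- hc_admin, its role set and all passwords are placeholders/assumptions.
USE master;
GO
-- 1. Dedicated login for HC instead of sa. The fixed server roles below are an
--    assumed least-privilege set (create/drop databases, manage logins, kill
--    sessions); confirm against what HC actually needs before relying on it.
CREATE LOGIN hc_admin
    WITH PASSWORD = '<long random password - placeholder>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
EXEC sp_addsrvrolemember 'hc_admin', 'dbcreator';
EXEC sp_addsrvrolemember 'hc_admin', 'securityadmin';
EXEC sp_addsrvrolemember 'hc_admin', 'processadmin';
GO
-- 2. Rename the real sa, give it its own long random password and disable it.
--    SQL Server 2005 cannot restrict a login by source address, so disabling
--    the renamed sa is the practical form of "local only"; do the network-level
--    restriction with IPSec or the firewall.
ALTER LOGIN sa WITH NAME = sqladmin;
ALTER LOGIN sqladmin WITH PASSWORD = '<different long random password - placeholder>';
ALTER LOGIN sqladmin DISABLE;
GO
-- 3. Decoy named sa (post #5): no server roles, default database tempdb,
--    disabled, so attempts against the well-known name hit a dead account.
CREATE LOGIN sa
    WITH PASSWORD = '<third long random password - placeholder>',
         DEFAULT_DATABASE = tempdb;
ALTER LOGIN sa DISABLE;
GO
-- Check: disabled state and role membership of the three logins touched.
-- Expected: hc_admin enabled and dbcreator, sqladmin disabled and sysadmin,
-- the decoy sa disabled and member of neither.
SELECT p.name, p.is_disabled,
       IS_SRVROLEMEMBER('sysadmin',  p.name) AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator', p.name) AS is_dbcreator
FROM sys.server_principals AS p
WHERE p.name IN ('sa', 'sqladmin', 'hc_admin');
GO
```

    Run it as an existing sysadmin from a local session, and point HC at hc_admin (post #4, step 3) before disabling the renamed sa, or HC loses its connection.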
    YoWmc
    Senior Member
    RE: Microsoft SQL sa password hack 2006/07/19 08:54:26 (permalink)
    I have spent a lot of time analysing the safest way to provide SQL Server to our users, because in all security guidelines from Microsoft, it is strongly recommended not to allow direct access to MS SQL Server!

    And here is what we have done:
    We have MS SQL Server on a remote server and we have denied direct access to that SQL Server.

    We bought a third party web application for MS SQL Server administration, called MyLittleAdmin, and installed it on the primary web server, where HC resides.

    So this way, using MyLittleAdmin, there is no need to allow direct access to MS SQL Server from any IP other than our HC server.

    Of course, some users asked to connect using Enterprise Manager, but since MyLittleAdmin's GUI is very similar to EM, they accepted to administer their database this way.

    Hope this will help.
    #6
    FL-ex
    Premium Member
    RE: Microsoft SQL sa password hack 2006/07/20 11:10:03 (permalink)
    Hi, Sir

    Sorry to butt in :) Is this tiny program free?

    There's also one called SQL Manager which comes with SQL, but support is not officially given by MS. There's still one more option in Java, I believe.

    BTW, do you know if it's possible, when a user connects via EM, not to see the other users' databases in a shared environment?

    Thanks
    #7
    twizted
    Member
    RE: Microsoft SQL sa password hack 2006/10/22 09:54:39 (permalink)
    The safest way to run a shared SQL Server is to have it completely disconnected from the outside world. Here is how I have things set up on my system:

    60.50.50.1 -> 192.168.0.1 - Public IP's SERVER 1
    60.50.50.2 -> 192.168.0.2
    60.50.50.3 -> 192.168.0.3
    60.50.50.4 -> 192.168.0.4
    60.50.50.5 -> 192.168.0.5

    60.50.50.10 -> 192.168.0.10 - Public IP's SERVER 2
    60.50.50.11 -> 192.168.0.11
    60.50.50.12 -> 192.168.0.12
    60.50.50.13 -> 192.168.0.13
    60.50.50.14 -> 192.168.0.14

    192.168.0.150 - SQL SERVER (No public IP)
    192.168.0.151 - BACKUP SERVER (No public IP)

    Added: And I don't allow anyone to publicly use the Enterprise SQL Manager. The two customers who need to use it are VPNing into the datacenter with permissions to access only the SQL SERVER and they are then managing it through the private tunnel.
    #8
    Dhosting.co.uk
    Premium Member
    RE: Microsoft SQL sa password hack 2006/10/24 08:26:30 (permalink)
    Our method still works; we get stacks of connections but no one has really DOS'ed us yet. I think the max attack we've had is 200kb/s. We now have 2x 100Mb to the net over two servers and two DCs; all internal file transfers between the servers are done over a second 100Mb connection.

    On our new boxes the sa account exists, but I've now gone for an 80 character password, just for the hell of it.

    Stats from our site
    Login / Connection Attempts = 233055 Since last service restart
    SQL Server Uptime (Since MS SQL Service Restart)
    1 day(s) 15 hour(s) 48 minute(s) 59 second(s)

    So in 1 day 15hrs, 233,055 connection attempts; it gets quite crazy sometimes, but the method does work.

    I do agree with your setup of MSSQL hidden from the public, but we wanted to offer SQL Management Studio access to clients if they wanted it.

    To be honest, all these login attempts don't bother me; it doesn't affect general performance etc. We're going for a load balanced MSSQL 2005 setup shortly, so any login attempts will be sent to both servers.

    We may build a program to look through the event logs for invalid login attempts; after so many invalid logins from a certain IP, it would be blocked through IPSec.

    __________________
    Chris Daley
    Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423
    www.Dhosting.co.uk - Web Hosting, Domain Registration, Windows 2003 NLB Cluster with HC 6.1!!!
    www.Dwebs.ltd.uk - Web Design & Other Services
    My views are my own and not those of my company.
    #9
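    Added example, not from the thread: the log check Chris describes above, done in T-SQL against the SQL Server 2005 error log through xp_readerrorlog rather than the Windows event log. The 60-minute window and the threshold of 20 failures are assumed values. It only produces the candidate list; blocking those addresses with IPSec or the firewall is a separate step.

```sql
-- Added example (not from the thread): list source addresses with many failed
-- logins in the current SQL Server 2005 error log, as input for an IPSec block.
-- Window (60 minutes) and threshold (20 failures) are assumed values; tune them.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(50), LogText nvarchar(max));

-- Current log (0), SQL Server log type (1), filtered on the error 18456 text.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, 'Login failed for user';

-- Each entry ends with "[CLIENT: a.b.c.d]"; cut the address out of that token.
WITH failed AS (
    SELECT LogDate,
           SUBSTRING(LogText, CHARINDEX('[CLIENT: ', LogText) + 9,
                     CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                     - CHARINDEX('[CLIENT: ', LogText) - 9) AS client_ip,
           CASE WHEN LogText LIKE '%for user ''sa''%' THEN 1 ELSE 0 END AS is_sa
    FROM #errlog
    WHERE LogText LIKE '%[[]CLIENT: %'
      AND LogDate >= DATEADD(minute, -60, GETDATE())
)
SELECT client_ip,
       COUNT(*)     AS failures,
       SUM(is_sa)   AS sa_failures,   -- how many of them targeted the sa name
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM failed
WHERE client_ip <> '<local machine>'  -- shared-memory logins log this literal
GROUP BY client_ip
HAVING COUNT(*) >= 20
ORDER BY failures DESC;
```

    Schedule it as an Agent job and feed the result to a netsh ipsec or firewall script; whitelist your own HC server and office addresses first, since a mistyped password from them would otherwise lock you out.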