LockedMicrosoft SQL sa password hack

2006/06/09 11:10:03 (permalink)

Microsoft SQL sa password hack

Hello we are running HC with a remote MS SQL 2005 server. When setting up the SQL server for HC it was necessary to allow sa login from remote servers in order for HC to manage SQL Server databases from the primary server.

The problem with this setup is that the sa user now can be accessed from external servers anywhere and we are receiving 1000s of hack attempts at the sa password per hour. Eveytime we block a hacking ip address within hours theres another one trying to get in.

What is the solution for this issue? Do you have a support article that can be supplied with the solution?

Thank you,

8 Replies Related Threads

    HC Team
    Hosting Controller
    RE: Microsoft SQL sa password hack 2006/10/06 08:34:47 (permalink)
    As you have configured SQL Server on remote machine therefore you must have to allow remote connections to make it work and allow servers to connect remotely option will always true. The only solution is to keep your ¬sa¬ password very secure.
    Junior Member
    RE: Microsoft SQL sa password hack 2006/12/06 09:33:09 (permalink)
    When you allow remote access to extenal users,. well.. that pretty much sums it up. ALL users can access.
    However,. if you decided to split the services so that MSSQL server will run from a diff dedicated box, you could use internal IPs via a second NIC card.
    I don¬t know if you want that solution, but that will enable you to have your server in a protected area far from outside users, yet keep it on a separate box. Perhaps a help to remove a load from primary box.
    RE: Microsoft SQL sa password hack 2006/12/06 17:43:39 (permalink)

    HC Support and SupermanInNY,

    Thank you for the postings, I had an idea on how to resolve this issue, but wanted to see if anyone else had a solution.

    SupermanInNY, I don’t think that your solutions would work in a shared hosting environment, because it would probably block anyone trying to access the server from a remote sql server client (enterprise manager, etc.) or ip address (website connecting from outside to our sql server).

    The problem seems to be related to the sa user which is known as the admin user for ******* hackers.


    Solutions I will try:

    1. Create my own user on the sql server and set the users permissions to the same privileges as the admin (sa) user. This can probably be further locked down because HC does not seem to need all sa privileges (i.e. HC needs: create/delete user, create/delete database, backup/restore database, anything else?).

    2. Lock down the sa user to only allow connections for sa on the local sql server (no remote access for sa), I believe this is the default setup when installing sql 2005.

    3. Finally, update HC My Server :: Configure Database :: Configure MS-SQL for the new user create in step 1.

    Is there any reason why this would not work?

    If it works for mssql I will probably do the same for the root user in mysql.

    Any input would be appreciated.

    Thank you
    Premium Member
    RE: Microsoft SQL sa password hack 2006/06/22 14:58:10 (permalink)
    Ok i know what your issue is with this, we have the same problem its a pain

    Rename the sa user to say sqladmin
    Set a really long random password i mean long

    Create a new sql user called sa, create a really long random password not the same as the sqladmin account

    Give the new sa account access to the tempdb make sure it doesn’t have master db access

    Disable the sa user account, you can do this in the users account properties, then lock it out etc.

    Now you will still get login attempts but they aren’t an issue

    Oh a couple of weeks ago i altered our server status page
    go to the bottom it shows you how many attempted logins to the sql server since service restart, all though I can’t separate them into successful and unsuccessful yet

    Hope this helps, we have a really secure server setup now with loads of mods!!!!
    Senior Member
    RE: Microsoft SQL sa password hack 2006/07/19 08:54:26 (permalink)
    I have spent a lot of time to analyse the safest way to provide SQL Server to our users, because in all security guidelines from Microsoft, it is strongly recommended not to allow direct access to MS SQL Server!

    And here is what we have done:
    We have MS SQL Server on remote server and we have denied direct access to that SQL Server.

    We bought third party web application for MS SQL Server administration, called MyLittleAdmin, and installed it on primary web server, where HC resides.

    So this way, using MyLittleAdmin, there is no need to allow direct access to MS SQL Server from any IP other than our HC server.

    Of course, some users asked to connect using Enterprise Manager, but since MyLittleAdmin¬s GUI is very similar to EM, they accepted to administer their database this way.

    Hope this will help.
    Premium Member
    RE: Microsoft SQL sa password hack 2006/07/20 11:10:03 (permalink)
    Hi, Sir

    Sorry to butt in :) This tiny program is free?

    Theres also one called SQL Manager which comes with SQL, but support is not officialy given by MS. Theres still one more option in Java, I believe.

    BTW, do you know if its possible, when a user connects via EM, not to see the other users databases in a shared environment?

    RE: Microsoft SQL sa password hack 2006/10/22 09:54:39 (permalink)
    The safest way to run a shared SQL Server is to have him completely disconnected from the outside world. Here is how I have things setup on my system: -> - Public IP's SERVER 1 -> -> -> ->> - Public IP's SERVER 2 -> -> -> -> - SQL SERVER (No public IP) - BACKUP SERVER (No public IP)

    Added: And I don't allow anyone to publicly use the Enterprise SQL Manager. The two customers who need to use it are VPNing into the datacenter with permissions to access only the SQL SERVER and they are then managing it through the private tunnel.
    Premium Member
    RE: Microsoft SQL sa password hack 2006/10/24 08:26:30 (permalink)
    Our method still works, we get stacks of connections but no one has really DOS'ed us yet, i think the max attack we've had is 200kb/s, we now have 2z 100Mb to the net over two servers and two dc's, all internal file transfers between the servers are done over a second 100mb connection.

    On our new boxes the sa account exists but ive now gone for 80 character password, just for the hell of it.

    Stats from our site
    Login / Connection Attempts = 233055 Since last service restart
    SQL Server Uptime (Since MS SQL Service Restart)
    1 day(s) 15 hour(s) 48 minute(s) 59 second(s)

    So in 1 day 15hrs 233,055 connection attempts, it gets quite crazy sometimes but the method does work.

    I do agree with your setup of mssql hidden from the public but we wanted to offer sql managment studio access to clients if they wanted it.

    To be honest all these login attempts dont bother me, it doesnt effect general performance etc. Were going for a load balanced mssql 2005 setup shortly so any login attempts will be sent to both servers.

    We may build a program to look through the event logs for invalid login attempts after so many invalid logins from a certain ip it would be blocked through IPSec.

    Chris Daley
    Dwebs Ltd Director :: Company No. 05603664 :: Phone No. (UK) 0870 803 4423
    www.Dhosting.co.uk - Web Hosting, Domain Registration, Windows 2003 NLB Cluster with HC 6.1!!!
    www.Dwebs.ltd.uk - Web Design & Other Services
    My views are my own and not those of my company.
    Jump to: