Re: sa loginname being hacked
From: Joe Yong (NO_jyong_SPAM_at_scalabilityexperts.com)
Date: 10/19/05
- In reply to: Rob R. Ainscough: "Re: sa loginname being hacked"
Date: Tue, 18 Oct 2005 23:15:50 -0500
Yes, a ridiculously long password can make it difficult to get in though it
will still burn up a couple of cycles rejecting the wrong password.
Can't disable or rename SA in SQL Server 2000 but you can rename in 2005. In
the meantime, you can consider having SQL Server listen on a different port
if you can control how the users/apps will access SQL Server. Not a
foolproof solution but it makes it just a tad harder for the average script
kiddie since they're likely scanning default ports.
Auto blocking of IPs can be tricky to do right especially if the attacker is
smart about spoofing and the auto-blocker might block valid addresses (that
were temporarily spoofed).
SQL Server isn't so bad. I grew up with Oracle then moved to SQL Server. I
thought it was bad that Oracle had a handful of high permission accounts
that are left active on the server after they're used for the installation
process. When Oracle locked things down in 9i, I discovered there were
almost 20 such accounts (I only knew of a few before that). Point is, many
vendors were not as diligent back then as they are now. I can't think of
anyone that's guilt free.
Btw, your "bait and trap" is also known as a honeypot and has been used in
many agencies for a long time. It can be amusing watching them wander around
in your maze if you've got the graveyard shift and everything else is
running fine. :-)
joe.
"Rob R. Ainscough" <robains@pacbell.net> wrote in message
news:e5A%23HGC1FHA.2964@TK2MSFTNGP09.phx.gbl...
> Pipo,
>
> Use a long password -- it may be a matter of time, but even at a login
> attempt every 1 second it would be several million years before they'd
> even reach the 1/2 way point in possible combinations -- do the math, you
> can figure out how long it would take to process every possible
> combination. These types of hackers are really pretty stupid -- I find
> them annoying because of the resources they use on my SQL Server and
> bandwidth.
>
> I do a daily check using netstat -n and then just add new SQL hacker IP
> addresses to my IPSec blocking configuration. I'm coding a solution that
> can update my IPSec dynamically and re-open blocked IPs when/if they come
> clean -- couple of days coding in what little free time I have.
>
> Tis an annoying problem for sure and 90% of the attacks are from foreign
> countries (I live in the US) with the majority coming from Korea and few
> from Russia -- Russian attacks are easy to spot for me, takes them a good
> 10 seconds before they can even re-attempt a login.
>
> I'm also setting up a bait and trap SQL Server with fake CC info that is
> REAL easy to get into (not too easy or else the hacker may get suspicious)
> and then waiting for the 'real' identity to attempt to get in and extract
> data (also coding a program to help me with this on my own time) -- you
> might say I'm getting personal about these attackers. Hey someone has got
> to do it since Microsoft have dropped the ball and don't seem that
> interested. Of course, with IP spoofing nothing is really secure or
> guaranteed -- this is just to identify the lame hackers, but since most
> are in Korea it ain't like anything can be done about it (although I do
> have some ideas -- bait CC/SS numbers that when used request arrest of the
> person using it -- ya know, all the typical things that SHOULD be
> happening at large corporations and banks that have the resources but
> don't implement anything but do charge you for anti-identity theft).
>
> Rob.
>
> "Pipo" <Pipo@home.com> wrote in message
> news:OAK3n%23l0FHA.560@TK2MSFTNGP12.phx.gbl...
>> Hi,
>>
>> Is there a way to change the sa as loginname?
>> At work we are getting hacked by 'brute-force', every second we are being
>> attacked with sa and a password.
>> It's a matter of time when the password will be hacked, so changing the
>> password isn't a solution.
>> If we also can change the sa loginname we will be better off.
>> Or is there something else we can do to prevent the hackers to get our sa
>> password?
>>
>> Many thanks
>>
>
>
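The daily `netstat -n` review mentioned in the thread, combined with the caution about auto-blocking valid addresses, as an added example that is not code from any of the posters. It assumes Windows-style `netstat -n` output, the default SQL Server port 1433, and a hypothetical allow-list and threshold; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -n` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1433        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:1433        198.51.100.7:4022      TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.7:4023      TIME_WAIT
  TCP    192.0.2.10:1433        198.51.100.7:4024      TIME_WAIT
  TCP    192.0.2.10:1433        203.0.113.25:51200     ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.50:2001        ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.50:2002        ESTABLISHED
  TCP    192.0.2.10:1433        192.0.2.50:2003        ESTABLISHED
  TCP    192.0.2.10:3050        203.0.113.99:1433      ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.25:51300     ESTABLISHED
"""

def remote_peers(netstat_text, port=1433):
    """Count inbound connections per remote IP where the LOCAL port is `port`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # skip headers, blank lines, UDP rows
        if fields[1].rpartition(":")[2] != str(port):
            continue  # outbound sessions and other services are not SQL logins
        host = fields[2].rpartition(":")[0].strip("[]")
        try:
            counts[ipaddress.ip_address(host)] += 1
        except ValueError:
            continue  # unparseable foreign address
    return counts

def block_candidates(counts, allow=(), threshold=3):
    """Return IPs with >= threshold connections that are not in an allowed network.

    The result is a review list only: known application networks are excluded
    so a busy legitimate client is never proposed for blocking.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = [ip for ip, n in counts.items()
            if n >= threshold and not any(ip in net for net in allowed)]
    return [str(ip) for ip in sorted(hits, key=lambda ip: (ip.version, int(ip)))]

if __name__ == "__main__":
    print(block_candidates(remote_peers(SAMPLE), allow=["192.0.2.0/24"]))
```

Without the allow-list the application server at 192.0.2.50 would also be proposed, which is the false-positive case the reply warns about.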