Login failed for user 'sa'. Reason: The password does not match the provided login. [Client: **.**.**.**]
Clients are all from the public network. Is there a good solution for this?
-------------------------------------------------------------------------------
It seems that someone is attacking your database. Generally, the database is best placed on the internal network and not open to the external network.
Solutions:
1. You can change the port number of the database.
2. If SA is not used, you can Disable and then create an account with the same permissions as SA.
3. You can block external IP addresses
, but these changes need to be evaluated and do not affect the application.
-----------------------------------------------------------------------------
Occasionally check the system log of the windows server and find that there are a lot of failed sa login information. The ip is from all over the country, and sometimes there are ten login attempts per second. I am here to ask you humbly, what will such an attack do to the network speed? What kind of impact will it have on the operation of the database, and what are the best ways to stop it. At the same time, condemn such boring and untechnical attacks.
The average server can withstand hundreds of thousands of PVs. It should be fine. It’s just that there are more logs. If you change the password a little bit, you won’t be afraid of exhaustion. This kind of dictionary attacks random servers. Scan it.
Either of the following methods can be used:
The ip policy is set to a specific IP to access, local area network or only allow company IP and web server IP
Disable the sa account, usually not used, just log in remotely.
Change the default 1433 port of sql, and just change it to a later one, but the related connection applications must be changed.
For my company, not using the default port is a basic development strategy, even 21 and 3389. To change.
In web.config, you can add IP, port number: source=xx.xx.xx.xx, xxxx
Recently, it was found that the server hanging on the external network was restarted inexplicably. The server currently mainly starts the IIS service and the SQL SERVER service. After logging in remotely, I found that the system response was very slow, and there was a clear sense of stagnation. I opened the task manager, and the CPU usage was basically around 30. Open the event viewer and find a large number of records in the application whose level is MSSQL$PNCSMS, the event ID is 18456, and the task category is logged in, almost 24 hours a day, 15 records per second, each The log is mostly the same as "Login failed for user 'sa'. Reason: No login matching the provided name. [Client: 60.191.144.214]" except that the username is sometimes different, the client The client IP address will also change over a period of time (ranging from a few minutes to a few hours). After investigation, this IP address belongs to Hunan, Henan and other places.
Obviously, someone tried to invade the database by traversing the password , renamed the sa of the database, changed the TCP port of the IPALL of the database from the default 1433 to another port number (all applications have to change the connection string, painful ). After restarting the service, after running for a day, and then looking at the event viewer, no similar records could be found. The CPU usage dropped to about 5, and the system response was significantly accelerated. The problem was solved satisfactorily.
为了防止黑客遍历系统登录帐户,又将Administrator进行了更名,但更名后,SQL SERVER启动不了了,在服务中找到SQL SERVER ,对其登录帐户进行了重新设置,重启计算机,SQL SERVER启动成功了。
http://bbs.51cto.com/thread-1036422-1.html
https://q.cnblogs.com/q/11759/
https://www.2cto.com/database/201411/351107.html