We’ve all seen them.
Login failed for user ‘MyDomainBob’ (password issue)
Login failed for user ‘MyDomainNancy’ (default database issue)
Login failed for user ‘blah, blah, blah…’
But what about Login Failed for user ‘Insert Chinese characters here’, Reason, An attempt to logon using SQL Authentication failed.
Wait…nobody in the company has a username with Chinese characters. And we don’t have SQL Authentication turned on….
Do not just let these messages pass you by!
These come with a client IP address at the end. I did a ping -a on the one I got, and found:
Somebox.qualys.morestuff.mydomain.com, along with 4 replies. So at least it was a valid internal IP address.
From here, I noticed Qualys in the machine’s FQDN. As luck would have it, I was recently on a Vulnerability Management team (elsewhere), and Qualys was the name of one of the scanning tools we used to look for vulnerabilities on the servers, routers, etc.
Now…I can make assumptions, but I’m not going to when it comes to something like this. I checked all the SQL Servers in my area of responsibility and found this on all but one of them.
I wrapped all of the data and findings in a nice package and sent it off to the boss to engage the security team for proper investigation and remediation. I suspect the Qualys server has a problem…this doesn’t look like one of its checks, but I’m not the expert on that.
So the point of this is not to teach you about all the ways to troubleshoot login failed messages, but rather to make sure you are investigating who is failing to log into your SQL Server and WHY.
- If you are logging successful logins, quit it. You’re filling the ERRORLOG.
- If you are not logging failed logins, start now. Don’t ignore possible hacking attempts.
- If you are not investigating login failed messages, start now, or you could be setting yourself up for this: “Yeah, that data breach of user and HIPAA information was missed by our DBA.”
That is a serious RGE and CLM you don’t need.
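One way to triage these messages in bulk, as an added example that is not part of the original post: a Python sketch that parses "Login failed" lines from ERRORLOG text, groups them by the client address at the end of each line, and flags the two oddities described above (a non-ASCII username, and a SQL Authentication attempt). The sample lines, IP addresses and function names are constructed for illustration, and the exact reason wording varies between SQL Server versions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual ERRORLOG "Login failed" shape; IPs and names are made up.
SAMPLE_LOG = r"""
2024-03-04 09:12:01.10 Logon       Login failed for user 'MyDomain\Bob'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.41]
2024-03-04 09:15:44.72 Logon       Login failed for user 'MyDomain\Nancy'. Reason: Failed to open the explicitly specified database 'Sales'. [CLIENT: 10.20.30.52]
2024-03-04 11:02:13.05 Logon       Login failed for user '管理员'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 10.20.99.7]
2024-03-04 11:02:13.31 Logon       Login failed for user 'sa'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 10.20.99.7]
2024-03-04 11:05:00.00 spid51      Some unrelated informational message.
"""

# timestamp, source column, then the message with the client address in brackets
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"Login failed for user '(?P<user>.*?)'\.\s*Reason: (?P<reason>.*?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]", re.MULTILINE)

def parse_failed_logins(text):
    """Return one dict per 'Login failed' line: ts, user, reason, client."""
    return [m.groupdict() for m in LINE_RE.finditer(text)]

def triage(events):
    """Group failures by client address and flag the ones worth escalating."""
    by_client = defaultdict(lambda: {"count": 0, "users": set(), "flags": set()})
    for e in events:
        c = by_client[e["client"]]
        c["count"] += 1
        c["users"].add(e["user"])
        if not e["user"].isascii():
            # nobody in the company has a username like this
            c["flags"].add("non_ascii_user")
        if "sql authentication" in e["reason"].lower():
            # SQL Authentication attempted where it is not turned on
            c["flags"].add("sql_auth_attempt")
    return dict(by_client)

if __name__ == "__main__":
    # Most-flagged clients first, so the odd ones are at the top of the report
    report = triage(parse_failed_logins(SAMPLE_LOG))
    for client, info in sorted(report.items(), key=lambda kv: -len(kv[1]["flags"])):
        print(client, info["count"], sorted(info["users"]), sorted(info["flags"]))
```

Any flagged client address is then a candidate for the same ping -a lookup and hand-off to the security team described above.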
That is all for today.
Waffle fries for lunch 🙂
The OnPurpose DBA