DallasDBAs.com

Explaining SQL Server in plain english

Login Failed for user…

August 4, 2016 by Kevin3NF

We’ve all seen them.

Login failed for user ‘MyDomain\Bob’ (password issue)
Login failed for user ‘MyDomain\Nancy’ (default database issue)
Login failed for user ‘blah, blah, blah…’

But what about Login Failed for user ‘Insert Chinese characters here’, Reason, An attempt to logon using SQL Authentication failed.

Wait…nobody in the company has a username with Chinese characters.   And we don’t have SQL Authentication turned on….

Do not just let these messages pass you by!

These come with a client IP address at the end.  I did a ping -a on the one I got, and found:

Somebox.qualys.morestuff.mydomain.com, along with 4 replies.   So at least it was a valid internal IP address.

From here, I noticed Qualys in the machine’s FQDN.  As luck would have it, I was recently on a Vulnerability Management team (elsewhere), and Qualys was the name of one of the scanning tools we used to look for vulnerabilities on the servers, routers, etc.

Now…I can make assumptions, but I’m not going to when it comes to something like this.   I checked all the SQL Servers in my area of responsibility and found this on all but one of them.

I wrapped all of the data and findings in a nice package and sent it off to the boss to engage the security team for proper investigation and remediation.  I suspect the Qualys server has a problem…this doesn’t look like one of its checks, but I’m not the expert on that.

So the point of this is not to teach you about all the ways to troubleshoot login failed messages, but rather to make sure you are investigating who is failing to log into your SQL Server and WHY.

  • If you are logging successful logins, quit it.   You’re filling the ERRORLOG.
  • If you are not logging failed logins, start now.   Don’t ignore possible hacking attempts.
  • If you are not investigating login failed messages, start now, or you could be setting yourself up for this:  “Yeah, that data breach of user and HIPAA information was missed by our DBA.”

That is a serious RGE and CLM you don’t need.
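One way to triage these entries, as an added example that is not part of the original post: the Python below parses ERRORLOG text, groups failed logins by the client IP at the end of each message, and flags non-ASCII usernames and SQL authentication attempts. The log lines, usernames and 192.0.2.x addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample ERRORLOG lines (not from the post); 192.0.2.x are documentation IPs.
SAMPLE_LOG = """\
2016-08-04 09:12:01.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-08-04 09:30:44.52 Logon       Login failed for user 'MyDomain\\Nancy'. Reason: Failed to open the explicitly specified database 'Sales'. [CLIENT: 192.0.2.11]
2016-08-04 10:15:32.45 Logon       Login failed for user '\u7ba1\u7406\u5458'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 192.0.2.50]
2016-08-04 10:15:33.02 Logon       Login failed for user '\u6d4b\u8bd5'. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: 192.0.2.50]
2016-08-04 10:16:00.00 spid51      Starting up database 'Sales'.
"""

# One failed-login entry: timestamp, user, optional reason, client IP at the end.
FAILED = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login failed for user '(?P<user>.*?)'\."
    r"\s*(?:Reason: (?P<reason>.*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return one dict per 'Login failed' line; other ERRORLOG lines are skipped."""
    return [m.groupdict() for m in map(FAILED.match, text.splitlines()) if m]

def triage(events):
    """Group failures by client IP and flag the patterns described in the post."""
    report = defaultdict(lambda: {"count": 0, "users": set(), "flags": set()})
    for e in events:
        entry = report[e["client"]]
        entry["count"] += 1
        entry["users"].add(e["user"])
        # A username with non-ASCII characters when no such account exists.
        if any(ord(ch) > 127 for ch in e["user"]):
            entry["flags"].add("non-ascii-username")
        # SQL authentication attempted although it is not turned on.
        if "SQL authentication failed" in (e["reason"] or ""):
            entry["flags"].add("sql-auth-attempt")
    return dict(report)

if __name__ == "__main__":
    for client, info in sorted(triage(parse_failed_logins(SAMPLE_LOG)).items()):
        flags = ", ".join(sorted(info["flags"])) or "none"
        print(f"{client}: {info['count']} failed, flags: {flags}")
```

Each flagged client IP is a starting point for the same follow-up described above: resolve the address, identify the machine, and hand the findings to the security team.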

That is all for today.

Waffle fries for lunch 🙂

Kevin3NF
The OnPurpose DBA
