on 2022 Nov 17 9:40 AM
The database (SQL Anywhere 17) is "attacked" by an unknown application.
We receive dozens of messages:
I. 11/17 13:07:20. Connection from XX.X.XX.XXX:XXXXX assigned connection ID 224
E. 11/17 13:07:20. Connection ID 224: Connection error '28000': Invalid user ID or password
It does not reach the login_procedure, the message appears at the user/password verification stage.
Whether there is an opportunity means of a DB to learn what user and what application tries to connect to a DB?
ps I don't want to specify the number of failed login attempts, as it is suspected that a "good" user is using a "bad" password hidden in the application.
Request clarification before answering.
You can get the userid by enabling auditing. See https://help.sap.com/docs/SAP_SQL_Anywhere/61ecb3d4d8be4baaa07cc4db0ddb5d0a/3bcea97f6c5f1014addcf626...
But I wouldn't log to the transaction log for the output as the tutorial suggests. Use an event file instead: https://help.sap.com/docs/SAP_SQL_Anywhere/61ecb3d4d8be4baaa07cc4db0ddb5d0a/812cbb736ce2101490b7fab4...
Unfortunately, auditing doesn't log the "appinfo" string which contains the client app executable name, etc. I'm not sure if it is available to the server that early in the connection attempt but, if it is, I think we should enhance auditing to record it.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Oh, wait. You can also create a ConnectFailed event. It will have access to the appinfo (and the user).
CREATE EVENT: https://help.sap.com/docs/SAP_SQL_Anywhere/93079d4ba8e44920ae63ffb4def91f5b/816bb10e6ce21014b9c1ffdd...
Available event parameters for ConnectFailed: https://help.sap.com/docs/SAP_SQL_Anywhere/93079d4ba8e44920ae63ffb4def91f5b/81f7991d6ce21014b2ec94fd...
User | Count |
---|---|
52 | |
8 | |
5 | |
5 | |
5 | |
5 | |
5 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.