I have to configure account lock after N unsuccessful login attempts on MSSQL 2017 Linux. That is standalone server and is not in AD.
I couln'd find any valuable information so far unfortunately. Perhaps because Linux platform is quite fresh for MSSQL Server. Thank you for any advice here.
Sql-server – How to lock a MSSQL (2017 Linux) account after N unsuccessful login attempts
linuxsql serversql-server-2017
Related Solutions
Yes, you can but you have to set everything up.
SQL Server (SQL) Login
When you enable the Enforce password policy option in the SQL Server Login window, you are basically telling the SQL Server to adhere either to the local security policy or to the policy defined in the domain.
The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:
- When CHECK_POLICY is changed to ON, the following behaviors occur:
- CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.
- The password history is initialized with the value of the current password hash.
- Account lockout duration, account lockout threshold, and reset account lockout counter after are also enabled.
and also:
The security policy might be set in Windows, or might be received from the domain. To view the password policy on the computer, use the Local Security Policy MMC snap-in (secpol.msc).
Reference: Password Policy (MSDN / SQL Server 2012)
Setting Policy (locally)
So if you require an account to be locked out after 3 wrong tries, then you either have to define a local policy with secpol.msc or define a domain policy for account lockout.
Example in secpol.msc
SQL Server will then use this policy if the Enforce password policy option is checked.
A technical overview of the account lockout policy can be found here:
Reference: Account Lockout Policy Technical Overview (MSDN)
Reference: Account lockout threshold (MSDN)
Locked out SQL Login
Here is what happens after a SQL Login has been locked out after the set amount of incorrect logins (15 in my case as domain policy). You can see the Login is locked out is set. This can be unset to unblock the account.
If you are running the GUI on the same machine as the mssql-server service, then you can use localhost for the address (127.0.0.1). If you are running the GUI from a different workstation, you'll need the IPv4 address of the machine where the mssql-server service is running. You can obtain that by running ifconfig from a Linux terminal prompt. Sample output from ifconfig:
eth0: flags=4163 mtu 1500
ether 00:15:5d:89:45:01 txqueuelen 1000 (Ethernet)
RX packets 423 bytes 137827 (134.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163 mtu 1500
inet 192.168.200.11 netmask 255.255.255.0 broadcast 192.168.200.255
inet6 fe80::2f70:9d15:8e7d:16cb prefixlen 64 scopeid 0x20
ether 00:15:5d:89:45:04 txqueuelen 1000 (Ethernet)
RX packets 20138 bytes 2006000 (1.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19756 bytes 30125657 (28.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 3239 bytes 361340 (352.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3239 bytes 361340 (352.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
In the output above, the bit that is important is the "inet" address, which in my case is 192.168.200.11.
The default port for SQL Server is 1433 - unless you chose a different port in mssql-conf use that port number. Ensure the firewall on the Linux box is allowing outside connections via 1433, if you intend to connect to SQL Server via the network.
Use sa as the login, and the password you specified during SQL Server setup via the sudo /opt/mssql/bin/mssql-conf setup command.
I would leave the domain and unix socket path blank.
Once you have connected to the instance, you may want to configure a non-sa account. Do that with the CREATE LOGIN statement.
Just an FYI, you can use SQL Server Management Studio to connect to SQL Server on Linux, if that's your desire. Alternately, you can download Microsoft's native GUI client for Linux (and Windows & Mac), Azure Data Studio, here.
Related Question
- Sql-server – Machine login for Microsoft SQL Server for Linux
- Sql-server – Cannot systemctl start/stop mssql. mssql-server stuck in script upgrade mode. Cannot login either
- SQL Server 2019 on Linux – initdata: No Memory for Kernel Buffers
- SQL Server Memory Errors – How to Fix Multiple Memory Errors in Error Log
- Should Filesystem Journaling Be Disabled for MS SQL Server on Linux/Windows?
Best Answer
I think you need to use a server / login trigger. Aaron Bertrand wrote a cool little article about combining login triggers and extended events here - https://www.mssqltips.com/sqlservertip/3582/prevent-and-log-certain-sql-server-login-attempts/