September 23, 2021 at 4:25 am
Morning All,
Recently, I have analyzed one of our SQL servers which is hosting websites. Looks like there are plenty of logon attempts. We have disabled the SA after that.
18456, Severity: 14, State: 8.
18456, Severity: 14, State: 5.
18470, Severity: 14, State: 1.
18456, Severity: 14, State: 7.
I have checked with our cloud vendor; they said a lot of spammers are doing this and they have blocked the top 20 countries which are considered as spammers.
They have said your SQL server is exposed over the WAN on ports 80, 443, 8080, 3389. They have only disabled WAN access for the SQL Server port 1433 on the firewall.
Still I could see entries in the log.
Ex:
Login failed for user 'sa'. Reason: An error occurred while evaluating the password. [CLIENT: xxxx]
Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]
Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]
Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]
Login failed for user '401hk'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]
Any suggestion will be great.
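As an added example (not code from the thread), here is a small Python parser that pairs each "Error: 18456 ... State: N." line with the "Login failed for user" line that follows it in the SQL Server errorlog and counts attempts per client, so repeated guessing from one address and non-existent login names (state 5) stand out. The log lines and IP addresses below are constructed; the pairing of the two lines in that order is an assumption about the errorlog layout.

```python
import re
from collections import defaultdict

# Constructed sample in SQL Server errorlog layout. Assumption: the
# "Error: 18456" line immediately precedes its matching "Login failed" line.
SAMPLE_LOG = """\
2021-09-22 23:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2021-09-22 23:10:01.12 Logon       Login failed for user 'sa'. Reason: An error occurred while evaluating the password. [CLIENT: 203.0.113.7]
2021-09-22 23:10:02.40 Logon       Error: 18456, Severity: 14, State: 5.
2021-09-22 23:10:02.40 Logon       Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-09-22 23:10:03.01 Logon       Error: 18456, Severity: 14, State: 5.
2021-09-22 23:10:03.01 Logon       Login failed for user '401hk'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-09-22 23:11:15.77 Logon       Error: 18470, Severity: 14, State: 1.
2021-09-22 23:11:15.77 Logon       Login failed for user 'sa'. Reason: The account is disabled. [CLIENT: 198.51.100.9]
"""

STATE_RE = re.compile(r"Error: (\d+), Severity: \d+, State: (\d+)\.")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'\. Reason: (.*?) \[CLIENT: ([^\]]+)\]")

def parse_failed_logins(text):
    """Return one dict per failed login, carrying the error/state from the preceding line."""
    events, pending = [], None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        m = FAIL_RE.search(line)
        if m:
            err, state = pending if pending else (None, None)
            events.append({"user": m.group(1), "reason": m.group(2),
                           "client": m.group(3).strip(), "error": err, "state": state})
            pending = None
    return events

def summarize(events, threshold=3):
    """Per-client totals; state 5 (no such login) across several names looks like guessing."""
    per_client = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown_login": 0})
    for e in events:
        c = per_client[e["client"]]
        c["attempts"] += 1
        c["users"].add(e["user"])
        if e["error"] == 18456 and e["state"] == 5:
            c["unknown_login"] += 1
    suspicious = sorted(ip for ip, c in per_client.items() if c["attempts"] >= threshold)
    return per_client, suspicious
```

Feed it the output of the "Login failed" search from your own errorlog; the suspicious list is what you would hand to the vendor for the firewall, alongside the check that only the web tier can reach the SQL port.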
September 23, 2021 at 5:26 am
If TCP 1433 has been blocked coming in from the internet the errors should stop; however, that is assuming you are actually using 1433 as the port.
Verify the port you're using as it may not be the default. Then ask them to block that port.
Also ask them to block UDP 1434 for the browser so they can't enumerate the SQL servers.
September 23, 2021 at 11:45 am
Thanks for your response.
Yes, it is the default instance; the port is 1433. I have asked the vendor; UDP 1434 has already been disabled. I am not sure how spammers / hackers are still trying with different credentials.
September 23, 2021 at 2:43 pm
Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network.
If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?
September 24, 2021 at 3:44 am
Hi Steve,
Thanks for your response. I will check with the vendors on the N/W configuration.
No linked server; both SQL and front end are on the same host.
November 20, 2022 at 3:29 am
Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network. If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?
Hi Steve,
Just to understand, how can I find SQL Servers on the Internet or accessible by the public, something like that?
November 20, 2022 at 2:50 pm
Through any of the logins in the cloud provider; else finding the server will be difficult.
Verify the logins for your team, if any one of them/all are exposed.
Regards
Durai Nagarajan
November 20, 2022 at 4:59 pm
@Raja mssql ,
Nothing like giving would-be hackers an advantage. I strongly recommend that you modify your original post to NOT include your IP addresses even though it's an older post.
--Jeff Moden
Change is inevitable... Change for the better is not.
November 21, 2022 at 3:31 pm
Steve Jones - SSC Editor wrote:Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network. If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?
Hi Steve,
Just to understand, how can I find SQL Servers on the Internet or accessible by the public, something like that?
Any network can be scanned. I can send a packet to any address and look for a response on a port. That's what scanners do. These days, any system with 1434 open, or many other common ports, will get attacked. This is one reason pings aren't working for many systems. The owners don't want people to think an IP is valid, so they don't respond to ICMP packets any longer.
November 21, 2022 at 9:06 pm
The firewall on the database server should only be accepting connections from the web application server and a limited range supporting your IT department, right?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 22, 2022 at 2:59 am
The firewall on the database server should only be accepting connections from the web application server and a limited range supporting your IT department, right?
Yes, that is correct. For a lot of small projects like our case it runs on Express and both db and app are on the same system. We have paid one hosting server provider and took one VM for our application.
After disabling TCP/IP, we are not seeing any errors in the error log. But we suspect there is a leakage from the website; we have minimized the connection string account's permissions to only read and execute SPs.
November 22, 2022 at 3:00 am
Thanks Steve. I am working with the server provider to get the list of open ports on the server. Once I get the list I will disable unused ports.