Login attempt from different IPs in the errorlog

  • Morning All,

    Recently, I have analyzed one of our SQL server which hosting websites. Looks like there are plenty of logon attempt. We have disabled the SA after that.

    18456, Severity: 14, State: 8.

    18456, Severity: 14, State: 5.

    18470, Severity: 14, State: 1.

    18456, Severity: 14, State: 7.

    I have checked with our cloud vendor, they said lot of spammers are doing this and they have blocked top 20 countries which are consider as spammers.

    They have said your SQL server exposed over the WAN on the port 80, 443, 8080, 3389. They have only disabled WAN access for the SQL Server port 1433 on the firewall.

    Still I could see entries in the log.

    Ex:

    Login failed for user 'sa'. Reason: An error occurred while evaluating the password. [CLIENT: xxxx]

    Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]

    Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]

    Login failed for user 'ps'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]

    Login failed for user '401hk'. Reason: Could not find a login matching the name provided. [CLIENT: xxxx]

    Any suggestion will be great.

    • This topic was modified 2 years, 1 month ago by  Saran.
  • If TCP1433 has been blocked coming in from the internet the error should stop, however that is assuming you are actually using 1433 as the port.

    Verify the port your using as it may not be default.  Then ask them to block that port.

    Also ask them to block UDP1434 for the browser so they can’t enumerate the SQL servers.

  • Thanks for your response.

    Yes, it is default instance port is 1433. I have asked the vendor UDP 1434 already been disabled. I am not sure, how spammer / hackers are still trying with different credentials.

  • Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network.

    If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?

  • Hi Steve,

    Thanks for your response. I will check with the vendors of N/W configuration.

    No linked server, both SQL and front end are in same host.

  • Steve Jones - SSC Editor wrote:

    Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network. If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?

    Hi Steve,

    Just to understand, How can I find SQL Servers on the Internet or accessible by public something like that.

  • Though any of the logins in the cloud provider, else finding the server will be difficult.

    Verify the logins for your team if any one of them/all are exposed.

     

    Regards
    Durai Nagarajan

  • @Raja mssql ,

    Nothing like giving would-be hackers an advantage.  I strongly recommend that you modify your original post to NOT include your IP addresses even though it's an older post. 

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Saran wrote:

    Steve Jones - SSC Editor wrote:

    Double check your configuration settings for the network. You could have something else open and available. Ideally, we do not expose SQL Servers on the Internet in any way, only to other servers on the network. If that's the case, then is your app server, web server, etc. forwarding some requests? Linked servers?

    Hi Steve,

    Just to understand, How can I find SQL Servers on the Internet or accessible by public something like that.

    Any network can be scanned. I can send a packet to any address and look for a response on a port. That's what scanners do. These days, any system with 1434 open, or many other common ports, will get attacked. This is one reason pings aren't working for many systems. The owners don't want people to think an IP is valid, so they don't respond to ICMP packets any longer.

  • The firewall on database server should only be accepting connections from the web application server and a limited range supporting your IT department, right?

     

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell wrote:

    The firewall on database server should only be accepting connections from the web application server and a limited range supporting your IT department, right?

    Yes, that is correct. For lot of small projects like our case it is runs on express and both db and app are is same system. We have given cost to one hosting server  provider and took one VM for our application.

    After disabling tcp ip, we are not seeing any error in the  error log. But we suspect there is a leakage from website , we have minimized connection string  account permission only to read and execute SP.

  • Thanks Steve. I am working on to the server provider to have open ports to the server. Once I get list will disable unused ports.

Viewing 12 posts - 1 through 11 (of 11 total)

You must be logged in to reply to this topic. Login to reply