May 2023 Discount: Comprehensive Database Performance Health Check | Testimonials

SQL SERVER – Someone was trying to hack my SQL Server Logins in Azure!

Pinal Dave
SQL, SQL Server, SQL Tips and Tricks
No Comments

When I started to work with SQL Server on Azure VMs, I was completely excited because now the need to build local VMs has become super easy. If I need something for testing, then I know I can get a SQL Server instance in a jiffy and it can be brought down as soon as my work is done. The more we start working with softwares on the cloud, it is important to also understand the nuances of security that we need to be aware. I recently noticed the ERRORLOG on my virtual machine sitting in Azure and was surprise to see below error in ERRORLOG multiple times every minute.

Error: 18456, Severity: 14, State: 5.
Login failed for user ‘KISAdmin’. Reason: Could not find a login matching the name provided. [CLIENT: xx.174.233.xx] Error: 18456, Severity: 14, State: 7.
Login failed for user ‘sa’. Reason: An error occurred while evaluating the password. [CLIENT: xx.174.233.xx] Error: 18456, Severity: 14, State: 5.
Login failed for user ‘KHB’. Reason: Could not find a login matching the name provided. [CLIENT: xx.174.233.xx] Error: 18456, Severity: 14, State: 5.
Login failed for user ‘Chred1433’. Reason: Could not find a login matching the name provided. [CLIENT: xx.174.233.xx]

(I have masked the IPs in error messages above)

I realized that

  1. The IP address listed was not an IP which I know
  2. Account shown in login failed messages doesn’t exist on my SQL server instance.

Since this is a virtual machine in Microsoft Azure, I checked the endpoints for this VM as they are responsible for any entry to the sever from the outside world. Here is what I saw.

SQL SERVER - Someone was trying to hack my SQL Server Logins in Azure! hack-01

As we can see above that I have created endpoint for SQL Server on port 1433 and it’s a very well-known port used by SQL Server. My theory about hacking became more firm when I attempted to do remote desktop on the IP given in the error message.

SQL SERVER - Someone was trying to hack my SQL Server Logins in Azure! hack-02

Here are my suggestions:

  1. If Login failed message says <local machine> it is less likely to be hacker, but some process somewhere on the machine.
  2. Above is also true if the IP address is within your organization.
  3. If the IP Address is outside your organization, then answer is simple – don’t expose your SQL Server on the Internet. Else you may want to take below steps
    1. Change SA password and make sure its complex.
    2. If you don’t need SQL Authentication, don’t use it. Change the mode to Windows only.

In my case, since its and VM in Azure and I have to stay with SQL authentication so I changed the public port to something different and then there were no more Login failed attempts from that machine. When I searched, I also found article from Microsoft as below

https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-sql-server-security-considerations/

Interesting my simple idea of using non-default endpoint of not listed there but they do ask to use ACL for endpoints for better security of SQL running on Azure virtual machine.

Do you check SQL ERRORLOG regularly to monitor the server’s security?

Reference: Pinal Dave (https://blog.sqlauthority.com)

SQL Server Security
Previous Post
Interview Question of the Week #052 – Print String in Reverse Order
Next Post
SQL SERVER – FIX: sp_rename error Msg 15225 – No item by the name of ‘%s’ could be found in the current database

Related Posts

Leave a Reply

Idera
Quest

Pinal Dave is an SQL Server Performance Tuning Expert and independent consultant with over 21 years of hands-on experience. He holds a Masters of Science degree and numerous database certifications.

Pinal has authored 13 SQL Server database books and 49 Pluralsight courses. To freely share his knowledge and help others build their expertise, Pinal has also written more than 5,600 database tech articles on his blog at https://blog.sqlauthority.com.

Pinal is an experienced and dedicated professional with a deep commitment to flawless customer service. If you need help with any SQL Server Performance Tuning Issues, please feel free to reach out at pinal@sqlauthority.com.

Pinal is also a CrossFit Level 1 Trainer (CF-L1) and CrossFit Level 2 Trainer (CF-L2).

Nupur Dave is a social media enthusiast and an independent consultant. She primarily focuses on the database domain, helping clients build short and long term multi-channel campaigns to drive leads for their sales pipeline.

Exclusive Newsletter

Comprehensive Database Performance Health Check

Is your SQL Server running slow and you want to speed it up without sharing server credentials? In my Comprehensive Database Performance Health Check, we can work together remotely and resolve your biggest performance troublemakers in less than 4 hours.

Once you learn my business secrets, you will fix the majority of problems in the future.

SQL Server Performance Tuning Practical Workshop

Have you ever opened any PowerPoint deck when you face SQL Server Performance Tuning emergencies? SQL Server Performance Tuning Practical Workshop is my MOST popular training with no PowerPoint presentations and 100% practical demonstrations.

Essentially I share my business secrets to optimize SQL Server performance.