Question

I run a SQL Server on an Azure Virtual Machine. I have noticed in the Event Logs of the server lots of failed SQL Login attempts using a ton of different usernames (none of which exist):

Login failed for user 'kisadminnew1'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]

Login failed for user 'djapple'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]

Login failed for user 'China'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]

Login failed for user 'vice'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]

In all there's probably a few hundred random attempts all at the same time overnight.

Should I be concerned about this? Does it look like somebody is trying to get access to my SQL Server through brute force and is this common?

Solution

Is the TCP port SQL Server is listening on open globally?

If so, yes I'd be concerned. If there is a password that can be brute-forced or guessed, or an exploit that allows someone to bypass authentication, eventually your database could be compromised. You'll also be vulnerable to attacks that don't require access, such as someone filling up the drive that has SQL Server error logs on it by creating many failed logins every second.

If the TCP port is open to the internet, the unwanted login attempts are normal. Based on my experience working at ISPs and hosting companies, a machine that's exposed to the internet will get probed on well-known ports all day (and port scanned periodically) if traffic isn't being dropped by a firewall.

On the other hand, if you have restrictive firewall rules that explicitly allow 124.117.233.94 through, it's likely that one of your customers or colleagues at that address has had a computer compromised.

You can currently read about controlling traffic to Azure Virtual Machines here. A good practice is to drop everything by default and explicitly allow only the traffic you want. Perhaps someone else will edit this to add further information.
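One way to triage messages like the ones quoted in the question, as an added example that is not part of the original question or answer: it groups failed logins by client address and separates guesses at names that do not exist from wrong-password attempts against logins that do exist. The "Password did not match" reason text does not appear on this page, the thresholds are assumptions, and the sample lines for 203.0.113.7 and 198.51.100.20 are constructed.

```python
import re
from collections import defaultdict

# Matches the failed-login message format quoted in the question.
LINE_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\.\s+Reason: (?P<reason>.*?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)
# Reason logged when the login exists but the password is wrong (not on the page).
WRONG_PASSWORD = "Password did not match that for the login provided."

# First four lines are from the question; the rest are constructed samples.
SAMPLE_LINES = [
    "Login failed for user 'kisadminnew1'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]",
    "Login failed for user 'djapple'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]",
    "Login failed for user 'China'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]",
    "Login failed for user 'vice'. Reason: Could not find a login matching the name provided. [CLIENT: 124.117.233.94]",
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
    "Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]",
    "Starting up database 'master'.",
]

def summarize_failed_logins(lines, min_attempts=3):
    """Return per-client stats for clients with at least min_attempts failures."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "existing": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a failed-login message
        s = stats[m["client"].strip()]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["reason"].strip() == WRONG_PASSWORD:
            s["existing"].add(m["user"])  # a real login is being guessed at
    return {
        client: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "existing_logins_targeted": sorted(s["existing"]),
        }
        for client, s in stats.items()
        if s["attempts"] >= min_attempts
    }

if __name__ == "__main__":
    for client, info in summarize_failed_logins(SAMPLE_LINES).items():
        print(client, info)
```

A client with many distinct usernames and no existing logins targeted matches the pattern in the question; a client with entries under `existing_logins_targeted` is working on an account that actually exists and deserves attention first.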

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange