I use an MS SQL Server 2017 Express database on Windows Server 2016. I am seeing that the ERRORLOG file of MS SQL Server is increasing by 600MB per day.
The below is from the ERRORLOG file.
Does this mean that my MS SQL Server 2017 Express database is being attacked?
How can I fix this problem?
2019-12-22 03:36:09.34 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.34 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 14.253.239.25]
2019-12-22 03:36:09.34 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.34 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 59.127.222.102]
2019-12-22 03:36:09.42 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.42 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 104.238.63.33]
2019-12-22 03:36:09.70 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.70 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 14.253.239.25]
2019-12-22 03:36:09.70 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.70 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 59.127.222.102]
2019-12-22 03:36:09.74 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.74 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 104.238.63.33]
2019-12-22 03:36:10.06 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:10.06 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 59.127.222.102]
2019-12-22 03:36:10.06 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:10.06 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 104.238.63.33]
2019-12-22 03:36:10.06 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:10.06 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 14.253.239.25]
2019-12-22 03:36:10.39 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:10.39 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 104.238.63.33]
2019-12-22 03:36:10.41 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:10.41 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 14.253.239.25]
2019-12-22 03:36:10.42 Logon Error: 18456, Severity: 14, State: 8.
It looks like it, yes.
Block access to your SQL server from the internet. Why is it exposed to the internet?
Your SQL server is definitely getting a logon attack. This happens almost 100% of the time a computer with SQL Server is exposed to the internet.
Here is an option to allow only certain IP addresses (you might need to do some research on how this is done).
If you have RDP or SSH open to the internet:
If this is on a Linux server and you have SSH open to the internet, you are most likely being attacked on SSH. Please look at this guide.
If you are on Windows Server and you have RDP open to the internet, you are also probably being attacked on RDP. Please look at this guide.
The best is not to have this open to the internet, but if it is definitely needed you need to make sure your security is set up correctly on the machine or with a firewall.
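
Added example (not part of the original question or answers): a short Python script that tallies the failed logins in ERRORLOG lines by client address, showing which sources generate the failures and which logins they target before access is restricted. The sample lines and addresses are constructed, and `summarize` and `suspects` are names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# "Login failed" line layout as shown in the question's ERRORLOG excerpt.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample lines (documentation/private addresses, not from the page).
SAMPLE = """\
2019-12-22 03:36:09.34 Logon Error: 18456, Severity: 14, State: 8.
2019-12-22 03:36:09.34 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2019-12-22 03:36:09.42 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-12-22 03:36:09.70 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2019-12-22 03:36:10.06 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-12-22 03:36:10.39 Logon Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2019-12-22 03:41:02.10 Logon Login failed for user 'report_app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

def summarize(lines):
    """Group failed logins by client address: count, targeted logins, time span."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # "Error: 18456 ..." header lines and unrelated entries
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        s = stats[m["client"]]
        s["count"] += 1
        s["users"].add(m["user"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def suspects(stats, min_failures=2):
    """Clients at or above the failure threshold, busiest first."""
    hits = [(ip, s["count"]) for ip, s in stats.items() if s["count"] >= min_failures]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for ip, n in suspects(summarize(SAMPLE.splitlines())):
        print(f"{ip}\t{n} failed logins")
```

To run it against a real log, pass the file's lines to `summarize()`, opening the file with the encoding your ERRORLOG is written in.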