Overview of the issue:
It is a third-party SQL Server receiving a lot of login attempts from different IP addresses, all of which are outside our IP ranges. The errors in the log are as below.
18456, Severity: 14, State: 8.
18456, Severity: 14, State: 5.
18456, Severity: 14, State: 7.
Login failed for user ‘sa’. Reason: An error occurred while evaluating the password. [CLIENT: x.x.x.x]
Login failed for user ‘xx’. Reason: Could not find a login matching the name provided. [CLIENT: x.x.x.x]
Many logins were tried, and most of the hits were from the USA using the SA account.
As a first step, we renamed the SA account, started working with the cloud provider, and disabled a lot of unused and non-secure ports, along with the default SQL port 1433 (disabled 80, 443, 8080, 1433). Since our SQL Server is over the WAN, we had a firewall NAT rule activated. We blocked all countries except India and the USA, where our clients are using it.
Still, there were logon hits.
The final solution, as a DBA, was to change the port from the default to a non-default number. After changing the port, the hits disappeared.
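To confirm whether hits like the ones quoted above have really stopped, the failed logins can be counted per source address straight from the error log. The following is an added example, not part of the original post: it pairs each 18456 error line with its "Login failed" line and reports untrusted clients with repeated failures. The function name, the sample lines, the trusted range and the threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

STATE_MEANING = {5: "unknown login", 7: "disabled login, bad password", 8: "bad password"}
ERROR_RE = re.compile(r"Error: 18456, Severity: 14, State: (\d+)\.")
LOGIN_RE = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")

# Constructed sample in ERRORLOG layout; IPs, logins and the 10.0.0.0/8 trusted range are assumptions.
SAMPLE_LOG = """\
2024-01-05 02:11:01.10 Logon       Error: 18456, Severity: 14, State: 7.
2024-01-05 02:11:01.10 Logon       Login failed for user 'sa'. Reason: An error occurred while evaluating the password. [CLIENT: 203.0.113.7]
2024-01-05 02:11:02.31 Logon       Error: 18456, Severity: 14, State: 5.
2024-01-05 02:11:02.31 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-01-05 02:11:03.52 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-05 02:11:03.52 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 02:12:10.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-05 02:12:10.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2024-01-05 02:13:44.80 Logon       Error: 18456, Severity: 14, State: 5.
2024-01-05 02:13:44.80 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.9]
"""

def summarize(log_text, trusted_networks, threshold=3):
    """Per untrusted client IP with >= threshold failures: attempts, logins, states."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    stats = defaultdict(lambda: {"attempts": 0, "logins": set(), "states": set()})
    state = None
    for line in log_text.splitlines():
        err, msg = ERROR_RE.search(line), LOGIN_RE.search(line)
        if err:
            state = int(err.group(1))  # applies to the message line that follows
        if not msg:
            continue
        user, client = msg.groups()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:  # non-IP client text such as "<local machine>"
            addr = None
        if addr is not None and not any(addr in net for net in trusted):
            entry = stats[client]
            entry["attempts"] += 1
            entry["logins"].add(user)
            entry["states"].update([] if state is None else [state])
        state = None
    return {ip: e for ip, e in stats.items() if e["attempts"] >= threshold}

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        print(ip, e["attempts"], sorted(e["logins"]), [STATE_MEANING.get(s, s) for s in sorted(e["states"])])
```

A source that cycles through several login names and produces a mix of states 5, 7 and 8 is guessing credentials rather than mistyping one password.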