
I've created an Azure container instance with the MSSQL container image. It starts. However, before even logging in, or even putting the URL to use, I checked the container logs and it's being hit with traffic. As this is an MSSQL DB server, it receives login attempts. Below is a sample from the log.

2020-09-25 10:59:39.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.55]
2020-09-25 10:59:39.69 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.69 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.70 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.72 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.74 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.74 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.76 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.76 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.79 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.79 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.55]
2020-09-25 10:59:39.83 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.83 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.85 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.55]
2020-09-25 10:59:39.87 Logon       Error: 18456, Severity: 14, State: 8.

Also, I've created the DNS name with random text and a number. However, I'm still getting the requests. As per the above log, the username always comes as 'sa'; however, I saw there are some other guesses as well.

How do malicious users/bots find newly created instances? Does everything go to a registry? Is there any way to avoid these unwanted requests?

inckka
  • Not the answer to your question but ... Why is your instance accepting all those connections in the first place? A database is typically not a public resource and you can and should quite easily be able to restrict access to only known sources rather than allowing the whole internet access – Bob Sep 25 '20 at 13:30
  • Those IP addresses appear to be within your own VPC, so you should look for one of your own other containers or VMs as the source. – Michael Hampton Sep 25 '20 at 17:08
  • @HermanB This is hosted as a Container Instance (Azure). And an App Service (Azure) consumes this database. Both services are in the same region but separately created. Anyway, some firewall rule will be applied to the CI soon. I'd be more than thankful if you could point to a different solution. – inckka Sep 28 '20 at 03:54
  • @MichaelHampton I suspected the same, as the IP matches my current docker container's (App Service) IP range. However, right after creating this Container Instance, using a randomly generated DNS name, even without touching the App Service code or even configuring MSSQL studio (SQL client), I'm wondering how the traffic comes in? – inckka Sep 28 '20 at 03:58
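
An added example, not part of the original question or its comments: a small triage script that tallies the "Login failed" lines per client and marks whether each client address falls in RFC 1918 private space, which is the check the comment about the source addresses turns on. The log text is a constructed sample in the format quoted in the question; the `admin` user, the `203.0.113.7` documentation address and the function name are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the errorlog format quoted in the question.
# The 'admin' line and 203.0.113.7 (documentation range) are illustrative only.
SAMPLE_LOG = """\
2020-09-25 10:59:39.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.55]
2020-09-25 10:59:39.69 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.69 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.70 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-25 10:59:39.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:39.79 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.55]
2020-09-25 10:59:39.83 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.240.255.56]
2020-09-25 10:59:40.01 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-25 10:59:40.02 Logon       Error: 18456, Severity: 14, State: 8.
"""

# Explicit RFC 1918 ranges; ip_address().is_private also covers documentation
# and other reserved ranges, which would blur the internal/external split.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FAILED = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s+Reason: .*?\s+"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def summarize_failed_logins(log_text):
    """Count failed logins per (client, user) and classify each client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # the paired "Error: 18456" lines carry no client and are skipped
            counts[(m["client"].strip(), m["user"])] += 1
    report = []
    for (client, user), n in counts.most_common():
        try:
            addr = ipaddress.ip_address(client)
            scope = "rfc1918" if any(addr in net for net in RFC1918) else "other"
        except ValueError:
            scope = "non-ip"  # e.g. "<local machine>"
        report.append({"client": client, "user": user, "failures": n, "scope": scope})
    return report

if __name__ == "__main__":
    for row in summarize_failed_logins(SAMPLE_LOG):
        print(row)
```

Clients reported as `rfc1918` cannot be reached directly from the internet, so those entries point at something inside the same private network or at a platform component relaying the connection.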

0 Answers