0

I'm helping a customer with an exposed SQL Server 2005. They will not budge on a firewall or VPN solution, and their logs are full of signs of a brute force attack.

Is there a way to auto-ban an IP address after X failed logons to SQL Server 2005?

p.campbell
NitroxDM

3 Answers

1

No, at least not within SQL Server because SQL Server doesn't track based on IP in this manner. The IP address is exposed in the EventData for a logon trigger (added in SP2), but a logon trigger only fires with a successful logon event. A failed login wouldn't cause the trigger to fire. Running a trace where you're auditing for Failed Login security events would reveal the hostname, but this can be spoofed and it's not guaranteed to be the IP.

Could you approach this from a performance perspective? Every one of those failed hits does cause SQL Server to spin up a connection which costs CPU and memory. Because there isn't a front-end network device to filter these bad connections, the server, and SQL Server, isn't getting the performance it could get.

K. Brian Kelley
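Since SQL Server itself does not act on failed logins, the counting has to happen outside it. The following is an added example, not part of any answer above: it assumes failed-login auditing is enabled so that the SQL Server error log records each failure with a `[CLIENT: ...]` address, and it counts failures per address in a sliding window. The sample log lines are constructed, and the function name and thresholds are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the error log layout (timestamp, source, message).
SAMPLE_LOG = """\
2009-06-01 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2009-06-01 10:15:01.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-06-01 10:15:02.40 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.7]
2009-06-01 10:15:03.90 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2009-06-01 10:16:30.00 Logon       Login failed for user 'appuser'. [CLIENT: 198.51.100.20]
2009-06-01 10:45:00.00 Logon       Login failed for user 'appuser'. [CLIENT: 198.51.100.20]
2009-06-01 11:20:00.00 Logon       Login failed for user 'appuser'. [CLIENT: 198.51.100.20]
2009-06-01 11:21:00.00 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def offenders(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {ip: time the threshold was reached} for every client with at
    least max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # not a failed-login message
        try:
            ip = str(ipaddress.ip_address(m["ip"].strip()))
        except ValueError:
            continue              # e.g. <local machine>: nothing to block
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(ip, ts)
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when}  {ip}  reached the failed-login threshold")
```

The returned addresses still have to be handed to whatever does the blocking (a host firewall or IPsec filter, for instance), and an allow-list for known application servers keeps a misconfigured client from locking itself out.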
0

Not directly within the SQL Server world. What about changing from the default port (1433) to a different port number?

jl.
0

Have you suggested SmoothWall? It's free, can't get much more budget-friendly than that!

You wouldn't even NEED a beige box for it, as you can acquire a VMware appliance.

p.campbell