1

I'm suffering an attempted invasion by brute force. A bot is trying to figure out the sa password. How do I restrict logins to 3 attempts in SQL Server?

Moreover, I would like to block an IP, how can I do this?

ridermansb
  • I'm surprised no one has said this. If you don't need sa, then disable it. At the very least rename the account to something else (preferably something no one can guess). If the account isn't there then they can't brute force against it. – Thirster42 May 18 '11 at 15:52
  • I cannot even change the name of it because there are several applications using the sa account – ridermansb May 18 '11 at 16:35
  • That's what I was afraid of. Honestly you would be a lot better off if you could create a service account for each application and implement those instead of using the sa account, but some applications are hard-coded to use sa. – Thirster42 May 18 '11 at 17:12
  • How come your SQL Server is even visible on the internet? I have 3 SQL Server databases serving stuff for internet use, and guess what - not a single one is reachable via a public IP directly. – TomTom Sep 19 '12 at 04:54

3 Answers

1

To go into a little bit more detail on what everyone else is sorta saying, SQL Server was never intended to be accessed directly from the internet. The way you should access it is through a firewall, and preferably have all HTTP requests forwarded to a web server which then sends any SQL stuff to the SQL Server. You should not be able to get direct access to SQL Server from the internet.

Thirster42
  • +1 for common sense. Whoever did set this up should go and get a job somewhere else (McDonald's, serving burgers?). This is blatantly ignoring any reasonable setup in a hostile environment. There are ZERO reasons to have a SQL Server directly accessible on the internet. – TomTom Sep 19 '12 at 04:55
0

If you are using SQL Server 2005 or above then you can use LOGON triggers for this.

Refer to this excellent article by security expert Brian Kelley:

http://www.sqlservercentral.com/articles/Security/66151/

But you are better off handling this before it touches your SQL Server.

Sankar Reddy
0

My sshd_block script, which monitors the event log for messages from an SSH daemon and black-holes the source IP address after a sufficient number of failed logons (or a single failed logon for a specific user like, say, "root" or "sa") could probably be adapted for the purposes you're looking for.

I don't have the spare time to do it right now. The license would allow you to do it yourself. If I find some time I might do it myself just to have that functionality in the script.

Having said all that, is there any reason why you need the entire Internet to be able to connect to your SQL Server instance? A host-based firewall rule that limits the ability to connect to the SQL Server port would go a long way toward stopping this, too. It's difficult to imagine that you have an application that needs direct SQL Server access from the entire Internet.

Evan Anderson
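The log-watching approach from the last answer, applied to SQL Server failed logins, as an added example that is not part of the original answers and is not the sshd_block script: it counts failures per source IP inside a time window and lists the addresses to block. The log-line wording, the function names, the 3-failure threshold (taken from the question) and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed error-log wording for a failed login; the "Reason:" part is optional.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]"
)

def offenders(lines, max_failures=3, window=timedelta(minutes=5),
              instant_block_users=(), allowlist=()):
    """Return source IPs to block, in the order they crossed the threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in allowlist or m["ip"] in blocked:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures or m["user"].lower() in instant_block_users:
            blocked.append(m["ip"])
    return blocked

def firewall_rule(ip):
    """Windows Firewall command that drops all inbound traffic from ip."""
    return ('netsh advfirewall firewall add rule name="sql-bruteforce {0}" '
            'dir=in action=block remoteip={0}'.format(ip))

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE = """\
2011-05-18 15:40:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-18 15:40:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2011-05-18 15:40:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2011-05-18 15:40:03.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2011-05-18 15:41:10.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2011-05-18 15:50:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2011-05-18 15:50:30.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.7]
""".splitlines()

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print(firewall_rule(ip))
```

Because the applications on this server log in as sa, their addresses belong in `allowlist` before anything acts on the output.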