Is it possible to expand on the idea presented in

Ban IP address based on X number of unsuccessful login attempts?

to encompass IP addresses for repeated failed sql server login attempts?

There are log entries in the Application log for each failed attempt. Source = MSSQLSERVER EventID = 18456 and 18452

EDIT 1:In Michael Khalili's response, the #Select Ip addresses that has audit failure powershell section could be replaced by:

#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Application' -InstanceId 3221243928 -After $DT | Select-Object @{n='CLIENT';e={$_.ReplacementStrings[-1]} }

This gives a list from the application log but isn't in a similar format leading into the #Get ip addresses, that have more than x wrong logins powershell section.

I'm not confident the selection is proper.

  • 3
    If you're talking login attempts from the internet, I think a better solution would be to stop exposing a database server directly to the Internet. – Rob Moir Feb 11 '13 at 15:24
  • apologies in advance for the post formatting. i'm trying to figure it out. – user2056045 Feb 11 '13 at 15:57
  • I tried to turn off tracking protection in case it was blocking some scripts but no change (still ignores single line breaks and code blocks). Thanks longneck for the edit to correct the layout. – user2056045 Feb 11 '13 at 16:20
  • The most common way is to lock the account, using AD Account lockout policies. If there is an threat actor brute forcing you shoud stop him before he reaches your machines. – Ace Jul 02 '22 at 16:27

2 Answers2


Check out ts_block. I use it on my win2k3 server to block multi failed ssh attempts and it works great. Just modify config for remote MSSQL connections.

  • 398
  • 4
  • 11
  • Thanks. I'd like to continue with powershell though. – user2056045 Feb 11 '13 at 15:48
  • 1
    We really do prefer that answers have content, not pointers to content. This may theoretically answer the question however, it would be preferable to include the essential parts of the answer here, and provide the link for reference. – Chris S Feb 11 '13 at 15:48

I think I solved this...I get the previous idea, your line to retrieve the data and performed some mod...here is...

(And sorry for my dirty code..It was my 1st time working with PS)

$DT = [DateTime]::Now.AddDays(-1) 

$l = Get-EventLog -LogName 'Application' -InstanceId 3221243928 -After $DT | Select-Object @{n='CLIENT';e={$_.ReplacementStrings[-1]} }
$g = $l | group-object -property CLIENT  | where {$_.Count -gt 10} | Select -property Name

$fw = New-Object -ComObject hnetcfg.fwpolicy2 

$ar = $fw.rules | where {$_.name -eq 'Blocks'} 

$arRemote = $ar.RemoteAddresses -split(',') 

$w = $g | where {$_.Name.Length -gt 1 -and  !($arRemote -contains $_.Name + '/') } 

$x = $w.Name.Replace(" [CLIENT: ","")

$z = $x.Replace("]","")
$h = ""
for($i=0;$i -lt $z.Count;$i++)
    $h += $z[$i]
    $h +="/"
    $h += ","
$full = $h + $ar.remoteaddresses
$fullarray = $full.Split(',') 

$newlist = $fullarray | select -uniq

$ips = "";
for($i=0;$i -lt $newlist.Count;$i++)
    $ips += $fullarray[$i]
    if($i -lt ($newlist.Count -1))
        $ips +=","

$w| %{$ar.remoteaddresses = $ips} # add IPs to firewall rule
  • 9,114
  • 4
  • 44
  • 56
Marco Jr
  • 123
  • 3