What should I do about someone trying to brute force attempt to login to our SQL Server 'sa' account?

Solution 1:

Does your SQL server need to be publicly available to the Internet? This is usually not the case. If it absolutely has to be this way, you could restrict access by IP address or maybe set up a VPN. Obviously, make the sa password unguessable or see about restricting sa login locations to only your LAN IP addresses. Please provide more details so others can assist you with better solutions.

Solution 2:

The first thing you could do is start by blacklisting that IP address, and outright denying ANY traffic from their IP at your firewall. Of course, they may just change IPs, but at the least it'll stop them from bombarding your server with traffic and logs.
Solution 3:

The login attempts involve attempts to inject some malicious code. I recommend blocking this activity with a permanent blacklist using either the server's firewall software or a third-party external firewall.

Also, reduce the number of allowed login failures as this will automatically block the intruder's IP address.

Above will minimise this.
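
As an added illustration of the detection-then-block approach in the two answers above (not code from any of the posters): the script parses constructed SQL Server ERRORLOG-style failed-login lines (error 18456 entries carry the source in a `[CLIENT: ip]` tag), flags source IPs that exceed a failure threshold for `sa` inside a sliding time window, and builds the Windows Firewall `netsh` rule that would drop that source. The threshold, window, and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of SQL Server ERRORLOG failed-login lines
# (addresses and timestamps are made up for this example).
SAMPLE_ERRORLOG = """\
2024-03-01 02:10:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 02:10:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 02:10:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-03-01 09:15:44.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-03-01 09:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failures(text):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")

def brute_force_sources(text, user="sa", threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for client IPs that produced at least
    `threshold` failures for `user` within any sliding window of `window`."""
    events = defaultdict(list)
    for ts, u, ip in parse_failures(text):
        if u == user:
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def firewall_block_command(ip):
    """Windows Firewall (netsh advfirewall) rule that drops inbound traffic from ip."""
    return (f'netsh advfirewall firewall add rule name="Block SQL brute force {ip}" '
            f"dir=in action=block remoteip={ip}")
```

A single LAN host with one `sa` failure stays below the threshold, so it is not blocked; only the burst from the external address is turned into a firewall rule.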
Solution 4:

Disable that port (MySQL is 3306; don't recall SQL Server's port, maybe 118?) through the firewall. Then no one can access it.
If outside access to SQL is needed, remap it to a high-numbered port, like 53535. If anyone figures out that port is open, it will be hard to guess its significance.
Solution 5:

It's probably just some script kiddie running a scanner and not worth your time pursuing. I would look at not having your database accessible from the Internet.