Today, my SQL Server 2008 is attacked by hacker from IP address in China [4300 Login failure in last 7 hours]. I contacted GoDaddy support and below is what they told me.
EXEC sp_readerrorlog 0, 1, 'Login failed' [and result 4300+ failed login and still increasing]
As for the SQL Server brute force attack against your server you would need to determine the best method for resolving that on the server. On some systems the best solution is to simply update the firewall on the server to block access to all connections to the port for SQL Server, 1433, so that only a specific IP can access that port, however the security of your server would be up to you and as such we would not be able to guide you on changing the scope of a windows firewall rule. You may wish to review Microsoft's knowledge base for information on using and modifying the windows firewall on your server.
How can I update the firewall on the server to block access to all connections to the port for SQL Server, 1433, so that only my own IP address can access the SQL Server?
Here is what i have done so far (Next day):
I disabled the SA account, since all the attack was on SA username.
I tried to add a inbound rule in firewall for Port number 1433 to block anonymous IP address.
I tried to add a inbound rule in firewall for Program(sqlserver.exe) to block anonymous IP address.
but no WIN yet. login failed attempts is continue to increasing. Can someone guide me how to block anonymous IP on the firewall to access the SQL Server.
Best Answer
This really isn't an SQL Server issue - it seems more of a firewall issue.
If you are in a situation where your SQL Servers are directly accessible from dudes in china - I'd be sorting out why no one in your outfit is handling networking/firewalls etc
It sounds quite possible that you need to be worried about more servers than just the one you've noticed getting tickled!