What should I do about someone trying to brute-force the login to our SQL Server 'sa' account?

Looks like someone or something is trying a brute force attempt at logging into our production SQL Server instance with the 'sa' account. They haven't been successful because our 'sa' account is disabled, but what steps should I take to make sure things are secure?


Solution 1:

Does your SQL server need to be publicly available to the Internet? This is usually not the case. If it absolutely has to be this way, you could restrict access by IP address or maybe set up a VPN. Obviously, make the sa password unguessable or see about restricting sa login locations from only your LAN IP addresses. Please provide more details so others can assist you with better solutions.

Solution 2:

The first thing you could do is start by blacklisting that IP address, and outright denying ANY traffic from their IP at your firewall. Of course, they may just change IPs, but at the least it'll stop them from bombarding your server with traffic and logs.
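To decide which addresses to block, the failed logins can be counted per client from the SQL Server error log. The following is an added example, not part of the original answers: it flags clients whose failures exceed a threshold inside a sliding time window. The sample log lines are constructed, and the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample text shaped like SQL Server ERRORLOG failed-login entries.
# Addresses come from documentation ranges; nothing here is real log data.
FMT = ("{ts} Logon       Login failed for user '{user}'. Reason: Password did "
       "not match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    # Six 'sa' failures two seconds apart from one source.
    [FMT.format(ts=f"2024-03-01 02:14:{s:02d}.11", user="sa", ip="203.0.113.7")
     for s in range(0, 12, 2)]
    # Two failures an hour apart: looks like a mistyped password, not an attack.
    + [FMT.format(ts=f"2024-03-01 0{h}:30:00.00", user="appuser", ip="198.51.100.20")
       for h in (8, 9)]
    + ["2024-03-01 09:00:00.00 spid51      Starting up database 'tempdb'."]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def failed_logins(log_text):
    """Yield (timestamp, login name, client address) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"].lower(), m["client"].strip()

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak failures within any window} for clients at or over threshold."""
    by_client = defaultdict(list)
    for ts, _user, client in failed_logins(log_text):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```

The sliding window keeps an occasional mistyped password from landing a legitimate client on the block list.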

Solution 3:

Disable that port (MySQL is 3306; don't recall SQL Server's port, maybe 118?) through the firewall. Then no one can access it.
If outside access to SQL is needed, remap it to a high-numbered port, like 53535. If anyone figures out that port is open, it will be hard to guess its significance.