What should I do if I find someone is brute forcing my server password?

Solution 1:

Unfortunately for any server exposed to the public internet, this is pretty much a fact of life. There will always be some moron trying to hack in. My private server sees several thousand invalid login attempts every day.

You could put a firewall in front, and do port forwarding from an obscure port to the RDP port. This isn't going to protect anything, but at least some of the traffic will go away.

You could report the most frequent IP addresses in the log to the relevant service provider (use whois to find out the service provider for a given IP address. The whois response will also give you an email address for abuse and spam). I have had some success with this in the past.

On a Linux machine I always recommend a package called fail2ban, which monitors the ssh logs and then creates temporary firewall rules to block any ssh traffic from these addresses. That usually stops the attacks dead in their tracks. I am not aware of any equivalent packages for a Windows Server, sorry.
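
As an added illustration of the fail2ban approach described in this answer (example code written for this page, not fail2ban's own code), the sketch below scans constructed sshd log lines and flags any IP with 5 failed passwords inside a 10-minute sliding window; the maxretry/findtime values are assumed defaults, and the firewall command is only built, never executed:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (documentation IP ranges, not a real server).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:00:08 host sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:09 host sshd[1238]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:01:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:30 host sshd[1241]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 12:00:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 12:30:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 13:00:00 host sshd[1302]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# Matches the classic syslog-style "Failed password" line emitted by OpenSSH.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3)

def find_offenders(log_text, maxretry=5, findtime_s=600):
    """Return {ip: time_of_ban} for IPs reaching maxretry failures within findtime_s seconds."""
    recent = defaultdict(list)   # per-IP failure timestamps inside the current window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue             # already decided; fail2ban would have dropped its packets
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.pop(0)        # slide the window: forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def ban_rule(ip):
    """Build (but do not run) the temporary firewall rule a ban would install."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "REJECT"]
```

With the sample above only 203.0.113.5 is flagged: 198.51.100.7 is a user who mistyped once, and 192.0.2.9's three failures are spread 30 minutes apart, so they never accumulate inside one window.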

Solution 2:

Practically, make it longer (e.g. a 30-character passphrase) and change it regularly.

Why is your SQL Server exposed to the internet too?

Solution 3:

The solution to brute force attacks (outside of preventing access addressed in other answers) is to make it less likely they'll succeed.

  • Complex passwords (no common words, special characters, mix of upper/lower case, toss some numbers in ... at LEAST 8 characters long ... mine are 15 or more.)
  • A timer on login attempts. An automatic attack can't spam login attempts if you only allow one every 15 seconds or 3 attempts/minute or however you're able to limit it.
  • A lockout policy ... 3 failed attempts and it locks out for a set time i.e. a half hour. This can be troublesome if it's an admin account, naturally.

Solution 4:

I typically just block IPs. For distributed attacks, temporary blocks of IP segments depending on the geographic origin.