{"id":1633,"date":"2026-01-02T20:55:30","date_gmt":"2026-01-02T20:55:30","guid":{"rendered":"https:\/\/b2bhostingclub.com\/blog\/?p=1633"},"modified":"2026-02-04T14:14:36","modified_gmt":"2026-02-04T14:14:36","slug":"how-to-prevent-brute-force-login-attacks-on-mssql","status":"publish","type":"post","link":"https:\/\/b2bhostingclub.com\/blog\/how-to-prevent-brute-force-login-attacks-on-mssql\/","title":{"rendered":"How to Prevent Brute-force Login Attacks on MSSQL"},"content":{"rendered":"<div class=\"d-title pt-10 pb-0\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-left d-text-left d-title-inner\">\n<h2 id=\"introduction\" class=\"col col-md-10 d-h2 d-color-black  core-title\">Introduction<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-paragraph-card\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters pt-4 pb-1\">\n<div class=\"col\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">If you are running Microsoft SQL Server, you may be aware that your SA account is subject to brute-force attacks. Nearly every SQL server connected to the Internet is under constant attack. Once a hacker is able to gain access to an SA (DBA) account, or even a normal user account, they can gain full access to the file system on the server and even to the files on the network the server is connected to.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">By detecting failed logins and blocking the source IP address for some time, you will most likely make the attackers move on to another server instead. 
We can create firewall rules that stop the attackers after a few attempts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-title pt-10 pb-0\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-left d-text-left d-title-inner\">\n<h2 id=\"3-steps-to-prevent-brute-force-attacks-on-mssql-on-windows\" class=\"col col-md-10 d-h2 d-color-black  core-title\">3 Steps to Prevent Brute-force Attacks on MSSQL on Windows<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-paragraph-card\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters pt-4 pb-1\">\n<h3 class=\"col col-md-12 d-h3 d-color-black d-fs-20 d-fw-600 d-lineheight-24 core-title\">Step 1. Open Login Auditing<\/h3>\n<div class=\"col\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\"><span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0Enable auditing of service login authentication so that the SQL log will record relevant login information.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/0ed1cf1b3b1a4cb7a0842bd13f22a188\/MSSQL-Properties.png\" alt=\"MSSQL Properties\" width=\"480\" \/><\/div>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/beb2f856f5a140589676e60f12d11642\/MSSQL-Server-Properties.png\" alt=\"MSSQL Server Properties\" width=\"680\" \/><\/div>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p 
class=\"mb-0\"><span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0Configure the log file size and count<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/d75d3c1f714d44f8af659dae71cea26d\/SQL-Server-Configure.png\" alt=\"SQL Server Configure\" width=\"480\" \/><\/div>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/736d7e32ad744374800518e780af7483\/Configure-SQL-Server-Error-Logs.png\" alt=\"Configure SQL Server Error Logs\" width=\"680\" \/><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-paragraph-card\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters pt-4 pb-1\">\n<h3 class=\"col col-md-12 d-h3 d-color-black d-fs-20 d-fw-600 d-lineheight-24 core-title\">Step 2. Analyze log files<\/h3>\n<div class=\"col\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">Microsoft SQL Server logs failed login attempts in SQL Server Logs, which in practice is the ERRORLOG file in your SQL Server Log directory. A failed login attempt looks like this, for example:<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<pre class=\"d-fs-normal d-lineheight-26 mb-0\">2021-09-16 00:21:04.95 Logon       Error: 18456, Severity: 14, State: 8.\r\n2021-09-16 00:21:04.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. 
[CLIENT: 213.252.0.12]<\/pre>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/e6c515dd77594030a1f5083f43a3275e\/Analyze-log-files.png\" alt=\"Analyze log files\" width=\"680\" \/><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-paragraph-card\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters pt-4 pb-1\">\n<h3 class=\"col col-md-12 d-h3 d-color-black d-fs-20 d-fw-600 d-lineheight-24 core-title\">Step 3. Add abnormal IP to firewall<\/h3>\n<div class=\"col\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">Add the source IP addresses that the log analysis flags as dangerous, such as 1.1.1.1 and 1.1.1.2, to the local firewall.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<div class=\"d-text-start\"><img decoding=\"async\" class=\"d-img d-lazy-img\" src=\"https:\/\/images.cloudclusters.io\/b4b49ceeaf1a44579774f7117dcda2a9\/Add-abnormal-IP-to-firewall.png\" alt=\"Add abnormal IP to firewall\" width=\"980\" \/><\/div>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">In order to protect your SQL Server from these brute force attacks, you need to block this IP address. \u201cOK, that\u2019s easy\u201d, you might think. But what if there are thousands of log lines? 
Let\u2019s use PowerShell to automate parsing this log and filtering the IPs to block.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">In a nutshell, you\u2019re going to use PowerShell to:<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\"><span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0parse the SQL Server ERRORLOG log file<br \/>\n<span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0get all IP addresses responsible for failed login attempts<br \/>\n<span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0filter out your own IP addresses (you don\u2019t want to lock yourself out)<br \/>\n<span class=\"fm-msr fm-msr-fill d-fs-12\">fiber_manual_record<\/span>\u00a0add those IPs to the Windows Defender Firewall with Advanced Security. 
If it\u2019s not listed yet, that is.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">Note: We will develop a small tool for our customers to use; please watch for updates here.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-title pt-10 pb-0\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-left d-text-left d-title-inner\">\n<h2 id=\"how-to-prevent-brute-force-login-attacks-on-sql-server-on-linux\" class=\"col col-md-10 d-h2 d-color-black  core-title\">How to Prevent Brute Force Login Attacks on SQL Server on Linux<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"d-paragraph-card\">\n<div class=\"container\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters pt-4 pb-1\">\n<div class=\"col\">\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">The method to prevent brute force login attacks on SQL Server on Linux systems is similar to that on Windows. Moreover, Linux is more convenient because the powerful and free fail2ban tool is available.<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">There is a script on GitHub (<a class=\"d-color-primary\" href=\"https:\/\/github.com\/ToulisDev\/fail2ban-action-mssql\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/ToulisDev\/fail2ban-action-mssql<\/a>) to add banned IPs from fail2ban to your MS SQL server using ban-action from fail2ban. 
(Tested on Ubuntu Server)<\/p>\n<\/div>\n<\/div>\n<div class=\"row row-cols-1  justify-content-start d-text-start d-title-inner no-gutters\">\n<div class=\"col\">\n<p class=\"mb-0\">For more information about the use of Fail2ban, you can visit\u00a0<a class=\"d-color-primary\" href=\"https:\/\/www.b2bhostingclub.com\/blog\/how-to-prevent-ssh-brute-force-attacks-on-linux-using-fail2ban\" target=\"_blank\" rel=\"noopener\">How to Prevent SSH Brute-Force Attacks on Linux Using Fail2ban<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction If you are running Microsoft SQL Server, you may be aware that your SA account is subject to a brute force attack. Nearly every SQL server connected to the Internet is under constant attack. Once a hacker is able to gain access to a SA (DBA) account, or even a normal user account, it [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":1634,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1633","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-hosting"],"_links":{"self":[{"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/posts\/1633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/comments?post=1633"}],"version-history":[{"count":1,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/posts\/1633\/revisions"}],"predecessor-version":[{"id":1635,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/posts\/1633\/revisions\/
1635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/media\/1634"}],"wp:attachment":[{"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/media?parent=1633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/categories?post=1633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/b2bhostingclub.com\/blog\/wp-json\/wp\/v2\/tags?post=1633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}