How to block an IP

I have been observing the 'application log' in 'event viewer'. It has come to my notice that somebody is trying to trace the password of my SQL Server. I think that, to hack the database, the user might be using a program for tracing the username and password; this came to my notice because the log shows an event (audit failure) every millisecond. The user logs in from IP 213.16.19.14 and uses username 'sa'; at the same time he logs in from IP 80.93.230.82 and uses username 'albatross' or 'password'.
Please tell me
1. How is it happening?
2. How to block or restrict these two IPs (213.16.19.14 & 80.93.230.82)
3. How to protect my SQL Server from hackers?
Umesh Modi Asked:

2PiFL Commented:

Put the SQL Server behind a hardware firewall or set up a local security policy to block those addresses. The firewall will be more effective, though, as they will simply change the address of attack and you'd be constantly editing your security policy with the new addresses.
0
Sander Stad (Systems Developer, Database Administrator) Commented:
How it is happening?
People will always try to attack your systems and find a way to get in. There are several programs that will try to get the password by brute force, trying every single password that they can generate.
How to block the IPs
You can do several things to protect your server from attacks.
  1. Firewall
  2. IPsec
  3. Local security policy
1. Firewall
When you create an exception for the SQL Server port, you can block traffic from a certain IP address to your server.
2. IPsec
Configure an IPsec policy to block the IP address of the attacker's machine. IPsec is available on Windows 2000, XP and Windows 2003. This is a website that can help you: http://support.microsoft.com/kb/313190
3. Local security policy
For this option look at this article: http://www.webhostingtalk.com/archive/index.php/t-364172.html
How to protect your SQL Server
Be sure to have all the latest security updates. If you don't have a firewall installed on your SQL Server, install one. Be sure to have antivirus software installed on your server.
 
0

btan (Exec Consultant) Commented:
1. How is it happening?

There should be some process attempting unauthorised logins, enumerating through the default accounts and passwords and brute forcing the credentials. One possible tool is SQLDict (dictionary attack tool, an exe) http://ntsecurity.nu/toolbox/sqldict/
In the first place, the SQL Server should not have been exposed directly to the "wild"; the malicious attempt may have gotten in based on the default port being exposed as they are scanning.
From the IPs (http://www.geobytes.com/IpLocator.htm?GetLocation), they are from India and Yugoslavia (but of course they may not be the real IPs as well); it looks like a concerted attempt, or else separate entities.

2. How to block or restrict these two IPs (213.16.19.14 & 80.93.230.82)

As suggested above; in addition, you can also consider:
a) A proxy setup to anonymise and hide your IP, with a firewall guarding and screening the inbound traffic. If you are not from the same locality, set a rule to block those IP subnets, but it is interim.
b) Establish secure authentication in SQL via SSL (http://support.microsoft.com/kb/316898), but this is rather tedious

3. How to protect my SQL Server from hackers?

a) Change the default accounts and enforce strong passwords
(make sure the hardcodes are updated, if any)
b) Enforce a password lockout policy (so no brute force can be successful)
http://searchsqlserver.techtarget.com/news/article/0,289142,sid87_gci1102101,00.html
c) My suggestion is to close the remaining services (telnet, remote services, etc.) not needed on the SQL box and also have least privilege for the SQL services
(see http://searchsqlserver.techtarget.com/generic/0,295582,sid87_gci1325004,00.html?asrc=SS_CLA_301336&psrc=CLT_87#1)
d) You may also want to consider setting up a monitoring agent to alert when something "funny" is triggered
(see http://manageengine.adventnet.com/products/applications_manager/sql-server-management.html?adwords01mssql1&CampaignID=200301402&gclid=COvMoefjgZcCFQwcegodwmxhXg)
0
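
The kind of alerting the answers above recommend, sketched as an added example that is not part of the original thread: it scans exported SQL Server "Login failed" (audit failure) messages and flags source addresses with a burst of failures, which is what the question describes. The one-line export layout (timestamp, then message text), the threshold, the window, the address 192.0.2.10 and the user 'reports' are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export layout: "<timestamp> <message>"; the [CLIENT: ip] suffix is SQL Server's.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[0-9.]+)\]"
)

# Constructed sample input (not real log data); IPs and logins mirror the question.
SAMPLE_LOG = """\
2008-11-20 10:15:01.100 Login failed for user 'sa'. [CLIENT: 213.16.19.14]
2008-11-20 10:15:01.105 Login failed for user 'albatross'. [CLIENT: 80.93.230.82]
2008-11-20 10:15:01.110 Login failed for user 'sa'. [CLIENT: 213.16.19.14]
2008-11-20 10:15:01.115 Login failed for user 'password'. [CLIENT: 80.93.230.82]
2008-11-20 10:15:01.120 Login failed for user 'sa'. [CLIENT: 213.16.19.14]
2008-11-20 10:15:01.125 Login failed for user 'albatross'. [CLIENT: 80.93.230.82]
2008-11-20 10:15:01.130 Login failed for user 'sa'. [CLIENT: 213.16.19.14]
2008-11-20 10:15:01.135 Login failed for user 'password'. [CLIENT: 80.93.230.82]
2008-11-20 10:20:44.000 Login failed for user 'reports'. [CLIENT: 192.0.2.10]
2008-11-20 10:20:50.000 Login succeeded for user 'reports'. [CLIENT: 192.0.2.10]
"""

def parse_failures(text):
    """Return {ip: [(timestamp, user), ...]} for failed logins only."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # successful logins and malformed lines are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events[m["ip"]].append((ts, m["user"]))
    return events

def find_bruteforce(text, threshold=4, window=timedelta(seconds=10)):
    """Flag IPs with at least `threshold` failures inside any sliding `window`."""
    flagged = {}
    for ip, evts in parse_failures(text).items():
        evts.sort()
        start = 0
        for end in range(len(evts)):
            while evts[end][0] - evts[start][0] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(evts), "users": sorted({u for _, u in evts})}
                break
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A single mistyped password, like the 'reports' line, stays below the threshold, so only sustained guessing produces candidates for a firewall or IPsec block rule.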