how to block an IP

Posted on 2008-11-19
Last Modified: 2013-12-04
I have been observing the 'application log' in 'event viewer'. It has come to my notice that somebody is trying to trace the password of my sqlserver. I think that, to hack the database, the user might be using a program for tracing the username and password; I noticed this because the log shows an event (audit failure) every millisecond. The user logs in from IP and uses username 'sa' at the same time he logs in from IP and uses username 'albatross' or 'password'.
Please tell me
1. How is it happening?
2. How to block or restrict these two IPs( &
3. How to protect my sqlserver from hackers?
Question by:umeshmodi
    LVL 17

    Assisted Solution


    Put the SQL server behind a hardware firewall or set up a local security policy to block those addresses.  The firewall will be more effective though, as they will simply change the address of attack and you'd be constantly editing your security policy with the new addresses.
    LVL 9

    Accepted Solution

    How it is happening?
    People will always try to attack your systems and find a way to get in. There are several programs that will try to get the password by brute force, trying every single password that they can generate.

    How to block the IPs
    You can do several things to protect your server from attacks.
    1. Firewall
    2. IP SEC
    3. Local security policy

    1. Firewall
    When you create an exception for the SQL Server port, you can block traffic from a certain IP address to your server.

    2. IP SEC
    Configure an IPSec policy to block the IP address of the attacker's machine. IPSec is available on Windows 2000, XP and Windows 2003. This is a website that can help you:

    3. Local security policy
    For this option look at this article:

    How to protect your SQL Server
    Be sure to have all the latest security updates. If you don't have a firewall installed on your SQL Server, do so. Be sure to have antivirus software installed on your server.
    LVL 60

    Assisted Solution

    1. How is it happening?

    There should be some process attempting unauthorised logins, enumerating through the default accounts and passwords and brute forcing the credentials. One possible tool is SQLDict (dictionary attack tool, an exe).
    In the first place, the SQL server should not have been exposed directly to the "wild"; the malicious attempt may have gotten in based on the default port exposed as they are scanning.
    From the IPs (, they are from India and Yugoslavia (but of course they may not be the real IP as well), looks like a concerted attempts else separate entity.

    2. How to block or restrict these two IPs( &

    As suggested above; in addition, you can also consider:
    a) Proxy setup to anonymise and hide your IP, with a firewall guarding and screening the inbound traffic. If you are not from the same locality, set a rule to block those IP subnets, but it is interim.
    b) Establish secure authentication in sql via SSL ( but this rather tedious

    3. How to protect my sqlserver from hackers?

    a) Change the default accounts and enforce strong password
    (make sure the hardcodes are updated, if any)
    b) Enforce password lockout policy (so no brute force can be successful),289142,sid87_gci1102101,00.html
    c) My suggestion is to close the remaining services (telnet, remote services, etc.) not needed on the SQL box and also have least privilege for the SQL services
    d) You may also want to consider setting up a monitoring agent to alert when something "funny" is triggered
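
The monitoring idea in the last answer, as an added example that is not part of the original thread: a Python sketch that reads "Login failed" lines and reports which client addresses exceed a failure threshold inside a short window. The log line shape, the threshold and the window are assumptions, and the addresses are documentation-range placeholders because the thread's own IPs are not shown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like SQL Server "Login failed" messages;
# addresses come from the RFC 5737 documentation ranges, not from the thread.
SAMPLE_LOG = """\
2008-11-19 10:00:00.010 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-11-19 10:00:00.020 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-11-19 10:00:00.030 Logon Login failed for user 'albatross'. [CLIENT: 198.51.100.23]
2008-11-19 10:00:00.040 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-11-19 10:00:00.050 Logon Login failed for user 'password'. [CLIENT: 198.51.100.23]
2008-11-19 10:00:01.000 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-11-19 10:00:01.010 Logon Login failed for user 'albatross'. [CLIENT: 198.51.100.23]
2008-11-19 10:00:01.020 Logon Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-11-19 10:00:02.000 Logon Login failed for user 'password'. [CLIENT: 198.51.100.23]
2008-11-19 10:00:02.500 Logon Login failed for user 'albatross'. [CLIENT: 198.51.100.23]
2008-11-19 10:05:00.000 Logon Login failed for user 'appuser'. [CLIENT: 192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ .*?"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failures(text):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"])

def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: sorted usernames tried} for clients with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```

The flagged addresses are candidates for the firewall or IPSec block rules recommended in the answers above; a single mistyped password from a legitimate client stays below the threshold.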
