MS-SQL Brute-Force Protection
Protection Overview
RdpGuard allows you to effectively stop password-guessing brute-force attacks on your MS-SQL server.
It monitors the system event log (Application) for MS-SQL failed login attempts (Event ID 18456) and blocks IP addresses if the number of failed login attempts reaches a set limit.
These events are written by MS-SQL server if the corresponding option is turned on in MS-SQL Management Studio.
To enable logging for failed MS-SQL login attempts
1. Start Microsoft SQL Server Management Studio
2. Right-click on your server and choose Properties
The Server Properties dialog will open.
3. Navigate to Security and check the Login auditing group.
4. Set Login auditing to Failed logins only or Both failed and successful logins.
5. Click OK.
To Enable MS-SQL Server Protection
1. Start RdpGuard Dashboard and click on the link next to MS-SQL
The MS-SQL Settings dialog will open.
2. Turn on Enable MS-SQL protection
3. Turn on the events you would like to monitor:
Event ID 18456 - in most cases these events indicate a brute-force attack on MS-SQL Server. It is always enabled.
Event ID 17832 - this event may also be part of an attack on MS-SQL server. You may also enable it if you receive multiple 17832 events with a message like "The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library"
Event ID 17836 - this event may also be part of an attack on MS-SQL server. You may also enable it if you receive multiple 17836 events with a message like "Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library"
4. Click Save
Exclusions for Event ID 18456
In some cases you may want to exclude 18456 Events from processing based on the Reason field in event details.
1. Click the Exclusions link next to the Event ID 18456 check-box
The MS-SQL Exclusions dialog will open.
2. Enter exclusion patterns for the Reason field, one exclusion pattern per line. An Event ID 18456 event is skipped from processing if its Reason field contains any of the exclusion patterns.
3. Click Save