Security – How to protect SQL Server from Hackers


I am having an issue and could not figure out how to handle it. I have a SQL Server on a Windows 2008 R2 server. This SQL Server 2005 is being used to receive DB subscriptions from another SQL Server located elsewhere on the Internet. I have the SQL Server port open through the firewall; however, in the scope I have entered the IP of the other SQL Server. Doing so, I hoped that connection requests through that port would not reach the SQL Server unless the requests were coming from the other SQL Server (whose IP is listed in the scope in the firewall rule). But when I look at the log, there are hundreds of "login failed user sa" entries (and they are coming every second). It appears some hacker is trying to brute-force the sa password. But the question is, why is Windows letting these requests reach the SQL Server even though they are not coming from the IP address that is listed in the firewall scope? What is the right way to protect this SQL Server? No IP other than the IP of the other SQL Server needs to connect to this SQL Server.

EDIT – Further Info:

I ran telnet against the SQL Server port from different machines. Telnet fails except when it is run from the machine that is specifically mentioned in the firewall scope. So it appears that the firewall is blocking the SQL Server port fine. But then why am I seeing those failed login requests to user "sa" from different IP addresses in the SQL Server log? Is it possible the hacker is entering the machine via port 80 and then somehow trying to connect to the SQL Server? Ports 80 and 443 are open to everybody. All other ports are closed with the exception of the SQL Server port (and that is open only for one specific IP). There is nothing running on the web server at port 80 that might lead a visitor to SQL Server. In fact, there is only one index.html (pure HTML with no connection to SQL) file on the web server. This is just a test server being set up for future use. There is only test data in SQL Server.

EDIT:

I turned on firewall tracing to include both dropped and successful connections. It is now tracing everything. Then I go to the SQL Server log, where I see these failed login attempts from different IP addresses in China. But there are no entries for these IP addresses in the firewall log. How is this possible? Can they get to SQL Server, bypassing the firewall completely? Suppose some firewall port was open that they could enter through; then the firewall log should show an entry for that IP address. I am at a complete loss.
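A defender's first move with a log like the one described above is to pair each `Error: 18456 ... State: N` line with the `Login failed for user ... [CLIENT: ip]` line that follows it, count attempts per client and login, and flag any client address that is outside the firewall scope. The script below is an added example, not from the question or the answer; the sample errorlog lines and IP addresses are constructed (RFC 5737 documentation ranges), and the allowed-source list stands in for the replication partner's IP.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of SQL Server errorlog lines (hypothetical IPs, RFC 5737 ranges).
SAMPLE_LOG = """\
2012-04-02 09:15:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-02 09:15:01.11 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2012-04-02 09:15:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-02 09:15:02.40 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2012-04-02 09:15:03.02 Logon       Error: 18456, Severity: 14, State: 5.
2012-04-02 09:15:03.02 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.77]
2012-04-02 09:16:10.55 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-02 09:16:10.55 Logon       Login failed for user 'repl_user'. [CLIENT: 192.0.2.10]
2012-04-02 09:16:11.00 Logon       Error: 18456, Severity: 14, State: 8.
2012-04-02 09:16:11.00 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
"""
ERROR_RE = re.compile(r"Error: 18456, Severity: 14, State: (\d+)\.")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'\. \[CLIENT: ([^\]]+)\]")
# Error 18456 state codes that matter for password guessing (documented SQL Server values).
STATE_MEANING = {"5": "login does not exist", "7": "login disabled, bad password", "8": "bad password"}

def summarize_failed_logins(log_text, allowed_sources):
    """Return (attempts per (client, user), state counts per client, clients outside scope)."""
    allowed = [ip_network(a) for a in allowed_sources]
    counts = Counter()
    states = defaultdict(Counter)
    pending_state = None
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            pending_state = m.group(1)   # remember the state; the client line comes next
            continue
        m = FAIL_RE.search(line)
        if m:
            user, client = m.group(1), m.group(2)
            counts[(client, user)] += 1
            states[client][STATE_MEANING.get(pending_state, "state " + str(pending_state))] += 1
            pending_state = None
    unexpected = []
    for client in sorted({c for c, _ in counts}):
        try:
            addr = ip_address(client)
        except ValueError:
            continue  # '<local machine>' or a named-pipe client: not a remote TCP source
        if not any(addr in net for net in allowed):
            unexpected.append(client)
    return counts, dict(states), unexpected
```

Any address reported in `unexpected` reached the instance from outside the firewall scope, which is exactly the discrepancy the question describes and the evidence to compare against the firewall trace for the same timestamps.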

Best Answer

Sounds like your firewall isn't configured correctly. This is the first step.

Normally I wouldn't pimp a book that I wrote, but in this case I'll make an exception. It's called Securing SQL Server and it'll give you a good start.