Is it possible to expand on the idea presented in "Ban IP address based on X number of unsuccessful login attempts?" to encompass IP addresses for repeated failed SQL Server login attempts?
There are log entries in the Application log for each failed attempt.
Source = MSSQLSERVER
EventID = 18456 and 18452
EDIT 1: In Michael Khalili's response, the "#Select Ip addresses that has audit failure" PowerShell section could be replaced by:
#Select Ip addresses that has audit failure
$l = Get-EventLog -LogName 'Application' -InstanceId 3221243928 -After $DT | Select-Object @{n='CLIENT';e={$_.ReplacementStrings[-1]} }
This gives a list from the application log but isn't in a similar format leading into the "#Get ip addresses, that have more than x wrong logins" PowerShell section.
I'm not confident the selection is proper.
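An added example, not part of the original post or of the referenced script: one way to turn the CLIENT values selected above into a per-address failure count. The function name Get-FailedLoginSource, the threshold of 3 and the sample events are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Sample events are constructed;
# on a live server $l would come from the Get-EventLog pipeline shown above.
$l = @(
    [pscustomobject]@{ CLIENT = ' [CLIENT: 203.0.113.10]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: 203.0.113.10]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: 198.51.100.7]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: 203.0.113.10]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: <local machine>]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: 203.0.113.10]' }
    [pscustomobject]@{ CLIENT = ' [CLIENT: 198.51.100.7]' }
)

# Hypothetical helper: returns addresses with more than $Threshold failures.
function Get-FailedLoginSource {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $Threshold = 3
    )
    $Events | ForEach-Object {
        # The last replacement string looks like " [CLIENT: 203.0.113.10]".
        if ($_.CLIENT -match '\[CLIENT:\s*([^\]]+)\]') {
            $ip = $null
            # Skip non-address values such as "<local machine>" and never
            # report loopback, so the server cannot end up blocking itself.
            if ([System.Net.IPAddress]::TryParse($Matches[1].Trim(), [ref]$ip) -and
                -not [System.Net.IPAddress]::IsLoopback($ip)) {
                $ip.ToString()
            }
        }
    } | Group-Object | Where-Object { $_.Count -gt $Threshold } |
        Select-Object Count, Name
}

Get-FailedLoginSource -Events $l -Threshold 3
```

The Name property of each result holds the address as a plain string, which is the form a later blocking step would need.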
Best Answer
Check out ts_block. I use it on my win2k3 server to block multi failed ssh attempts and it works great. Just modify config for remote MSSQL connections.