It is not uncommon for me to review the event logs of our SQL Server and notice that someone is attempting to figure out the password for one of the SQL user accounts.........especially the "sa" username. But lately our SQL server has to be rebooted to where it is starting to become a nightly thing.
Last night the SQL Server was bombarded with attempted failed connections for 2 hours before it finally gave a blank BSOD. The SQL Server in question is in mixed mode and is a shared server. Strictly using Windows Authentication mode is not an option for us. The server has "beefy" hardware and has all updates and patches.
Sometimes, when I log on the server and notice that an IP address is making such attacks on the server, I put up an IPSEC policy against that IP. But that is not a good solution for reasons I dont think need to be outlined here.
So my question is, what can I do to better protect our SQL Server from these types of attacks? My thought on these attacks is not different than a DDOS that eventually takes the server down.
I have already done TCP/IP Hardening but not sure what else to do.
Another solution might be to implement some form of challenge-response mechanism. For instance, if the access to the SQL Server is via a web page, have that web page (or one of its predecessors) enable the specific IP or MAC address for port 1433 for some arbitrary period of time. If the access is via a two-tier client, use an RPC to do the same thing. This will effecitvely cut off your SQL Server from all but pre-approved machines, and it is much less cumbersome for the user than using VPN to acheive similar results.