Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell

Home » Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell

For the time being, some manual labor is involved, but it is still manageable. You can use this to create your own solution to block offending IP addresses in SQL Server’s firewall.

This PowerShell solution blocks IP addresses that are trying to brute force your SQL Server logins, by blocking IP addresses in Windows Defender Firewall with Advanced Security.

Microsoft SQL Server logs failed login attempts in SQL Server Logs, which practically is the ERRORLOG file in your SQL Server Log directory. An failed login attempt is for example:

2021-09-16 00:21:04.95 Logon       Error: 18456, Severity: 14, State: 8.
2021-09-16 00:21:04.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 233.252.0.12]

When writing blog posts, substitute real-world IP addresses with reserved ones. Best practice is to use Documentation scope IP addresses in net blocks 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 233.252.0.0/24.

Also read:

In order to protect your SQL Server from these brute force attacks, you need to block this IP address. “OK, that’s easy”, you might think. But what if there are thousands of log lines? Let’s use PowerShell to automate parsing this log and filtering IP’s to block.

In a nutshell, you’re going to use PowerShell to:

  • parse SQL Server ERRORLOG log file
  • get all IP addresses responsible for failed login attempts
  • filter out your own IP addresses (you don’t want to lock yourself out)
  • add those IP’s to the Windows Defender Firewall with Advanced Security. If it’s not listed yet, that is.
See also  How to install Microsoft's SQL Server Driver for PHP

Regexes I use in these examples are probably not strict enough, use at your own risk.

First you define a simple IP pattern regex:

$ipPattern = [Regex]::new("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

Secondly, define a regex matching your IP space and localhost (to filter out):

# My network lives in 203.0.113.0/24
$own_IPs = [Regex]::new("(127\.0\.0\.1|203\.0\.113\.[0-9]{1,3}")

You use these two regexes to filter SQL Server’s ERRORLOG. The following gets the contents of ERRORLOG, selects all IP addresses and filters out your own IP addresses / space. It’s added to $result array:

$result = gc D:\mssql\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG | Select-String ${ipPattern} | Select-String -notmatch $own_IPs

If you want to know the contents of $result, you can get all array values with $result.Matches.value. For the time being, write it out to a text file:

$result.Matches.value | Out-File ~/ips.txt

All IP addresses are now in the text file ips.txt, in your home directory. But you need unique IP’s:

Get-Content ~/ips.txt | Sort-Object | Get-Unique -AsString | Out-File ~/unique_ips.txt

Yeah, yeah, of course you can simplify this. For the sake of this post, it’s as verbose as possible 🙂

Now you can easily loop through your unique_ips.txt file using PowerShell‘s foreach. Add IP’s to an array, filter out already blocked IP’s, and feed that array to New-NetFirewallRule. Sounds easy, right? Here it is:

$ips = @()
foreach ($ip in Get-Content .\unique_ips.txt) {
  if ((Get-NetFirewallRule -DisplayName "IP Block SQL Server" | Get-NetFirewallAddressFilter).RemoteAddress -eq $ip) {
    # debug:
    # Write-Host "IP ${ip} already blocked"
    continue
  }
  else {
    $ips += $ip
  }
}

New-NetFirewallRule -DisplayName "IP Block SQL Server" -Direction Inbound -Action Block -RemoteAddress $ips

If you do this (twice-) daily, you can keep your SQL Server pretty safe from brute force attacks. Or better: automate this.

See also  Software deployment through WDS

One-time donation

Please take a second to support Sysadmins of the North and donate, your generosity helps!

Thank you very much! <3 ❤️

0 0 votes
Article Rating
Subscribe
Notify of
guest
3 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback
Add, list and remove IP addresses in Windows Firewall - Sysadmins of the North
2025-09-16 9:26 am

[…] you have the same firewall data available as in my previous post Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell. Read that article first if you’re unsure. Let’s assume you have not yet created your firewall […]

trackback
IIS 10.0 FTP IP Security allow list - Sysadmins of the North
2025-09-16 12:33 pm

[…] Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell […]

trackback
Manually failover all databases in an SQL Server Database Mirroring configuration - Sysadmins of the North
2025-10-18 9:32 am

[…] Block brute force attacks on SQL Server, block IP addresses in Windows Firewall using PowerShell […]