Sql Failure Audits Every Second

Question

I'm looking at my event viewer on my computer and seeing that every single event in the Applicaiton event viewer is a Failure Audit for SQL Server. The properties of the event all say

Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 78.111.98.132]

Does this mean that there is somebody trying to crack my password? IS there anyway to stop this? Also there don't seem to be any other events beside this one, is there a reason for that?

This is a Windows Server 2003 R2 Enterprise edition, w/ Service Pack 2 running SQL Server Standard 2008

Answer 1

The IP you gave traces to a Turkish ISP in Istanbul, and I suspect that is not where you expecting login attempts, certainly not to SA.

Unless you absolutely need it, disable the SA account, ban the IP range and then get more info on server hardening.

Answer 2

Any SQL Server exposed to the internet will get hundreds of such events per hour. There are many bots scanning constantly for weak sa passwords on the default SQL server port. Moving the SQL Server listenning port will add some very marginal value, there are just as many scans searching for any open port. While you can blacklist suspicious IPs, attackers usualy have herds and herds of IPs to use, so is a loosing battle.

The real solution is to withdraw your SQL Server from the internet altogether. Do you have any specific reason why its listenning to the net? You don't have to change the physical location, just configure the SQL Server endpoints to listen only on the local and intranet addresses.