How To Determine If Ipsec Block Ip Address Is Working?

[kpgraci]

I'm getting a lot of brute force attacks on my sql server sa account, usually from a variety of IP addresses, but there was one IP that kept coming back for several days, so I created an IPSec policy to block it. My question: Is there a way to tell (event?) that the IP address attempted to connect but was blocked? (this almost seem counter-intuitive, but who knows?)

 

I ask because I want to make sure my block works. Obviously if I see the IP address show up in my sql logs again I know it did not, but not showing up again does not prove it did work. Also I'd like the satisfaction of seeing the IP blocked. :)

 

BTW, I need sql authentication, but I have already renamed and disabled the sa account so there is no danger of being hacked, I just don't like my sql logs filling up with attempted logins.

[ICTCity]

Hi, there's a "simple" way to monitor ipsec:

 

(from microsoft's KB):

In Group Policy, expand Local Computer Policy.

Locate and then click Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy.

In the details pane, right-click Audit logon events, and then click Security.

Click to select Success, click to select Failure, and then click OK.

In the details pane, right-click Audit object access, and then click Security.

Click to select Success, click to select Failure, and then click OK.

 

You can also install network monitor to see what is happening on your network.

 

Regarding the bruteforce attemp, I suggest you to block every account after 3-5 attempts for 15-30 mins, this will not block brute force but MAYBE the attacker will be disappointed and he will find an easier target :)