A new client of ours has a legacy web app on Windows Server 2008 R2, and when we started going through the event logs there were multiple IPs in China trying to hit both their `sa` SQL account and trying to RDP into the box (every 2 or 3 seconds, for days on end).
So, for some quick clarification:

1) The web app doesn't use the `sa` account, and the `sa` password is secure (and not trivial).
2) The SQL Server is on the same box as the web app (for the immediate future).
3) We've blacklisted all the offending IP addresses so far, but there's no way these guys will stop, and in fact it usually only takes them a few hours to get a new IP.
As I am a dev, and we usually use Azure to avoid some of these infrastructure issues, some of this is a little new to me, and I firstly wanted to see if there is some blatant best practice that we're missing.
Secondly, and to the heart of the title, is there a way to automate the IPsec rules? Since the only reason there would be a reference to an invalid login attempt on the `sa` account would be a hacking attempt, could I set something up to say: "if you see a message come through the event log saying there has been an invalid login attempt for user `sa`, then it's a hack attempt; add the offending IP address to the blacklist"?
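One way to automate the "failed login, so block the IP" idea described in the question, as an added example that is not part of the original post. It runs on Windows Server 2008 R2 with the built-in PowerShell 2.0 and `netsh` (the `NetSecurity` cmdlets only arrived in Server 2012), and it uses a Windows Firewall block rule rather than an IPsec policy, since a plain inbound block is all that is needed here. The script reads two sources: SQL Server's "Login failed" event (ID 18456 in the Application log, whose message ends in `[CLIENT: x.x.x.x]`) and the Windows logon-failure audit event (ID 4625 in the Security log, whose message carries `Source Network Address:`), which covers the RDP guessing too. The event IDs and message formats are standard, but the threshold, rule name, state-file path, allow-list prefixes and the assumption of a default instance (provider name `MSSQLSERVER`) are this example's choices, not anything from the post.

```powershell
# Block-BruteForce.ps1 -- added example, not from the original question.
# Assumptions: default SQL instance (provider 'MSSQLSERVER'), SQL login auditing
# set to log failed logins (the default), logon failure auditing enabled for 4625,
# script run elevated. Threshold, window, rule name and allow list are illustrative.
param(
    [int]$Threshold     = 5,                 # failures from one IP before it is blocked
    [int]$WindowMinutes = 60,                # look-back window for counting failures
    [string]$RuleName   = 'BruteForce-Block',
    [string[]]$AllowList = @('127.0.0.1', '10.', '192.168.', '172.16.')  # prefixes never blocked
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)
$hits  = @{}     # ip -> failure count in the window
$ipRe  = '(\d{1,3}(?:\.\d{1,3}){3})'

# 1) SQL Server failed logins: "Login failed for user 'sa'. ... [CLIENT: 1.2.3.4]"
$sqlEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSSQLSERVER'; Id = 18456; StartTime = $since }
foreach ($e in $sqlEvents) {
    if ($e.Message -match "\[CLIENT:\s*$ipRe\]") {
        $hits[$matches[1]] = 1 + [int]$hits[$matches[1]]
    }
}

# 2) Windows/RDP logon failures: Security 4625, "Source Network Address: 1.2.3.4"
# (with NLA the address can be "-", in which case the regex simply does not match)
$secEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since }
foreach ($e in $secEvents) {
    if ($e.Message -match "Source Network Address:\s*$ipRe") {
        $hits[$matches[1]] = 1 + [int]$hits[$matches[1]]
    }
}

# Persist the block list so the firewall rule can be rebuilt with the full set.
$stateFile = Join-Path $env:ProgramData 'bruteforce-blocked.txt'
$blocked = @()
if (Test-Path $stateFile) { $blocked = @(Get-Content $stateFile | Where-Object { $_ }) }

$new = @()
foreach ($ip in $hits.Keys) {
    if ($hits[$ip] -lt $Threshold)  { continue }   # below threshold: a typo, not an attack
    if ($blocked -contains $ip)     { continue }   # already blocked
    if ($AllowList | Where-Object { $ip.StartsWith($_) }) { continue }  # never block ourselves
    $new += $ip
}
if ($new.Count -eq 0) { exit 0 }

$blocked += $new
Set-Content -Path $stateFile -Value $blocked
$remoteIp = ($blocked | ForEach-Object { "$_/32" }) -join ','

# Create the inbound block rule once, then update its remote-IP list on later runs.
$exists = netsh advfirewall firewall show rule name="$RuleName" | Select-String -Quiet 'Rule Name'
if ($exists) {
    netsh advfirewall firewall set rule name="$RuleName" new remoteip="$remoteIp"
} else {
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block remoteip="$remoteIp"
}
Write-Output "Blocked: $($new -join ', ')"

# Trigger it from Task Scheduler on every SQL login failure (also works with /EC Security and
# EventID=4625), instead of polling:
#   schtasks /Create /TN "Block-BruteForce" /RU SYSTEM /SC ONEVENT /EC Application ^
#     /MO "*[System[Provider[@Name='MSSQLSERVER'] and EventID=18456]]" ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Block-BruteForce.ps1"
```

Two practical notes. Keep the allow list honest: put your own office and Azure egress ranges in it before enabling the task, because a rule that blocks an address after five failures will happily lock out an administrator who fat-fingers a password over RDP. And treat this as a stopgap rather than the fix: the `sa` login and the RDP port should not be reachable from the Internet at all (disable `sa`, bind SQL Server to localhost since the app is on the same box, and reach RDP only through a VPN or an IP-restricted firewall rule), after which the script is just a noise reducer for the event log.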