AddressingHackers.sql
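-- Purpose: disable server logins that show repeated failed login attempts in
-- the current SQL Server error log within a recent time window.
--
-- NOTE(review): the user name inside a "Login failed for user '...'" message is
-- supplied by the unauthenticated client, so every value read from the log is
-- untrusted input. It is resolved against sys.server_principals and quoted with
-- QUOTENAME before it reaches the dynamic ALTER LOGIN statement.
-- NOTE(review): disabling on failure count means anyone who can reach the
-- instance can lock out a named login by failing on purpose. Exclude break-glass
-- and service accounts before scheduling this, or alert instead of disabling.

-- A local temp table (#) is used instead of a global one (##): a global temp
-- table can be read and written by other sessions, and its rows feed the
-- dynamic SQL below. Drop any leftover from an earlier failed run.
IF OBJECT_ID('tempdb..#Hack') IS NOT NULL
    DROP TABLE #Hack

CREATE TABLE #Hack(
    LogDate DATETIME,
    ProcessInfo NVARCHAR(50),
    Text NVARCHAR(MAX)          -- wide enough that a long log line cannot fail the insert
)

-- Arguments: log file 0 (current), log type 1 (SQL Server error log), search string.
INSERT INTO #Hack (LogDate, ProcessInfo, Text)
EXEC sp_readerrorlog 0, 1, 'Login failed'

DECLARE @CountAttempts TABLE(
    UserName NVARCHAR(128) NULL
)

-- Extract the text between the first pair of single quotes. The CASE guards
-- SUBSTRING against a missing closing quote (which would give a negative
-- length) and against names longer than a login name can be.
INSERT INTO @CountAttempts (UserName)
SELECT
    CASE
        WHEN q.SecondQuote > q.FirstQuote
             AND q.SecondQuote - q.FirstQuote - 1 <= 128
        THEN SUBSTRING(h.Text, q.FirstQuote + 1, q.SecondQuote - q.FirstQuote - 1)
    END
FROM #Hack AS h
CROSS APPLY (
    SELECT
        CHARINDEX('''', h.Text) AS FirstQuote,
        CHARINDEX('''', h.Text, CHARINDEX('''', h.Text) + 1) AS SecondQuote
) AS q
WHERE h.Text LIKE 'Login failed for user%'
    -- Adjust timeframe as needed
    AND h.LogDate >= DATEADD(HH, -2, GETDATE())
    AND h.LogDate <= GETDATE()

DECLARE @user TABLE(
    ID INT IDENTITY(1,1),
    UserName SYSNAME
)

-- Keep only names that resolve to an existing, enabled SQL or Windows login.
-- Attempts against logins that do not exist are dropped here instead of
-- producing a failing ALTER LOGIN. Counting happens after resolution so that
-- different spellings of the same login are counted together.
INSERT INTO @user (UserName)
SELECT sp.name
FROM @CountAttempts AS a
INNER JOIN sys.server_principals AS sp
    ON sp.principal_id = SUSER_ID(a.UserName)
WHERE sp.type IN ('S', 'U')
    AND sp.is_disabled = 0
GROUP BY sp.name
-- Adjust count to environment
HAVING COUNT(*) > 10

DECLARE @begin INT = 1, @max INT, @usr SYSNAME, @sql NVARCHAR(MAX)
SELECT @max = MAX(ID) FROM @user   -- NULL when nothing qualified, so the loop is skipped

WHILE @begin <= @max
BEGIN
    SELECT @usr = UserName FROM @user WHERE ID = @begin

    -- A login name is an identifier and cannot be bound as a parameter, so it
    -- is delimited with QUOTENAME instead of being concatenated raw.
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@usr) + N' DISABLE'

    BEGIN TRY
        EXECUTE(@sql)
        PRINT N'Disabled login ' + QUOTENAME(@usr)
    END TRY
    BEGIN CATCH
        -- Report and continue so one failure does not leave the rest untouched.
        PRINT N'Could not disable login ' + QUOTENAME(@usr) + N': ' + ERROR_MESSAGE()
    END CATCH

    SET @begin = @begin + 1
END

DROP TABLE #Hack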