SQL Brute Force Filter

Hello everyone,
Can someone propose a better option for an SQL brute force filter? I borrowed some code and created a batch of rules to filter the intruders (mainly Chinese guys) but don’t know if there is a better way of doing this:

chain=input action=drop src-address-list=SQL_BruteForce log=no log-prefix=""
chain=forward action=drop src-address-list=SQL_BruteForce log=no log-prefix=""

;;; SQL Brute Force IP to List
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=SQL_stage5 address-list=SQL_BruteForce address-list-timeout=0s dst-port=1433 log=yes log-prefix="SQL_BF_Add:"
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=SQL_stage4 address-list=SQL_stage5 address-list-timeout=1s dst-port=1433 log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=SQL_stage3 address-list=SQL_stage4 address-list-timeout=1s dst-port=1433 log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=SQL_stage2 address-list=SQL_stage3 address-list-timeout=1s dst-port=1433 log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=SQL_stage1 address-list=SQL_stage2 address-list-timeout=2s dst-port=1433 log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new protocol=tcp src-address=!192.168.0.0/16 src-address-list=!SQL_Allowed address-list=SQL_stage1 address-list-timeout=2s dst-port=1433 log=no log-prefix=""

Assume LAN addresses are from 192.168.0.0/16 and a list of allowed IPs can be created named SQL_Allowed.
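A small Python model of the staged address-list rules in the post above, added here as an illustration and not part of the original post. It shows how many closely spaced new connections reach SQL_BruteForce and why the rules are listed from stage 5 down to stage 1. It assumes each add-src-to-address-list rule passes the packet on to the next rule, that re-adding an address refreshes its timeout, and that address-list-timeout=0s means no expiry; `RULES` and `simulate` are names chosen for this example.

```python
# Model of the post's forward-chain rules, in the order they are listed.
# (list the source must already be in, list to add it to, timeout in seconds)
RULES = [
    ("SQL_stage5", "SQL_BruteForce", None),  # 0s in the post: assumed "no expiry"
    ("SQL_stage4", "SQL_stage5", 1),
    ("SQL_stage3", "SQL_stage4", 1),
    ("SQL_stage2", "SQL_stage3", 1),
    ("SQL_stage1", "SQL_stage2", 2),
    (None, "SQL_stage1", 2),                 # any non-LAN, non-allowed source
]

def simulate(times, rules=RULES):
    """Run new-connection timestamps (seconds, one remote source, port 1433)
    through the rules. Returns the 1-based index of the connection that puts
    the source in SQL_BruteForce, or None if that never happens."""
    expiry = {}  # list name -> time at which the entry expires

    def member(name, now):
        return name in expiry and expiry[name] > now

    for index, now in enumerate(times, start=1):
        for required, target, timeout in rules:
            # The action is pass-through: every rule sees the packet, but
            # membership is checked at the moment the rule is evaluated.
            if required is None or member(required, now):
                expiry[target] = float("inf") if timeout is None else now + timeout
        if member("SQL_BruteForce", now):
            return index  # later packets hit the drop rules
    return None

if __name__ == "__main__":
    # Constructed sample timings, not taken from a real log.
    burst = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5]   # six connections in 2.5 s
    slow = [0, 3, 6, 9, 12, 15, 18]          # one connection every 3 s
    print("burst listed on connection:", simulate(burst))
    print("slow client listed on connection:", simulate(slow))
    # Same rules in reverse order: stage1 is added first, so every later
    # rule matches on the same packet and the first connection is listed.
    print("reversed order listed on connection:", simulate([0.0], RULES[::-1]))
```

Because each rule checks the list that the rule below it fills, a single connection can advance a source by only one stage, so it takes six new connections in quick succession to be listed.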

My advice is don’t leave SQL open to the Internet; even if you change the port it’ll still be found and brute force login attempts will continue.

If you need remote access to the SQL server, use a VPN.