Date:      Tue, 22 Jan 2008 01:28:04 +0100
From:      mouss <mouss@netoyen.net>
To:        freebsd-security@freebsd.org
Subject:   Re: denyhosts-like app for MySQLd?
Message-ID:  <47953894.8020906@netoyen.net>
In-Reply-To: <47946AD3.2020601@opengea.org>
References:  <47946AD3.2020601@opengea.org>

Jordi Espasa Clofent wrote:
> Hi all,
>
> ¿Is there any app like denyhosts[1] but intended for the MySQLd service?
>
> We have a mysql port (3306) opened for remote connections, and 
> obviously the /var/db/mysql/machine_name.log is full of these kinds of 
> entries:
>
> ...........
> 936012 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> 936013 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> 936014 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> 936016 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> 936018 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> 936019 Connect     Access denied for user 'user'@'85.19.95.10' (using 
> password: YES)
> .............
>
> The idea is blocking the abusive IPs in an automated way.

Why do you open your mysql port to the world?

If you want to let users in from any place, then an ssh tunnel is safer 
(yes, works even on windows, using putty or whatever. And a user who 
finds this difficult shouldn't be able to run sql commands!).


If this is too much, at least use a different port to reduce the noise 
(This won't add security, but will somehow limit exposure).
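
The detection half of what the original question asks for, as an added example that is not part of this message or of denyhosts: it counts "Access denied" entries per client IP in the log format quoted above and lists the addresses over a threshold. The function names, the threshold, the allowlist and every sample line other than those for 85.19.95.10 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the "Access denied" entries of the MySQL log as quoted in the question.
DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def failed_logins(lines):
    """Count 'Access denied' entries per client IP address."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # successful connects and queries are ignored
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # host logged as a name (e.g. 'localhost'): no IP to block
        counts[str(ip)] += 1
    return counts

def offenders(lines, threshold=5, allow=()):
    """Return (ip, failures) with failures >= threshold, skipping allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allow]
    result = []
    for ip, n in failed_logins(lines).items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            result.append((ip, n))
    return sorted(result, key=lambda item: (-item[1], item[0]))

# Constructed sample input: the first six lines follow the entries quoted above,
# the rest use documentation addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = (
    ["%d Connect     Access denied for user 'user'@'85.19.95.10' (using password: YES)" % i
     for i in range(936012, 936018)]
    + ["936020 Connect     Access denied for user 'app'@'192.0.2.7' (using password: YES)"] * 5
    + ["936030 Connect     Access denied for user 'root'@'localhost' (using password: NO)",
       "936031 Connect     app@198.51.100.4 on shop",
       "936032 Connect     Access denied for user 'bob'@'198.51.100.4' (using password: YES)"]
)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG, threshold=5, allow=["192.0.2.0/24"]):
        print(f"{ip}\t{n}")
```

The resulting list is what would be fed to a firewall table; the allowlist keeps a misconfigured application host on a known network from being blocked along with the scanners.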


