From: Tim Priebe
To: freebsd-security@freebsd.org
Cc: Jordi Espasa Clofent
Date: Mon, 21 Jan 2008 12:26:51 +0200
Subject: Re: denyhosts-like app for MySQLd?

Hi,

There is a functionality in pf, that allows you to have an application to
update a list of hosts, that is used in a rule. You could have a script
harvest the addresses from your log files, and then update the table in pf. I
have not tried it myself, but was looking at adopting an implementation to
create a tarpit for spammers based on this idea.

On Monday 21 January 2008 11:50:11 am Jordi Espasa Clofent wrote:
> Hi all,
>
> ¿Is there any app like denyhosts[1] but intended for MySQLd service?
>
> We have a mysql port (3306) opened for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kinds of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
> .............
>
> The idea is blocking the abusive IPs in an automated way.
>
> [1] http://denyhosts.sourceforge.net/
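
The approach suggested in the reply (harvest addresses from the log, then update a pf table), as an added example that is not part of the original thread or written by either poster. The table name, threshold, pf.conf lines and sample log are assumptions; the log line format is the one quoted above.

```sh
#!/bin/sh
# Added example, not from the thread. TABLE and THRESHOLD are assumed values.
# Assumed matching pf.conf lines:
#   table <mysql_abusers> persist
#   block in quick proto tcp from <mysql_abusers> to any port 3306
TABLE="mysql_abusers"
THRESHOLD=5

# offenders [threshold]: read log lines on stdin and print every IPv4 source
# with at least that many "Access denied" entries, one per line.
offenders() {
    awk -v t="${1:-$THRESHOLD}" -v q="'" '
    BEGIN {
        # The user name is client-supplied text, so anchor on the end of the
        # line instead of splitting on quotes, and accept only a dotted quad
        # (a resolved host name is skipped, never handed to pfctl).
        re = q "@" q "[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" q
        re = re " [(]using password: (YES|NO)[)]$"
    }
    /Access denied for user/ && match($0, re) {
        rest = substr($0, RSTART + 3)
        n[substr(rest, 1, index(rest, q) - 1)]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip }' | LC_ALL=C sort
}

# block_offenders LOGFILE: add the offenders to the pf table (needs root).
block_offenders() {
    offenders < "$1" | while read -r ip; do
        pfctl -q -t "$TABLE" -T add "$ip"
    done
}

# Constructed sample log; only 85.19.95.10 comes from the thread.
sample_log() {
    for i in 0 1 2 3 4 5; do
        echo "93601$i Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)"
    done
    cat <<'EOF'
936020 Connect Access denied for user 'root'@'192.0.2.7' (using password: NO)
936021 Connect Access denied for user 'a'@'198.51.100.9'@'203.0.113.5' (using password: YES)
936022 Connect Access denied for user 'user'@'host.example.net' (using password: YES)
936023 Query select 1
EOF
}

if [ "${1:-}" = "--apply" ]; then
    block_offenders "${2:?usage: $0 --apply LOGFILE}"
fi
```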