From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 00:45:17 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5CA4116A418 for ; Tue, 22 Jan 2008 00:45:17 +0000 (UTC) (envelope-from mouss@netoyen.net) Received: from balou.adapsec.com (balou.adapsec.com [91.121.103.130]) by mx1.freebsd.org (Postfix) with ESMTP id 1C3BB13C467 for ; Tue, 22 Jan 2008 00:45:16 +0000 (UTC) (envelope-from mouss@netoyen.net) X-Virus-Scanned: amavisd-new at netoyen.net Received: from [192.168.1.65] (ouzoud.netoyen.net [82.239.111.75]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: mouss@netoyen.net) by balou.adapsec.com (Postfix) with ESMTPSA id 732884BFC486 for ; Tue, 22 Jan 2008 01:28:32 +0100 (CET) Message-ID: <47953894.8020906@netoyen.net> Date: Tue, 22 Jan 2008 01:28:04 +0100 From: mouss User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <47946AD3.2020601@opengea.org> In-Reply-To: <47946AD3.2020601@opengea.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: denyhosts-like app for MySQLd? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jan 2008 00:45:17 -0000 Jordi Espasa Clofent wrote: > Hi all, > > żIs there any app like denyhosts[1] but intended for MySQLd service? > > We have a mysql ports (3306) opened for remote connections, and > obviously the /var/db/mysql/machine_name.log is full of these kind of > entries: > > ........... > 936012 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > 936013 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > 936014 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > 936016 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > 936018 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > 936019 Connect Access denied for user 'user'@'85.19.95.10' (using > password: YES) > ............. > > The idea is blocking the abusive IPs in automated way. why do you open your mysql port to the world? if you want to let users in from any place, then an ssh tunnel is safer (yes, works even on windows, using putty or whatever. and a user who finds this difficult shouldn't be able to run sql commands!). If this is too much, at least use a different port to reduce the noise (This won't add security, but will somehow limit exposure).