From owner-freebsd-security@FreeBSD.ORG Tue Jan 22 03:33:44 2008
Date: Mon, 21 Jan 2008 21:57:22 +0100
From: Jeremie Le Hen
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Subject: Re: [fbsd] denyhosts-like app for MySQLd?
Message-ID: <20080121205722.GA62295@obiwan.tataz.chchile.org>
References: <47946AD3.2020601@opengea.org>
In-Reply-To: <47946AD3.2020601@opengea.org>

Hi,

On Mon, Jan 21, 2008 at 10:50:11AM +0100, Jordi Espasa Clofent wrote:
> We have a mysql ports (3306) opened for remote connections, and obviously
> the /var/db/mysql/machine_name.log is full of these kind of entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> .............
>
> The idea is blocking the abusive IPs in automated way.
>
> [1] http://denyhosts.sourceforge.net/

You may have a look at Fail2Ban:
http://www.fail2ban.org/wiki/index.php/Features

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
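
Added example, not part of the original message and not Fail2Ban's own code: a sketch of the log-scanning step such a tool performs on the "Access denied" entries quoted above, counting failures per source address and listing the addresses that reach a threshold. The function names, the max_retry value, the allow list and the last two sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line: the user name is client-supplied text, so only the
# final '@'host clause, written by the server, is trusted as the source.
DENIED = re.compile(
    r"Connect\s+Access denied for user '(?P<user>.*)'@'(?P<host>[^']+)' "
    r"\(using password: (?:YES|NO)\)\s*$"
)

def failed_sources(lines):
    """Count denied connection attempts per source IP address."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # host name or junk: never pass it to a firewall rule
        counts[str(ip)] += 1
    return counts

def candidates(lines, max_retry=5, allow=()):
    """Sorted IPs with at least max_retry failures, minus allow-listed networks."""
    nets = [ipaddress.ip_network(n) for n in allow]
    hits = []
    for ip, n in failed_sources(lines).items():
        addr = ipaddress.ip_address(ip)
        if n >= max_retry and not any(addr in net for net in nets):
            hits.append(ip)
    return sorted(hits)

# First six lines: the entries quoted in the message, unwrapped.
# Last two lines: constructed (a crafted user name, a successful connect).
SAMPLE = [
    f"{i} Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)"
    for i in (936012, 936013, 936014, 936016, 936018, 936019)
] + [
    "936020 Connect Access denied for user 'x'@'192.0.2.7' (using password: YES)"
    "'@'198.51.100.9' (using password: YES)",
    "936021 Connect root@localhost on mysql",
]

if __name__ == "__main__":
    print(candidates(SAMPLE))
```

The allow list keeps your own application servers and management networks from being blocked after a burst of mistyped passwords.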