Date: Wed, 23 Jan 2008 22:34:10 +0100 From: Jordi Espasa Clofent <jordi.espasa@opengea.org> To: freebsd-security@freebsd.org Subject: Re: denyhosts-like app for MySQLd? Message-ID: <4797B2D2.3030602@opengea.org> In-Reply-To: <47969F79.30500@netoyen.net> References: <47946AD3.2020601@opengea.org> <47953894.8020906@netoyen.net> <479606E4.2070607@opengea.org> <47969F79.30500@netoyen.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> I know it's not easy. but depending on your customers, you may have some > chances! > - if they can buy a license for sqlyog, it will support sql tunnels > directly (otherwise, you need an external tunnel, which you can setup > with putty or whatever). This option is, simply, impossible. We cannot "force" the final customers to adquire any kind of product. > - it should not be hard to use an ssl tunnel (stunnel or whatever) Mmmmm.... it means easier than ssh-tunneling (from customers pint of view). I have to investigate this method carefully. > - you might be able to ask what IPs are supposed to get there. even if > it's not precise, this could reduce risks by only allowing few networks. Yes. We already have done it, but the related problem is a lot of customers don't have static IPs. > This is generally consider "security by obscurity". I don't think so. > This is making it harder for an attacker to get there without being > noticed. while a script kiddie can run his script to try a stand port, > if he wants to get inside a "local" port, he'll need to try many ports > and for each port try the right protocol. This gives us time to get him. ;) -- Thanks, Jordi Espasa Clofent
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4797B2D2.3030602>