From owner-freebsd-security@FreeBSD.ORG Wed Jan 23 21:34:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 014BF16A417 for ; Wed, 23 Jan 2008 21:34:08 +0000 (UTC) (envelope-from jordi.espasa@opengea.org) Received: from mail.opengea.org (mail.opengea.org [85.48.253.234]) by mx1.freebsd.org (Postfix) with ESMTP id A69D013C4DD for ; Wed, 23 Jan 2008 21:34:07 +0000 (UTC) (envelope-from jordi.espasa@opengea.org) Received: from localhost (tartarus [127.0.0.1]) by mail.opengea.org (Opengea.org Project MailServer) with ESMTP id E6940D50044 for ; Wed, 23 Jan 2008 22:32:06 +0100 (CET) X-Virus-Scanned: amavisd-new at opengea.org Received: from mail.opengea.org ([127.0.0.1]) by localhost (opengea.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id UBeUwEqF0nAB for ; Wed, 23 Jan 2008 22:32:06 +0100 (CET) Received: from [192.168.1.33] (46.Red-83-33-37.dynamicIP.rima-tde.net [83.33.37.46]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jordi.espasa@opengea.org) by mail.opengea.org (Opengea.org Project MailServer) with ESMTP id 67C34D50035 for ; Wed, 23 Jan 2008 22:32:06 +0100 (CET) Message-ID: <4797B2D2.3030602@opengea.org> Date: Wed, 23 Jan 2008 22:34:10 +0100 From: Jordi Espasa Clofent User-Agent: Thunderbird 2.0.0.6 (X11/20071022) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <47946AD3.2020601@opengea.org> <47953894.8020906@netoyen.net> <479606E4.2070607@opengea.org> <47969F79.30500@netoyen.net> In-Reply-To: <47969F79.30500@netoyen.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: denyhosts-like app for MySQLd? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jan 2008 21:34:08 -0000 > I know it's not easy. but depending on your customers, you may have some > chances! > - if they can buy a license for sqlyog, it will support sql tunnels > directly (otherwise, you need an external tunnel, which you can setup > with putty or whatever). This option is, simply, impossible. We cannot "force" the final customers to adquire any kind of product. > - it should not be hard to use an ssl tunnel (stunnel or whatever) Mmmmm.... it means easier than ssh-tunneling (from customers pint of view). I have to investigate this method carefully. > - you might be able to ask what IPs are supposed to get there. even if > it's not precise, this could reduce risks by only allowing few networks. Yes. We already have done it, but the related problem is a lot of customers don't have static IPs. > This is generally consider "security by obscurity". I don't think so. > This is making it harder for an attacker to get there without being > noticed. while a script kiddie can run his script to try a stand port, > if he wants to get inside a "local" port, he'll need to try many ports > and for each port try the right protocol. This gives us time to get him. ;) -- Thanks, Jordi Espasa Clofent