tags:

views:

277

answers:

4
Q: 

Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

How can I stop this from happening?

For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

Does anyone have any other ideas?

If it makes a different, I'm running MySQL 5.x on FreeBSD 6.x.

A: 

Limit the number of unsuccessful requests a single host can make.

Citizen  2009-09-22 19:24:13
Hum... at which level would you introduce this rule? Is this a feature of MySQL ?
mjv  2009-09-22 19:31:10
Yeah, where do you do this within MySQL?
Keith Palmer  2009-09-22 19:48:07
+3  A: 

Firewall mysql port out. But this belongs to the serverfault realm, I believe.

Michael Krelin - hacker  2009-09-22 19:26:05
A: 

I believe changing the port number from the default one (3306) to some other doesn't improve the security but helps in most cases (at least a bit). Have you tried that in practice or only considered?

Grzegorz Oledzki  2009-09-22 19:26:34
Only considered, as noted in post. I'm hoping for a better solution to this.
Keith Palmer  2009-09-22 19:52:15
+1  A: 

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

The stupid bots are the ones that are constantly bashing themselves aginst your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.

If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.

bobince  2009-09-22 19:58:10
A local SSH tunnel sounds like a good idea, plus you can use denyhosts on the tunnel I suppose.
Pascal  2009-11-04 12:49:01

related questions

PHP: Anti-Flood/Spam system
Creating every possible value of a fixed size array
How to obtain all the subgraphs from a graph?
Prolog - PCP solver
Securing private keys against brute force attacks on mobile devices
Need help with brute force code for crypt(3)
Brute-force/DoS prevention in PHP
Moving to specific record within a DataTable
Is the password weak under dictionary attack
Calculate brute force size dynamically?
Is there non-linear difference between strong (i.e. AES) and non-strong (i.e. classic zip) encryption
Fastest way to bruteforce a string using a DOS wildcard
Could validationKey and decryptionKey be found by brute force from encrypted cookie value?
Does Apache basic authentication defend brute force attacks?
Finding a legacy firebird/Interbase database password
Limiting user login attempts in PHP
How would I go about implementing this algorithm?
What is the best Distributed Brute Force countermeasure?
Best practice against password-list-attacks with webapplications
Preventing Brute Force Logins on Websites
Is a preference for brute force solutions a bad sign?
Brute force , Need help
The necessity of hiding the salt for a hash
What are some practical problems that parallel computing, f#, and GPU-parallel processing might solve.