views: 277
answers: 4

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

How can I stop this from happening?

For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

Does anyone have any other ideas?

If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.

A: 

Limit the number of unsuccessful requests a single host can make.

Citizen
Hum... at which level would you introduce this rule? Is this a feature of MySQL?
mjv
Yeah, where do you do this within MySQL?
Keith Palmer
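On the "where do you do this?" question: in the MySQL 5.x line the asker is on, the server's own `max_connect_errors` counter only blocks hosts whose connection handshakes are interrupted; a wrong password is a completed handshake and does not count, so the limit has to be enforced outside mysqld. The script below is an added example (not code from the thread or from any answerer) that does it on FreeBSD with pf, denyhosts-style: it prints the pf.conf fragment it relies on (a table of blocked addresses plus a `max-src-conn-rate` rule that also catches hosts opening connections too fast), then reads mysqld's error log for `Access denied for user` lines and feeds repeat offenders into that table. Everything it assumes is hypothetical: mysqld running with `log_warnings=2` (so failed logins reach the error log) and `skip-name-resolve` (so the host part is an IP address), the table name `mysql_bruteforce`, the threshold of 5 and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: a denyhosts-style blocker
# for mysqld on FreeBSD, built on pf and on mysqld's own error log.
# Assumptions (all hypothetical choices for this example):
#   - mysqld runs with log_warnings=2, so each failed login is written to the
#     error log as:  [Warning] Access denied for user 'u'@'1.2.3.4' (using password: YES)
#   - mysqld runs with skip-name-resolve, so the host part is an IP address
#   - pf.conf contains the table and rules printed by pf_rules below

THRESHOLD="${THRESHOLD:-5}"                 # failed logins before a host is blocked
PF_TABLE="${PF_TABLE:-mysql_bruteforce}"    # pf table the rules below block on

# pf.conf fragment this script relies on. The max-src-conn-rate/overload clause
# blocks a host that opens more than 5 connections in 30 seconds even before it
# guesses any password; block_offenders adds password guessers to the same table.
pf_rules() {
    cat <<'EOF'
table <mysql_bruteforce> persist
block in quick on $ext_if proto tcp from <mysql_bruteforce> to any port 3306
pass in on $ext_if proto tcp to any port 3306 flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <mysql_bruteforce> flush global)
EOF
}

# Read mysqld error-log lines on stdin; print "count address" for every source
# address whose failed logins reached THRESHOLD, most frequent first.
# The sed keeps only the host part between @' and '; localhost failures are
# dropped because they are not remote brute force.
offenders() {
    grep 'Access denied for user' |
    sed -n "s/.*@'\([^']*\)'.*/\1/p" |
    grep -v '^localhost$' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 + 0 >= t + 0 { print $1, $2 }' |
    sort -rn
}

# Add every offender to the pf table; a table change takes effect at once,
# no ruleset reload needed.
block_offenders() {
    offenders | while read -r count addr; do
        pfctl -t "$PF_TABLE" -T add "$addr"
    done
}

# Constructed sample log (not real data) for a stand-alone demonstration.
SAMPLE_LOG="090512 10:01:02 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
090512 10:01:03 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
090512 10:01:03 [Warning] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
090512 10:01:04 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
090512 10:01:04 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
090512 10:01:05 [Warning] Access denied for user 'test'@'198.51.100.7' (using password: YES)
090512 10:02:10 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
090512 10:02:11 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: NO)
090512 10:03:00 [Warning] Access denied for user 'web'@'localhost' (using password: YES)
090512 10:03:30 [Note] Aborted connection 42 to db: 'unconnected' user: 'unauthenticated' host: '203.0.113.5'"

# Runs the parser over the constructed sample; real use is below.
demo_offenders() { printf '%s\n' "$SAMPLE_LOG" | offenders; }

# Real use, e.g. from cron every minute, with the live error log as argument
# (path is hypothetical):  THRESHOLD=5 sh mysql_denyhosts.sh /var/db/mysql/host.err
if [ $# -gt 0 ]; then
    block_offenders < "$1"
fi
```

Two caveats a practitioner will hit: the log parser only sees addresses if name resolution is off (with resolution on, the host part is a hostname and a `pfctl -T add` of a name would resolve it at add time, not what you want), and the `flush global` in the overload rule also kills any state the offending address already has, which is the intent for a guessing bot but would cut off a legitimate client that happens to reconnect in a burst. Read the threshold against the 5/30 rate before choosing it.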
+3  A: 

Firewall the mysql port out. But this belongs to the serverfault realm, I believe.

Michael Krelin - hacker
A: 

I believe changing the port number from the default one (3306) to some other one doesn't improve the security but helps in most cases (at least a bit). Have you tried that in practice or only considered it?

Grzegorz Oledzki
Only considered, as noted in post. I'm hoping for a better solution to this.
Keith Palmer
+1  A: 

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

The stupid bots are the ones that are constantly bashing themselves against your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.

If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.

bobince
A local SSH tunnel sounds like a good idea, plus you can use denyhosts on the tunnel I suppose.
Pascal
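The tunnel setup bobince describes, written out as an added example (not code from the thread or from any answerer): mysqld is bound to loopback only, so port 3306 is never reachable from outside and the only exposed service is sshd, which denyhosts already guards; each client reaches the database through an SSH local forward. It also includes the check a practitioner wants afterwards, a filter over `sockstat -4 -l` output that reports any mysqld listener not bound to 127.0.0.1. The host name `db.example.org`, the user `dbuser`, the client-side port 3307 and the sample sockstat lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: keep mysqld off the public
# interface and reach it through an SSH tunnel, as bobince's answer suggests.
# Assumptions (hypothetical): the database host is db.example.org, the SSH
# account is dbuser, the client uses local port 3307, and the sockstat lines are
# in FreeBSD's "USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS" layout.

# my.cnf fragment that restricts mysqld to the loopback interface. The Unix
# socket keeps working for local clients; only TCP is affected.
my_cnf_fragment() {
    cat <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF
}

# Given `sockstat -4 -l` output on stdin, print the local address of every
# mysqld TCP listener that is not on 127.0.0.1. Prints nothing when mysqld only
# listens on loopback, which is the state we want after the my.cnf change.
exposed_mysql_listeners() {
    awk '$2 == "mysqld" && $5 == "tcp4" && $6 !~ /^127\.0\.0\.1:/ { print $6 }'
}

# The client-side tunnel: connections to 127.0.0.1:3307 on the client machine
# are carried over SSH and delivered to 127.0.0.1:3306 on the database host.
# -N: no remote command, the session exists only to carry the forward.
tunnel_command() {
    echo "ssh -N -L 3307:127.0.0.1:3306 dbuser@db.example.org"
}

# How the MySQL client then connects. -h 127.0.0.1 is deliberate: with
# -h localhost the client would try the local Unix socket, not the tunnel.
client_command() {
    echo "mysql -h 127.0.0.1 -P 3307 -u app -p"
}

# Constructed sockstat output (not real data): one exposed and one good case.
SAMPLE_SOCKSTAT_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   *:3306                *:*
root     sshd       567   4  tcp4   *:22                  *:*'
SAMPLE_SOCKSTAT_GOOD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
root     sshd       567   4  tcp4   *:22                  *:*'

check_bad()  { printf '%s\n' "$SAMPLE_SOCKSTAT_BAD"  | exposed_mysql_listeners; }
check_good() { printf '%s\n' "$SAMPLE_SOCKSTAT_GOOD" | exposed_mysql_listeners; }

# On the database host, after restarting mysqld with the new my.cnf:
#   sockstat -4 -l | sh this_script.sh   (prints nothing when nothing is exposed)
if [ ! -t 0 ] && [ $# -eq 0 ] && [ "${DEMO:-}" = "" ] && [ -n "${RUN_CHECK:-}" ]; then
    exposed_mysql_listeners
fi
```

The check matters because `bind-address` is easy to get wrong: a typo or a second `[mysqld]` section later in the file silently leaves mysqld on `*:3306`, and the only symptom is the same brute-force noise as before. With the tunnel in place, a compromised client machine can still reach the database, but only as that client's SSH identity, so revoking one key cuts one client off rather than forcing a port or password change for everyone.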