Mysql – Preventing brute-force attacks on MySQL

Tags: brute-force-attacks, MySQL

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

How can I stop this from happening?

For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?).

Does anyone have any other ideas?

If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.

Best Answer

I don't know of any denyhosts-like software packages for MySQL, but I do have a couple of solutions:

  • Limit login to specific IP addresses. Do not use % to allow for all hosts to connect to the server.
  • Even more secure, set up iptables to only allow access to 3306 from authorized IP addresses.
  • Tunnel your traffic to the box with ssh, then connect via localhost.
  • Modify the Denyhosts or BFD scripts to analyze MySQL access logs and block any brute-force attempts at the firewall.

Edit:

To answer your comment, try this:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Where .20 is your MySQL and .50 is the remote connecting IP address.
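As an added example (not part of the question or the answer above), here is a small Python script in the spirit of the fourth bullet: it tallies "Access denied" warnings from a MySQL 5.x error log per source host and emits pfctl commands that add repeat offenders to a pf table, pf being chosen because the asker is on FreeBSD. The table name, the threshold and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of MySQL 5.x error-log lines (log_warnings=2 style).
# The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
110203 12:00:01 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
110203 12:00:02 [Warning] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
110203 12:00:02 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: NO)
110203 12:00:03 [Warning] Access denied for user 'app'@'198.51.100.7' (using password: YES)
110203 12:00:05 [Note] /usr/local/libexec/mysqld: ready for connections.
110203 12:00:06 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""

# Matches the user and source host in a MySQL "Access denied" warning.
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source host,
    ignoring local connections so a misconfigured local app cannot lock itself out."""
    failures = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("host") not in ("localhost", "127.0.0.1"):
            failures[m.group("host")] += 1
    return failures


def offenders(log_text, threshold=3):
    """Hosts whose failure count reaches the threshold (threshold is an assumed value)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= threshold)


def pf_block_commands(hosts, table="mysql_bruteforce"):
    """Build pfctl commands adding each host to a pf table (table name is hypothetical).
    pf.conf must reference the table, e.g.
    block in quick on $ext_if proto tcp from <mysql_bruteforce> to any port 3306"""
    return ["pfctl -t %s -T add %s" % (table, h) for h in hosts]


if __name__ == "__main__":
    # Print rather than execute, so the output can be reviewed before it is applied.
    for cmd in pf_block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run it from cron against the real error log once MySQL has been started with log_warnings=2, so the warnings actually appear.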