Hi all,

Is there any app like denyhosts[1] but intended for the MySQLd service?

We have a MySQL port (3306) open for remote connections, and obviously the /var/db/mysql/machine_name.log is full of these kinds of entries:

...........
936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936013 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936014 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936016 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936018 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
936019 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES)
.............

The idea is to block the abusive IPs in an automated way.

[1] http://denyhosts.sourceforge.net/

--
Thanks,
Jordi Espasa Clofent

> Hi,
>
> There is a functionality in pf, that allows you to have an application to
> update a list of hosts, that is used in a rule. You could have a script
> harvest the addresses from your log files, and then update the table in pf. I
> have not tried it myself, but was looking at adopting an implementation to
> create a tarpit for spammers based on this idea.

Yes Tim, I know it. The "problem" is that the servers are built with IPFW as the firewall solution. I've tried IPFW's "limit" option... but it isn't exactly what I'm looking for.

--
Thanks,
Jordi Espasa Clofent

Jordi Espasa Clofent wrote:
> Is there any app like denyhosts[1] but intended for the MySQLd service?
>
> We have a MySQL port (3306) open for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kinds of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> .............
>
> The idea is to block the abusive IPs in an automated way.
>
> [1] http://denyhosts.sourceforge.net/

How about ports/security/bruteblock? No OOTB support, but adding it should be very easy. (You just write a config file for it.)

--
Tuomo

... All I want is a warm bed, a kind word and unlimited power

Hi,

There is a functionality in pf, that allows you to have an application to update a list of hosts, that is used in a rule. You could have a script harvest the addresses from your log files, and then update the table in pf. I have not tried it myself, but was looking at adopting an implementation to create a tarpit for spammers based on this idea.

On Monday 21 January 2008 11:50:11 am Jordi Espasa Clofent wrote:
> Hi all,
>
> Is there any app like denyhosts[1] but intended for the MySQLd service?
>
> We have a MySQL port (3306) open for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kinds of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> .............
>
> The idea is to block the abusive IPs in an automated way.
>
> [1] http://denyhosts.sourceforge.net/

Jordi Espasa Clofent wrote:
> Hi all,
>
> Is there any app like denyhosts[1] but intended for the MySQLd service?
>
> We have a MySQL port (3306) open for remote connections, and
> obviously the /var/db/mysql/machine_name.log is full of these kinds of
> entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> .............
>
> The idea is to block the abusive IPs in an automated way.

Why do you open your MySQL port to the world? If you want to let users in from any place, then an ssh tunnel is safer (yes, it works even on Windows, using PuTTY or whatever, and a user who finds this difficult shouldn't be able to run SQL commands!).

If this is too much, at least use a different port to reduce the noise (this won't add security, but will somehow limit exposure).

Hi,

On Mon, Jan 21, 2008 at 10:50:11AM +0100, Jordi Espasa Clofent wrote:
> We have a MySQL port (3306) open for remote connections, and obviously
> the /var/db/mysql/machine_name.log is full of these kinds of entries:
>
> ...........
> 936012 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936013 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936014 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936016 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936018 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> 936019 Connect Access denied for user 'user'@'85.19.95.10' (using
> password: YES)
> .............
>
> The idea is to block the abusive IPs in an automated way.
>
> [1] http://denyhosts.sourceforge.net/

You may have a look at Fail2Ban:

http://www.fail2ban.org/wiki/index.php/Features

--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

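The log-harvesting script suggested in the thread, sketched for the IPFW case. This is an added example, not part of any poster's message and not code from denyhosts, bruteblock or Fail2Ban. It counts "Access denied" entries per source address in the log format quoted above and builds `ipfw table ... add` commands for addresses over a threshold. Assumptions: the function names, the threshold, the allow-list, table number 1, and an existing rule such as `deny tcp from table(1) to me 3306` are all hypothetical.

```python
import ipaddress
import re
from collections import Counter

# The user name is client-supplied text, so the pattern is anchored to the end
# of the line and only the final '@'host' pair is trusted.
DENIED = re.compile(
    r"Access denied for user '.*'@'([^']+)' \(using password: (?:YES|NO)\)\s*$")

def abusive_ips(lines, threshold=5, allow=()):
    """Return the sorted IPs with at least `threshold` denied logins."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    hits = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # host was logged as a name, not an address
        if any(ip in net for net in allowed):
            continue  # never block our own networks
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

def ipfw_commands(ips, table=1):
    """Build argv lists for `ipfw table N add ADDR` (table 1 is an assumption)."""
    return [["ipfw", "table", str(table), "add", ip] for ip in ips]

# Constructed sample: the first entry repeats the log line from the thread,
# the other hosts and the log sequence numbers are made up.
FMT = "%d Connect Access denied for user '%s'@'%s' (using password: YES)"
SAMPLE = (
    [FMT % (936012 + i, "user", "85.19.95.10") for i in range(6)]
    + [FMT % (936030 + i, "root", "10.0.0.5") for i in range(5)]
    + [FMT % (936040, "x'@'192.0.2.7' (using password: YES)", "85.19.95.10"),
       FMT % (936041, "app", "db.example.net"),
       FMT % (936042, "admin", "198.51.100.9"),
       "936043 Query SELECT 1"]
)

if __name__ == "__main__":
    for argv in ipfw_commands(abusive_ips(SAMPLE, allow=["10.0.0.0/8"])):
        print(" ".join(argv))
```

The commands are returned as argv lists so a caller can pass them to `subprocess.run` without a shell, which keeps log-derived text out of shell parsing.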