Preventing brute-force attacks on MySQL?


Solution 1

I don't know of any denyhosts-like software packages for MySQL, but I do have a couple of solutions:

  • Limit login to specific IP addresses. Do not use % to allow all hosts to connect to the server.
  • Even more secure, set up iptables to only allow access to 3306 from authorized IP addresses.
  • Tunnel your traffic to the box with ssh, then connect via localhost.
  • Modify the Denyhosts or BFD scripts to analyze MySQL access logs and block any brute-force attempts at the firewall.

Edit:

To answer your comment, try this:

# Allow new and established connections from the client (.50) to MySQL on the server (.20)
iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow the server's replies back to the client on the established connection (mirror of the rule above)
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Where .20 is your MySQL and .50 is the remote connecting IP address.
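As an added illustration of the last bullet above (this is not code from the answer, nor from Denyhosts or BFD): a small Python script that scans MySQL 5.x error-log lines (written when log_warnings is greater than 1) for repeated "Access denied" entries from one host within a time window, and renders iptables DROP rules in the style of the answer's own rules. The sample log lines, the threshold of 3 failures and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches MySQL 5.x error-log lines produced with log_warnings > 1, e.g.
# "130808 10:23:45 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)"
DENIED_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}).*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample log (not captured from a real server); addresses are documentation ranges.
SAMPLE_LOG = """\
130808 10:23:45 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
130808 10:23:46 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130808 10:23:47 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: NO)
130808 10:24:10 [Warning] Access denied for user 'app'@'198.51.100.4' (using password: YES)
130808 10:25:00 [Note] Unrelated line that the parser must ignore
130808 10:40:00 [Warning] Access denied for user 'app'@'198.51.100.4' (using password: YES)
130808 11:05:00 [Warning] Access denied for user 'app'@'198.51.100.4' (using password: YES)
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, host, user) for every access-denied line; skip everything else."""
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        # 5.x timestamps are YYMMDD followed by a space-padded clock time; normalise before parsing
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        yield ts, m.group("host"), m.group("user")

def find_offenders(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {host: peak failure count} for hosts with >= threshold failures inside any window."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    offenders = {}
    for ts, host, _user in parse_failures(lines):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window: drop failures that are too old
            q.popleft()
        if len(q) >= threshold:
            offenders[host] = max(offenders.get(host, 0), len(q))
    return offenders

def firewall_rules(offenders, port=3306):
    """Render one iptables DROP rule per offending host, inserted at the top of INPUT."""
    return [f"iptables -I INPUT -p tcp -s {host} --dport {port} -j DROP" for host in sorted(offenders)]

if __name__ == "__main__":
    for rule in firewall_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

In the sample, only 203.0.113.7 crosses the threshold; 198.51.100.4 fails three times but never within one window, so a slow trickle of failures is not blocked by this rule set.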

Solution 2

1: Change the port from 3306. Not for reasons of better security, but to take the load off the server of dealing with false login attacks.

2: Create an SSL certificate and enable it on your MySQL server (it's a must-have to encrypt your client-server connection anyway).

3: Create one or more client certificates (all clients need to have the certificate, and the client software needs to be configured to use it). If your clients are .NET you need to convert the client certificate to the PKCS#12 format, but that's easily done; see this guide.

4: Set the MySQL user accounts to require an X.509 client certificate; then an attacker needs both the login credentials AND the client certificate (you can even put a password on the client certificate, so the attacker also needs that too).

I used this guide to make the certificates and key files but there are many guides out there.

I prefer to use my SSH connection only to access my Linux box for administration purposes, not for client access.

Solution 3

Using MySQL Proxy, you could write a small Lua script that takes a user/pass combination but waits X seconds to process the login if the connection request comes from an unapproved IP range.

You could furthermore add a bit of extra logic to the Lua script to blacklist IP ranges after three failed attempts.

All in all, it's technically doable, but I'm going with the other recommendations to tunnel via SSH or a VPN to a common, whitelisted (via FW or other means) IP range.


Author: Keith Palmer Jr.

Updated on September 17, 2022

Comments

  • Keith Palmer Jr., almost 2 years

    I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password-guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

    How can I stop this from happening?

    For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

    I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

    Does anyone have any other ideas?

    If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.

  • Keith Palmer Jr., almost 15 years
    I considered this, but that means I'd have to monitor IP address changes for like 1,000+ clients. That would be a gigantic pain in the butt... How can I do this anyway? It doesn't help to lock them out within MySQL, because they can still connect to the MySQL server, just not actually choose any databases...
  • quaie, almost 15 years
    Quoting dave drager above: "Modify the Denyhosts or BFD scripts to analyze mysql access logs and block any brute force attempts at the firewall" seems the best idea, or use some hieroglyphic passwords :)
  • Keith Palmer Jr., almost 15 years
    A few notes: How can I restrict access to port 3306 to only a given set of IP addresses? Just restricting the MySQL users does not work, as remote machines can then still connect and brute-force for passwords. SSH tunnels seem somewhat inconvenient to set up for the end user... Do you have an iptables example of doing this?
  • Andy, almost 15 years
    +1 yet another use for MySQL Proxy :)
  • thepocketwade, almost 15 years
    -1 for security by obscurity
  • Eric Petroelje, almost 15 years
    @thepocketwade - Which is why I said it's not a real solution to the problem. But it could still be helpful.
  • ofri cofri, about 4 years
    Thanks for the answer. I used this guide to do #2, 3 and 4: digitalocean.com/community/tutorials/…
  • Guille, over 3 years
    The max_connect_errors option in the MySQL config file will not work. See mysqlblog.fivefarmers.com/2013/08/08/…