List: General Discussion
From: Johan De Meersman
Date: September 24 2009 9:01am
Subject: Re: REstricting MySQL access to port 3306

The 'recent' module in iptables allows you to automatically block IPs that
open more than x connections in y seconds. As long as the DDoS doesn't
saturate your line, that'll help a lot.

On Thu, Sep 24, 2009 at 10:56 AM, Claudio Nanni <claudio.nanni@stripped> wrote:

> ....and in case it is feasible use a custom port to prevent specific
> attacks
> to mysql.
> All clients and application servers will need to connect to the new port.
>
> Claudio
>
>
> 2009/9/24 Willy <sangprabv@stripped>
>
> > Limit connection from trusted host will reduce it. And it's better handled
> > by firewall.
> >
> >
> > Willy
> > Sent from my Sony Ericsson XPERIA™ X1.
> >
> > -----Original Message-----
> > From: John <john@stripped>
> > Sent: 24 September 2009 15:07
> > To: 'The Doctor' <doctor@stripped>; mysql@stripped
> > Subject: RE: REstricting MySQL access to port 3306
> >
> > I don't think there's anything specific to MySQL but for any system you
> > should ensure you have a good well configured firewall set up, make sure
> > antivirus software is installed and kept up to date, ensure programs only
> > run with essential permissions and keep your system up to date with all the
> > latest security patches. This applies to Windows AND Linux systems.
> >
> > You can reduce your exposure to SYN attacks by blocking all incoming
> > packets
> > from bad external IP addresses 10.0.0.0 to 10.255.255.255, 127.0.0.0 to
> > 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to
> > 192.168.255.255 as well as all internal addresses.
> >
> > Brute force attack exposure can be reduced by setting your router to ignore
> > broadcast addressing and setting your firewall to ignore ICMP requests, how
> > you do this will depend on your router/firewall. You should also block all
> > non-service UDP service requests for your network. Programs that need UDP
> > will still work.
> >
> > It's also worth making regular visits to a site such as
> > http://staff.washington.edu/dittrich/misc/ddos/ to find out what's new in
> > DDOS. Being well informed is half the battle!
> >
> > Regards
> >
> >
> >
> > John Daisley
> > MySQL & Cognos Contractor
> >
> > Certified MySQL 5 Database Administrator (CMDBA)
> > Certified MySQL 5 Developer (CMDEV)
> > IBM Cognos BI Developer
> >
> > Telephone +44 (0)7812 451238
> > Email john@stripped
> >
> > -----Original Message-----
> > From: The Doctor [mailto:doctor@stripped]
> > Sent: 24 September 2009 07:38
> > To: mysql@stripped
> > Subject: REstricting MySQL access to port 3306
> >
> > Some months back I had to firewall port 3306 due to DDoS.
> >
> > I cannot do this now as a client needs 3306 outside the LAN.
> >
> > What can I do to prevent DDoS on my MySQL server?
> >
> > --
> > Member - Liberal International  This is doctor@stripped
> > Ici doctor@stripped God, Queen and country! Beware Anti-Christ rising!
> > Never Satan President Republic!
> > For the latest World News go to http://www.cuttingedge.org/
> >
> > --
> > MySQL General Mailing List
> > For list archives: http:/
> >
> > [The entire original message is not included]
> >
>
>
> --
> Claudio
>



-- 
That which does not kill you was simply not permitted to do so for the
purposes of the plot.
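
Added example, not part of the original messages: a shell function that prints the iptables rules for the 'recent' limit described at the top of this message, here with x = 10 connections in y = 60 seconds on port 3306. The list name `mysql_conn`, the chosen limits and the cap of 20 on the hit count are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules built on the 'recent' match.
# The list name and the limits passed in are assumptions, not values from the thread.

# mysql_recent_rules PORT SECONDS HITCOUNT
# Source IPs that already opened HITCOUNT new connections to PORT within
# SECONDS get further connection attempts dropped.
mysql_recent_rules() {
    port=$1; seconds=$2; hitcount=$3
    list=mysql_conn    # hypothetical name for the per-source tracking list

    for v in "$port" "$seconds" "$hitcount"; do
        case $v in
            ''|*[!0-9]*)
                echo "error: PORT, SECONDS and HITCOUNT must be integers" >&2
                return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$seconds" -lt 1 ]; then
        echo "error: port must be 1-65535 and seconds at least 1" >&2
        return 1
    fi
    # Conservative cap (assumption): xt_recent historically kept 20 timestamps
    # per address (ip_pkt_list_tot), and older kernels reject a larger hitcount.
    if [ "$hitcount" -lt 1 ] || [ "$hitcount" -gt 20 ]; then
        echo "error: hitcount must be between 1 and 20" >&2
        return 1
    fi

    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $list"
    # Rule 1: a source with HITCOUNT recorded hits inside the window is dropped.
    # --update also records the dropped attempt, so the block lasts while it retries.
    echo "iptables -A INPUT $match --update --seconds $seconds --hitcount $hitcount -j DROP"
    # Rule 2: anything else is recorded in the list and accepted.
    echo "iptables -A INPUT $match --set -j ACCEPT"
}

# Print the rules for 10 connections per 60 seconds on the MySQL port.
# After review they can be applied as root: mysql_recent_rules 3306 60 10 | sh
mysql_recent_rules 3306 60 10
```

The rules only match new connections, so packets belonging to established sessions must still be accepted by the rest of the ruleset.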