From: Johan De Meersman
Date: September 24 2009 9:01am
Subject: Re: REstricting MySQL access to port 3306
List-Archive: http://lists.mysql.com/mysql/218813

The 'recent' module in iptables allows you to automatically block IPs that open more than x connections in y seconds. As long as the ddos doesn't saturate your line, that'll help a lot.

On Thu, Sep 24, 2009 at 10:56 AM, Claudio Nanni wrote:
> ....and in case it is feasible use a custom port to prevent specific attacks to mysql.
> All clients and application servers will need to connect to the new port.
>
> Claudio
>
> 2009/9/24 Willy
>
> > Limit connection from trusted host will reduce it. And it's better handled by firewall.
> >
> > Willy
> > Sent from my Sony Ericsson XPERIA™ X1.
> >
> > -----Original Message-----
> > From: John
> > Sent: 24 September 2009 15:07
> > To: 'The Doctor' ; mysql@stripped
> > Subject: RE: REstricting MySQL access to port 3306
> >
> > I don't think there's anything specific to MySQL but for any system you should ensure you have a good, well-configured firewall set up, make sure antivirus software is installed and kept up to date, ensure programs only run with essential permissions and keep your system up to date with all the latest security patches. This applies to Windows AND Linux systems.
> >
> > You can reduce your exposure to SYN attacks by blocking all incoming packets from bad external IP addresses 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255 as well as all internal addresses.
> >
> > Brute force attack exposure can be reduced by setting your router to ignore broadcast addressing and setting your firewall to ignore ICMP requests; how you do this will depend on your router/firewall. You should also block all non-service UDP service requests for your network. Programs that need UDP will still work.
> >
> > It's also worth making regular visits to a site such as http://staff.washington.edu/dittrich/misc/ddos/ to find out what's new in DDOS. Being well informed is half the battle!
> >
> > Regards
> >
> > John Daisley
> > MySQL & Cognos Contractor
> >
> > Certified MySQL 5 Database Administrator (CMDBA)
> > Certified MySQL 5 Developer (CMDEV)
> > IBM Cognos BI Developer
> >
> > Telephone +44 (0)7812 451238
> > Email john@stripped
> >
> > -----Original Message-----
> > From: The Doctor [mailto:doctor@stripped]
> > Sent: 24 September 2009 07:38
> > To: mysql@stripped
> > Subject: REstricting MySQL access to port 3306
> >
> > Some months back I had to firewall port 3306 due to DDoS.
> >
> > I cannot do this now as a client needs 3306 outside the LAN.
> >
> > What can I do to prevent DDoS on my MySQL server?
> >
> > --
> > Member - Liberal International This is doctor@stripped
> > Ici doctor@stripped God, Queen and country! Beware Anti-Christ rising!
> > Never Satan President Republic!
> > For the latest World News go to http://www.cuttingedge.org/
> >
> > --
> > MySQL General Mailing List
> > For list archives: http:/
> >
> > [The entire original message is not included]
>
> --
> Claudio

-- 
That which does not kill you was simply not permitted to do so for the purposes of the plot.
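The three pieces of firewall advice in this thread (drop traffic that arrives from the outside with private or loopback source addresses, let the one trusted client through, and use the iptables 'recent' module to drop sources that open too many new connections to 3306 in a short window) fit together in a single rule set. The script below is an added example, not code from any of the thread's participants. The interface name eth0, the trusted client address 203.0.113.10 (a documentation/TEST-NET address), and the threshold of 10 new connections per 60 seconds are constructed assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): iptables rules for a MySQL
# host that must keep TCP/3306 reachable from outside the LAN.
#
# Assumed values (constructed for the example, not stated in the thread):
#   WAN_IF          external interface
#   TRUSTED_CLIENT  the one outside client that must always get through
#   HITCOUNT / SECONDS_WINDOW  rate-limit threshold for the 'recent' module
#
# Usage:  sh mysql_fw.sh           print the iptables commands (dry run)
#         sh mysql_fw.sh --apply   execute them (needs root and iptables)

WAN_IF="${WAN_IF:-eth0}"
MYSQL_PORT="${MYSQL_PORT:-3306}"
TRUSTED_CLIENT="${TRUSTED_CLIENT:-203.0.113.10}"
HITCOUNT="${HITCOUNT:-10}"
SECONDS_WINDOW="${SECONDS_WINDOW:-60}"

# Private and loopback ranges that should never arrive on the WAN interface
# (the ranges John lists, written in CIDR form).
BOGON_RANGES="10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the rule set, one iptables command per line.
mysql_fw_rules() {
    # Dedicated chain so the MySQL rules can be listed and flushed on their own.
    echo "iptables -N MYSQL_IN 2>/dev/null || iptables -F MYSQL_IN"

    # 1. Spoofed private/loopback sources on the external interface: drop first.
    for net in $BOGON_RANGES; do
        echo "iptables -A MYSQL_IN -i $WAN_IF -s $net -j DROP"
    done

    # 2. The trusted client bypasses the rate limit entirely.
    echo "iptables -A MYSQL_IN -s $TRUSTED_CLIENT -j ACCEPT"

    # 3. 'recent' module: record every NEW connection per source address, then
    #    drop the source once it has opened HITCOUNT connections within
    #    SECONDS_WINDOW seconds (the automatic blocking Johan describes).
    echo "iptables -A MYSQL_IN -m conntrack --ctstate NEW -m recent --name mysql --set"
    echo "iptables -A MYSQL_IN -m conntrack --ctstate NEW -m recent --name mysql --update --seconds $SECONDS_WINDOW --hitcount $HITCOUNT -j DROP"

    # Everything that survived the checks above is allowed through.
    echo "iptables -A MYSQL_IN -j ACCEPT"

    # Hook the chain into INPUT for the MySQL port only; other ports are untouched.
    echo "iptables -A INPUT -p tcp --dport $MYSQL_PORT -j MYSQL_IN"
}

# Number of '-A' rules the set would install; a quick sanity check before --apply.
mysql_fw_rule_count() {
    mysql_fw_rules | grep -c '^iptables -A'
}

if [ "$1" = "--apply" ]; then
    mysql_fw_rules | sh -e
else
    mysql_fw_rules
fi
```

The bogon drops are tied to the WAN interface on purpose: the same 10/8 or 192.168/16 addresses are legitimate on the LAN side, so a blanket `-s 10.0.0.0/8 -j DROP` would cut off internal clients. Once the rules are live, `cat /proc/net/xt_recent/mysql` shows which sources the 'recent' list is currently tracking, which is the first place to look when a client reports being blocked. As Johan notes, none of this helps once the flood saturates the uplink itself.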