
I have just reviewed my syslog file and notice a TON of entries of the following:

Aug 25 13:06:17 ssrv001 mysqld: 150825 13:06:17 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: YES)

The IP is malicious as no one but myself has root access to this server. I will be removing remote access for the root mysqld user, however will this be enough to thwart this type of thing from happening?

I was also thinking about implementing something that will disallow connections from IP addresses who have made invalid requests multiple times.

nullReference
  • Do you really need to have your database open for the whole world to connect to it? – Michael Hampton Aug 25 '15 at 19:46
  • Well...yes...and no. I use a remote client to administrate databases on this server and as I am behind a dynamic IP I cannot specify a strict IP for my user account. Root can most certainly be set to localhost only since I can ssh in to make changes that require root access. – nullReference Aug 25 '15 at 20:14
  • I can't comment on the database configuration, but the IP you list is of Chinese origin. Constant probing from the Chinese IP block is a very familiar event for anyone that hosts an edge device with some kind of open port/login field. Google "[your firewall] block chinese IP range" and you will usually find a pre-defined rule set that you can just plug in and use. Leaving your database server open to the general internet is probably not a great idea from a security point of view, but you will see far less of these kinds of probes with China blocked. – Patrick Aug 26 '15 at 08:27
  • @nullReference if you have a dynamic IP you can at least ask your (crappy) ISP to give you their IP ranges and only allow these ranges in the firewall. Any customer from that ISP could still try to break into your server but at least you'll be safe from the Chinese. – André Borie Aug 26 '15 at 11:37
  • Should this be asked on Information Security SE? – an earwig Aug 26 '15 at 12:10
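The "block an IP after several invalid requests" idea from the question, worked through as an added example (this is not code from the question or from fail2ban). It parses syslog lines of the exact shape quoted above, applies fail2ban-style maxretry/findtime semantics per source host with a sliding window, and renders the matching iptables DROP rules as strings rather than executing them. The log sample is constructed: 61.160.232.48 is the address from the question, 198.51.100.7 is a documentation (TEST-NET-2) address, and the hostname, PID and sshd line are made up.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Regex modelled on the syslog line quoted in the question. The "host" group plays
# the role that <HOST> plays in a fail2ban failregex.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ mysqld: .*?"
    r"\[Warning\] Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# The same pattern written in fail2ban filter syntax (assumption: a filter you would
# drop into /etc/fail2ban/filter.d yourself; it is not one shipped with fail2ban).
FAIL2BAN_FAILREGEX = r"mysqld: .*\[Warning\] Access denied for user '[^']*'@'<HOST>'"

# Constructed sample log, in chronological order like a real syslog file.
SAMPLE_LOG = """\
Aug 25 10:00:00 ssrv001 mysqld: 150825 10:00:00 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
Aug 25 10:30:00 ssrv001 mysqld: 150825 10:30:00 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
Aug 25 11:00:00 ssrv001 mysqld: 150825 11:00:00 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
Aug 25 11:30:00 ssrv001 mysqld: 150825 11:30:00 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
Aug 25 12:00:00 ssrv001 mysqld: 150825 12:00:00 [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
Aug 25 13:05:58 ssrv001 sshd[2231]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
Aug 25 13:06:17 ssrv001 mysqld: 150825 13:06:17 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: YES)
Aug 25 13:06:19 ssrv001 mysqld: 150825 13:06:19 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: YES)
Aug 25 13:06:21 ssrv001 mysqld: 150825 13:06:21 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: NO)
Aug 25 13:06:24 ssrv001 mysqld: 150825 13:06:24 [Warning] Access denied for user 'admin'@'61.160.232.48' (using password: YES)
Aug 25 13:06:30 ssrv001 mysqld: 150825 13:06:30 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: YES)
Aug 25 13:06:31 ssrv001 mysqld: 150825 13:06:31 [Warning] Access denied for user 'root'@'61.160.232.48' (using password: YES)
""".splitlines()


def parse_failures(lines, year=2015):
    """Yield (timestamp, user, host) for every access-denied line.

    Syslog timestamps carry no year, so the caller supplies one."""
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["host"]


def offending_hosts(lines, maxretry=5, findtime=600, year=2015):
    """Hosts that reached `maxretry` failures inside any `findtime`-second window.

    Mirrors fail2ban's maxretry/findtime: a sliding window per host, so five
    failures spread over hours do not trigger, five in a minute do.
    Returns {host: total_failures} for the hosts that crossed the threshold."""
    windows = defaultdict(deque)
    totals = Counter()
    flagged = set()
    for ts, _user, host in parse_failures(lines, year):
        totals[host] += 1
        window = windows[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(host)
    return {host: totals[host] for host in sorted(flagged)}


def iptables_drop_rules(hosts, port=3306):
    """Render one per-source DROP rule per flagged host (strings only, nothing is run)."""
    return [f"iptables -I INPUT -s {host} -p tcp --dport {port} -j DROP" for host in hosts]


if __name__ == "__main__":
    flagged = offending_hosts(SAMPLE_LOG)
    for host, count in flagged.items():
        print(f"{host}: {count} failed logins")
    for rule in iptables_drop_rules(flagged):
        print(rule)
```

With the defaults (5 failures within 600 seconds) only 61.160.232.48 is flagged; 198.51.100.7 also failed five times but over two hours, which is the behaviour you want from a findtime window so that a legitimate admin fat-fingering a password occasionally is not locked out. Widening findtime to 7200 flags both, which is the knob to turn if the probes you see are slow and patient.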

3 Answers


First of all, I recommend allowing login as root to MySQL only from localhost. If you have to connect to MySQL from another server, create a new user and grant it only the permissions it needs.

Also, you can use fail2ban or similar to add hackers' IPs to a blacklist after a number of failed connection attempts.

And lastly, you may change your mysql port to avoid dumb brute-force attacks.

Learn more about securing your MySQL dbs on linux here: How To Secure MySQL and MariaDB Databases in a Linux VPS

UPDATE: I forgot that MySQL has its own tools to block IPs after failed login attempts. You can use this in your mysql config file (under the [mysqld] section; option-file lines take no trailing semicolon):

[mysqld]
max_connect_errors = 5

But by default, mysqld blocks a host after 10 connection errors.

Read more about it here: Server System Variables #sysvar_max_connect_errors and here: Host 'host_name' is blocked

Maxim Mazurok

I am with Maxim and knowhy, allow login as root to MySQL only from localhost. I would go even further allowing login for localhost or specific ips for all users.

Something you can do to connect to your remote MySQL server as a local user is ssh tunneling.

Something like this should work for UNIX systems:

ssh -fNg -L 9999:127.0.0.1:3306 user@yourhost.com

This will enable the client port 9999 as a "tunnel" to remote yourhost.com:3306 port.

For Windows systems, PuTTY should do the trick. Take a look at this:

http://www.ytechie.com/2008/05/set-up-a-windows-ssh-tunnel-in-10-minutes-or-less/

Most current MySQL graphical clients allow tunneled connections; MySQL Workbench, for example, works great:

https://www.mysql.com/products/workbench/

ajerez

You should block mysql with your iptables. This snippet will block mysql from any host other than localhost:

iptables -A INPUT -i lo -p tcp --dport mysql -j ACCEPT
iptables -A INPUT -p tcp --dport mysql -j DROP

Be aware that these settings in your iptables won't be persistent. Depending on your distribution you should edit your iptables configuration. For Red Hat 6-based systems you should edit /etc/sysconfig/iptables, for example.

You should also disable remote root login in MySQL with the following SQL query:

DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

You could also think about implementing fail2ban to block IPs with too many failed logins. This serverfault question should help you with that.
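A way to check the grant table before and after running that DELETE, as an added example (not code from the answer or from MySQL). sqlite3 stands in for the server so the statement from the answer can be executed verbatim against a constructed copy of mysql.user, and remote_accounts() goes a step further than the answer's query: it lists every account, not just root, that is reachable from off the box, which is the audit you want if you follow ajerez's advice to pin all users to localhost or specific IPs. The account rows are constructed; 10.0.0.5 is a made-up address.

```python
import sqlite3

# Host values that MySQL treats as the local machine; anything else (including the
# '%' wildcard) is reachable over the network.
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

# Constructed (User, Host) rows in the shape of mysql.user.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("root", "127.0.0.1"),
    ("root", "::1"),
    ("root", "%"),            # root from any host: the account being hammered in the question's log
    ("appuser", "%"),
    ("backup", "10.0.0.5"),   # made-up address
]


def load_accounts(rows):
    """Build an in-memory stand-in for the mysql.user grant table.

    sqlite3 replaces MySQL here; the schema is attached under the name 'mysql' so
    the answer's 'DELETE FROM mysql.user ...' runs unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS mysql")
    conn.execute("CREATE TABLE mysql.user (User TEXT NOT NULL, Host TEXT NOT NULL)")
    conn.executemany("INSERT INTO mysql.user (User, Host) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def remote_accounts(conn, user=None):
    """(User, Host) pairs that can log in from somewhere other than the local machine.

    Optionally restrict the audit to one user name (e.g. 'root')."""
    sql = "SELECT User, Host FROM mysql.user WHERE Host NOT IN (?, ?, ?)"
    params = list(LOCAL_HOSTS)
    if user is not None:
        sql += " AND User = ?"
        params.append(user)
    sql += " ORDER BY User, Host"
    return conn.execute(sql, params).fetchall()


def drop_remote_root(conn):
    """Run the DELETE statement from the answer; returns how many root rows it removed."""
    cur = conn.execute(
        "DELETE FROM mysql.user WHERE User='root' "
        "AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = load_accounts(SAMPLE_ACCOUNTS)
    print("remote root before:", remote_accounts(conn, user="root"))
    print("rows removed:", drop_remote_root(conn))
    print("remote root after:", remote_accounts(conn, user="root"))
    print("still remotely reachable:", remote_accounts(conn))
```

On a real server, two details that the sqlite stand-in does not exercise: MySQL reads the grant tables into memory, so after editing mysql.user directly you need FLUSH PRIVILEGES for the change to take effect, and DROP USER 'root'@'%' is the supported way to remove an account, since it also cleans up the related privilege tables. After the root rows are gone, 'appuser'@'%' and 'backup'@'10.0.0.5' are still listed as remotely reachable; the first is the one worth replacing with a host-restricted account or the SSH tunnel from the previous answer.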

Henrik Pingel