#1
9th April 2013, 05:40
markc

Hacks on MySQL port

I've always been a bit uneasy about opening up MySQL to 0.0.0.0, but it seems it's necessary for ISPConfig, especially with multiple servers, which I am trying to master. Sure enough, I am seeing a lot of brute force password hacking attempts coming from many different IPs (i.e., a bot, so I can't simply firewall-block these attempts), so has anyone got any suggestions on how best to manage this situation?

And/or has anyone tried using MySQL via local sockets (far more efficient) and perhaps using SSH tunnels to connect remote servers for either direct access or replication?
#2
9th April 2013, 07:47
florian030

If you open port 3306, you should limit the access with your firewall:

Code:
iptables -I INPUT -s REMOTE_SERVER -p tcp -m tcp --dport 3306 -j ACCEPT
And make sure that port 3306 is denied by default.

Additionally, I use stunnel to secure the MySQL connections.
__________________
regards
Florian

blog.schaal-24.de
The Following User Says Thank You to florian030 For This Useful Post:
markc (9th April 2013)
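
A way to check the "denied by default" condition from post #2, as an added example that is not part of the thread: it reads `iptables -S INPUT` output and reports whether port 3306 is still reachable from arbitrary sources. The function name `audit_3306`, the `sample_*` helpers and the rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output for MySQL (3306) exposure.
# Assumption: only rules that name --dport 3306 explicitly are evaluated;
# broader rules, multiport matches and jumps to other chains are not followed.

# Reads `iptables -S INPUT` output on stdin, prints one verdict line.
audit_3306() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && /--dport 3306( |$)/ {
            scoped = (/ -s / && !/ ! -s /)   # limited to one source address
            # An unscoped ACCEPT only matters if no deny rule precedes it.
            if (/-j ACCEPT/ && !scoped && !denied) open = 1
            if (/-j (DROP|REJECT)/ && !scoped) denied = 1
        }
        END {
            if (open) print "exposed: 3306 accepted from any source"
            else if (!denied && policy != "DROP") print "exposed: no default deny for 3306"
            else print "restricted"
        }'
}

# Constructed samples (192.0.2.10 and 198.51.100.7 are documentation addresses).
sample_open() {           # policy ACCEPT and no rule for 3306 at all
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
}
sample_restricted() {     # one ACCEPT per peer, then deny everyone else
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT' \
        '-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 3306 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 3306 -j DROP'
}
sample_leftover() {       # an old blanket ACCEPT still sits above the DROP
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT' \
        '-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 3306 -j DROP'
}

for s in sample_open sample_restricted sample_leftover; do
    printf '%-18s %s\n' "$s" "$("$s" | audit_3306)"
done
```

On a live server the same function can be fed with `iptables -S INPUT | audit_3306`, run as root.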
#3
9th April 2013, 08:06
markc

Cool, thanks for the input. So it looks like stunnel is very similar to using a "normal" SSH tunnel with something like autossh to manage it. Yes, using a local unix socket is magnitudes faster than using an inet socket, even when the inet socket is localhost:3306.

A question: if you use stunnel for MySQL replication, then in what case would you also need to have port 3306 visible to the outside world?
#4
9th April 2013, 08:26
florian030

If you use stunnel for the replication, there is of course no reason to open port 3306. This example was for the case where you won't use stunnel. Anyway, you must open the port (limited) for stunnel.
__________________
regards
Florian

blog.schaal-24.de
#5
9th April 2013, 08:35
markc

Right, okay. If I were to try stunnel or SSH tunnels then I was wondering if there was any need to otherwise open up port 3306 on all interfaces.

ATM I'm just trying to get a slave ISPConfig server to talk to a master (not specifically for MySQL replication), and for this case I currently need to use open 3306 ports, but when I get this to work I'll try to "bury" the connection via one of the tunnels.

All times are GMT +2.