Hacks on MySQL port

Discussion in 'Installation/Configuration' started by markc, Apr 9, 2013.

  1. markc

    markc Member

    I've always been a bit uneasy about opening up MySQL, but it seems it's necessary for ISPConfig, especially with multiple servers, which I am trying to master, and sure enough I am seeing a lot of brute-force password hacking attempts coming from many different IPs (i.e. a bot, so I can't simply firewall-block these attempts). So has anyone got any suggestions on how best to manage this situation?

    And/or has anyone tried using MySQL via local sockets (far more efficient) and perhaps using SSH tunnels to connect remote servers, for either direct access or replication?
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    If you open port 3306, you should limit the access with your firewall:

    iptables -I INPUT -s REMOTE_SERVER -p tcp -m tcp --dport 3306 -j ACCEPT
    And make sure that port 3306 is denied by default. ;)

    Additionally, I use stunnel to secure the MySQL connections.
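The "allow from the remote server, deny by default" rule above is easy to get subtly wrong: an earlier unrestricted ACCEPT for 3306, or an INPUT policy of ACCEPT with no DROP rule, leaves the port open to the bots the first post describes. The following is an added example, not code from the thread or from ISPConfig: a POSIX shell helper that prints (rather than applies) the rule set for a list of trusted addresses, and an audit function that reads an `iptables-save` dump and reports whether TCP/3306 is actually restricted. The addresses 203.0.113.10 and 198.51.100.5 and the three dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: build an allow-list for TCP/3306
# and audit an iptables-save dump for an unrestricted ACCEPT on that port.

# Print (do not apply) the rules: one ACCEPT per trusted source address, then a
# catch-all DROP so 3306 is denied by default even when the INPUT policy is ACCEPT.
# Review the output, then run it as root to apply.
mysql_rules() {
  for src in "$@"; do
    printf 'iptables -A INPUT -s %s -p tcp -m tcp --dport 3306 -j ACCEPT\n' "$src"
  done
  printf 'iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP\n'
}

# Audit an iptables-save dump read from stdin.
# Returns 0 when 3306 is restricted,
#         1 when some ACCEPT on dport 3306 carries no -s (source) match,
#         2 when nothing ever drops 3306 (no DROP/REJECT rule and INPUT policy ACCEPT).
# Limitation: a catch-all "-A INPUT -j ACCEPT" earlier in the chain is not detected;
# this is a sanity check, not a substitute for reading the whole chain.
audit_3306() {
  dump=$(cat)
  rules=$(printf '%s\n' "$dump" | grep -- '--dport 3306' || true)
  if printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -v -- ' -s ' | grep -q .; then
    return 1
  fi
  if printf '%s\n' "$rules" | grep -qE -- '-j (DROP|REJECT)'; then
    return 0
  fi
  if printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
    return 0
  fi
  return 2
}

# Constructed iptables-save dumps for the demonstration (not captured from a real host).
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT'
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# Demo on the constructed dumps. On a real host: iptables-save | audit_3306
for d in "$GOOD_DUMP" "$BAD_DUMP" "$OPEN_DUMP"; do
  rc=0
  printf '%s\n' "$d" | audit_3306 || rc=$?
  echo "audit result: $rc"
done
```

Run `iptables-save | audit_3306` on the master after loading the rules; an exit status of 1 means a rule accepts 3306 from anywhere, and 2 means the port is only "closed" because no rule happens to accept it, which is exactly the state a later `-I INPUT ... -j ACCEPT` silently undoes.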
  3. markc

    markc Member

    Cool, thanks for the input. So it looks like stunnel is very similar to using a "normal" SSH tunnel with something like autossh to manage it. Yes, using a local unix socket is magnitudes faster than using an inet socket, even when the inet socket is localhost:3306.

    A question, if you use stunnel for MySQL replication then in what case would you also need to have port 3306 visible to the outside world?
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    If you use stunnel for the replication there is of course no reason to open port 3306. This example was for the case where you don't use stunnel. Anyway, you must open the port for stunnel (in a limited way).
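To make the "open only the stunnel port, in a limited way" arrangement concrete, here is an added example that is not from the thread or from ISPConfig: shell helpers that print the stunnel configuration for the master (TLS listener that hands sessions to MySQL on 127.0.0.1:3306) and for the slave (local listener on 127.0.0.1:3307 that carries sessions to the master over TLS), plus the one firewall rule the master needs. The TLS port 3307, the certificate and CA file paths under /etc/stunnel/, and the addresses 203.0.113.10 and 198.51.100.5 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: stunnel on both ends of a
# MySQL connection, so that 3306 never has to be reachable from outside.
# Assumed: TLS port 3307, cert/key/CA files under /etc/stunnel/.

# Master side: terminate TLS on 3307 and pass plaintext to MySQL on 127.0.0.1:3306.
# MySQL itself should have bind-address = 127.0.0.1 in my.cnf so 3306 is loopback-only.
# verify = 2 requires the slave to present a certificate signed by the CA in CAfile
# (mutual TLS), so a stolen password alone does not get an attacker to port 3306.
stunnel_server_conf() {
  cat <<'EOF'
pid = /var/run/stunnel-mysql.pid
[mysql-tls]
accept = 0.0.0.0:3307
connect = 127.0.0.1:3306
cert = /etc/stunnel/master.pem
CAfile = /etc/stunnel/ca.pem
verify = 2
EOF
}

# Slave side: client mode, listening on loopback only. Every MySQL client on the slave
# (including replication) connects to 127.0.0.1:3307; stunnel forwards to the master.
stunnel_client_conf() {
  master="$1"
  cat <<EOF
pid = /var/run/stunnel-mysql.pid
client = yes
[mysql-tls]
accept = 127.0.0.1:3307
connect = ${master}:3307
cert = /etc/stunnel/slave.pem
CAfile = /etc/stunnel/ca.pem
verify = 2
EOF
}

# The only inbound rule the master needs: 3307 from the slave's address. 3306 stays closed.
stunnel_firewall_rule() {
  printf 'iptables -I INPUT -s %s -p tcp -m tcp --dport 3307 -j ACCEPT\n' "$1"
}

# Demo: print what each host would get (master at 203.0.113.10, slave at 198.51.100.5).
echo '# master: /etc/stunnel/mysql.conf'
stunnel_server_conf
echo '# master: firewall'
stunnel_firewall_rule 198.51.100.5
echo '# slave: /etc/stunnel/mysql.conf'
stunnel_client_conf 203.0.113.10
```

On the slave, point clients at host 127.0.0.1 and port 3307 (for replication, `CHANGE MASTER TO MASTER_HOST='127.0.0.1', MASTER_PORT=3307, ...`). Use the literal address 127.0.0.1 rather than `localhost`, because the mysql client treats `localhost` as "use the Unix socket" and would bypass the tunnel.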
  5. markc

    markc Member

    Right, okay. If I were to try stunnel or SSH tunnels then I was wondering if there was any need to otherwise open up port 3306 on all interfaces.

    ATM I'm just trying to get a slave ISPConfig server to talk to a master (not specifically for MySQL replication), and for this case I currently need to have port 3306 open, but when I get this to work I'll try and "bury" the connection via one of the tunnels.
