Re: denyhosts-like app for MySQLd?



Jordi Espasa Clofent wrote:
why do you open your mysql port to the world?

if you want to let users in from any place, then an ssh tunnel is safer (yes, works even on windows, using putty or whatever. and a user who finds this difficult shouldn't be able to run sql commands!).

I completely agree with you; the problem is always the same: the decisions are taken by non-technical staff a lot of the time.
I've proposed ssh tunnels for MySQL remote connections... but it means "so hard" for final customers....

I know it's not easy. but depending on your customers, you may have some chances!
- if they can buy a license for sqlyog, it will support sql tunnels directly (otherwise, you need an external tunnel, which you can set up with putty or whatever).
- it should not be hard to use an ssl tunnel (stunnel or whatever)
- you might be able to ask what IPs are supposed to get there. even if it's not precise, this could reduce risks by only allowing a few networks.



If this is too much, at least use a different port to reduce the noise (This won't add security, but will somehow limit exposure).

Of course.


This is generally considered "security by obscurity". I don't think so. This is making it harder for an attacker to get there without being noticed. While a script kiddie can run his script to try a standard port, if he wants to get inside a "local" port, he'll need to try many ports and for each port try the right protocol. This gives us time to get him.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
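The "only allowing a few networks" suggestion from the message above, as an added example that is not part of the original post: it widens imprecise customer-reported IPv4 addresses to covering networks, merges them, and checks connection sources against the result. The function names, the /24 widening default and all sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
CUSTOMER_REPORTED = ["198.51.100.17", "198.51.100.201",
                     "203.0.113.0/28", "203.0.113.16/28"]
OBSERVED_SOURCES = ["198.51.100.44", "203.0.113.9", "192.0.2.77"]


def build_allowlist(reported, widen_to=24):
    """Return merged IPv4 networks allowed to reach the MySQL port.

    Customers rarely know their exact address, so anything narrower than
    /widen_to is widened to its covering /widen_to network. Networks that
    are already wider are kept as reported. Overlapping and adjacent
    networks are merged so the firewall rule set stays short.
    """
    nets = []
    for item in reported:
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 4:
            raise ValueError("this sketch handles IPv4 only: %s" % item)
        if net.prefixlen > widen_to:
            net = net.supernet(new_prefix=widen_to)
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(source, allowlist):
    """True if a connection source address falls inside the allowlist."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in allowlist)


def exposure(allowlist):
    """Number of addresses that can still reach the port."""
    return sum(net.num_addresses for net in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(CUSTOMER_REPORTED)
    print("allow:", ", ".join(str(n) for n in allow))
    print("reachable from %d of %d IPv4 addresses" % (exposure(allow), 2 ** 32))
    for src in OBSERVED_SOURCES:
        print(src, "allowed" if is_allowed(src, allow) else "blocked")
```

The resulting networks are what would go into the packet filter rule for the MySQL port; sources reported as blocked are the ones to raise with the customer before tightening the rule.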


