Re: denyhosts-like app for MySQLd?



> I know it's not easy, but depending on your customers, you may have some chances!
> - if they can buy a license for sqlyog, it will support sql tunnels directly (otherwise, you need an external tunnel, which you can set up with putty or whatever).

This option is, simply, impossible. We cannot "force" the final customers to acquire any kind of product.

> - it should not be hard to use an ssl tunnel (stunnel or whatever)

Mmmmm.... it means easier than ssh-tunneling (from the customer's point of view). I have to investigate this method carefully.

> - you might be able to ask what IPs are supposed to get there. even if it's not precise, this could reduce risks by only allowing a few networks.

Yes. We have already done it, but the related problem is that a lot of customers don't have static IPs.

>> This is generally considered "security by obscurity".
> I don't think so. This is making it harder for an attacker to get there without being noticed. While a script kiddie can run his script to try a standard port, if he wants to get inside a "local" port, he'll need to try many ports and for each port try the right protocol. This gives us time to get him.

;)

--
Thanks,
Jordi Espasa Clofent
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
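A sketch of the stunnel option discussed above, added here as an illustration and not taken from the thread: mysqld stays bound to 127.0.0.1 and is reached only through a TLS tunnel that requires a client certificate, which addresses the dynamic-IP problem because the customer's identity is the certificate, not the address. All paths, ports and hostnames are assumptions for the example.

```ini
; ---- server side (FreeBSD box running mysqld) ----
; Assumes mysqld has bind-address = 127.0.0.1 in my.cnf, so the plain
; 3306 port is never exposed on the network interface.
; Paths, port 3307 and the hostnames are illustrative assumptions.
cert    = /usr/local/etc/stunnel/server.pem   ; server cert + key
CAfile  = /usr/local/etc/stunnel/customer-ca.pem
verify  = 2      ; require a client cert signed by customer-ca.pem
setuid  = stunnel
setgid  = stunnel
chroot  = /var/run/stunnel
pid     = /stunnel.pid

[mysql-tls]
accept  = 3307             ; TLS listener reachable by customers
connect = 127.0.0.1:3306   ; mysqld, loopback only

; ---- client side (customer workstation) ----
; Local tools connect to 127.0.0.1:3306 as usual; stunnel wraps the
; session in TLS and presents the customer's issued certificate.
client  = yes
cert    = C:\stunnel\customer42.pem   ; issued per customer (assumed name)
CAfile  = C:\stunnel\server-ca.pem
verify  = 2      ; also authenticate the server before sending credentials

[mysql-tls]
accept  = 127.0.0.1:3306
connect = db.example.org:3307        ; assumed server hostname
```

A firewall rule allowing only 3307 (and the ssh port) completes the picture; revoking a customer's certificate, or re-issuing the CA, is the lever when a workstation is lost.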


