Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

How can I stop this from happening?

For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

Does anyone have any other ideas?

If it makes a different, I'm running MySQL 5.x on FreeBSD 6.x.


I don't know of any denyhosts-like software packages for MySQL, but I do have a couple of solutions:

  • Limit login to specific IP addresses. Do not use % to allow for all hosts to connect to the server.
  • Even more secure, set up iptables to only allow access to 3306 from authorized IP addresses.
  • Tunnel your traffic to the box with ssh then connect via localhost
  • Modify the Denyhosts or BFD scripts to analyze mysql access logs and block any brute force attempts at the firewall

Edit:

To answer your comment, try this:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024

Where .20 is your MySQL and .50 is the remote connecting IP address.


1: Change the port from 3306. Not for reason of better security, but to take the load of the server to deal with false login attacks

2: Create SSL certificate and enable it on your MySQL server (it's a must-have to encrypt your client-server connection anyway)

3: Create one or more client certificates (all clients need to have the certificate and the client-software need to be configured to use it). If your clients is .Net you need to convert the client certificate to the pkcs12 format, but that's easily done, see this guide..

4: Set the MySQL user account's to require x509 client certificate, then an attacker both need the login credentials AND the client certificate (you can even put a password on the client certificate, then the attacker also need to require that too).

I used this guide to make the certificates and key files but there are many guides out there.

I prefer only to use my SSH connection to access my linux box for administration purpose, not for client access.


Using MySQL Proxy, you could write a small LUA script that takes a user/pass combination but waits X seconds to process the login if the connection request comes from an unapproved IP range.

You could furthermore add a bit of extra logic to the LUA script to blacklist IP ranges after three failed attempts.

All in all, it's technically doable, but I'm going with the other recommendations to tunnel via SSH or a VPN to a common, whitelisted (via FW or other means) IP range.