Re: denyhosts-like app for MySQLd?
Jordi Espasa Clofent wrote:
>> why do you open your mysql port to the world?
>>
>> if you want to let users in from any place, then an ssh tunnel is
>> safer (yes, works even on windows, using putty or whatever. and a
>> user who finds this difficult shouldn't be able to run sql commands!).
>
> I completely agree with you; the problem is always the same: the
> decisions are taken by non-technical staff in a lot of times.
> I've proposed a ssh tunnels for MySQL remote connections... but it
> means "so hard" for final customers....
I know it's not easy. but depending on your customers, you may have some
chances!
- if they can buy a license for sqlyog, it will support sql tunnels
directly (otherwise, you need an external tunnel, which you can setup
with putty or whatever).
- it should not be hard to use an ssl tunnel (stunnel or whatever)
- you might be able to ask what IPs are supposed to get there. even if
it's not precise, this could reduce risks by only allowing few networks.
>
>> If this is too much, at least use a different port to reduce the
>> noise (This won't add security, but will somehow limit
>> exposure).scribe@freebsd.org"
>
> Of course.
>
This is generally consider "security by obscurity". I don't think so.
This is making it harder for an attacker to get there without being
noticed. while a script kiddie can run his script to try a stand port,
if he wants to get inside a "local" port, he'll need to try many ports
and for each port try the right protocol. This gives us time to get him.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 14 之 15 篇):