Restricting MySQL access to port 3306
on 24.09.2009 08:37:48 by The Doctor
Some months back I had to firewall port 3306 due to DDoS.
I cannot do this now as a client needs 3306 outside the LAN.
What can I do to prevent DDoS on my MySQL server?
--
Member - Liberal International This is doctor@nl2k.ab.ca
Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
For the latest World News go to http://www.cuttingedge.org/
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org
RE: Restricting MySQL access to port 3306
on 24.09.2009 10:07:45 by John
I don't think there's anything specific to MySQL but for any system you
should ensure you have a good, well-configured firewall set up, make sure
antivirus software is installed and kept up to date, ensure programs only
run with essential permissions and keep your system up to date with all the
latest security patches. This applies to Windows AND Linux systems.
You can reduce your exposure to SYN attacks by blocking all incoming packets
from bad external IP addresses 10.0.0.0 to 10.255.255.255, 127.0.0.0 to
127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to
192.168.255.255 as well as all internal addresses.
Brute force attack exposure can be reduced by setting your router to ignore
broadcast addressing and setting your firewall to ignore ICMP requests; how
you do this will depend on your router/firewall. You should also block all
non-service UDP service requests for your network. Programs that need UDP
will still work.
It's also worth making regular visits to a site such as
http://staff.washington.edu/dittrich/misc/ddos/ to find out what's new in
DDOS. Being well informed is half the battle!
Regards
John Daisley
MySQL & Cognos Contractor
Certified MySQL 5 Database Administrator (CMDBA)
Certified MySQL 5 Developer (CMDEV)
IBM Cognos BI Developer
Telephone +44 (0)7812 451238
Email john@butterflysystems.co.uk
Re: Restricting MySQL access to port 3306
on 24.09.2009 10:18:21 by muhammad subair
If just a few people can access MySQL on port 3306, you can set the firewall
to make it not accessible from all hosts except the hosts which you list.
If very many people need MySQL, like at a hosting provider, I think you
can use an application which lets people manage MySQL via the server, such as
PHPMyAdmin, and you can close MySQL to access from outside the LAN.
cmiiw.
--
Muhammad Subair
RE: Restricting MySQL access to port 3306
on 24.09.2009 10:37:24 by uYe
Limiting connections to trusted hosts will reduce it. And it's better handled
by the firewall.
Willy
Re: Restricting MySQL access to port 3306
on 24.09.2009 10:56:28 by Claudio Nanni - TomTom
...and in case it is feasible, use a custom port to prevent specific attacks
to mysql.
All clients and application servers will need to connect to the new port.
Claudio
--
Claudio
Re: Restricting MySQL access to port 3306
on 24.09.2009 11:01:59 by Johan De Meersman
The 'recent' module in iptables allows you to automatically block IPs that
open more than x connections in y seconds. As long as the ddos doesn't
saturate your line, that'll help a lot.
--
That which does not kill you was simply not permitted to do so for the
purposes of the plot.
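
The iptables 'recent' rate limit described in this message, combined with the trusted-host allowlist suggested earlier in the thread, as an added example that is not part of any poster's message. The function only prints the commands for review; the chain name MYSQL_IN, the list name mysql, the thresholds and the 203.0.113.x addresses are assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables commands for MySQL on 3306/tcp.
# Chain name, list name, thresholds and addresses are assumptions.

# mysql_rules HITCOUNT SECONDS [TRUSTED_HOST ...]
mysql_rules() {
    hits=$1; secs=$2
    [ "$#" -ge 2 ] || { echo "usage: mysql_rules HITS SECS [HOST ...]" >&2; return 1; }
    shift 2
    for n in "$hits" "$secs"; do
        case "$n" in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done
    # xt_recent remembers 20 packets per source by default (ip_pkt_list_tot);
    # a larger --hitcount is rejected when the rule is loaded.
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ] || [ "$secs" -lt 1 ]; then
        echo "need 1 <= hitcount <= 20 and seconds >= 1" >&2; return 1
    fi
    # Accept only dotted IPv4 addresses or CIDR blocks, so nothing else can
    # end up inside a command line that will later run as root.
    for host in "$@"; do
        case "$host" in ''|*[!0-9./]*) echo "bad host: $host" >&2; return 1 ;; esac
    done

    echo "iptables -N MYSQL_IN"
    # Packets of already-established sessions are never rate limited.
    echo "iptables -A INPUT -p tcp --dport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 3306 -m conntrack --ctstate NEW -j MYSQL_IN"
    # Trusted hosts skip the rate limit.
    for host in "$@"; do
        echo "iptables -A MYSQL_IN -s $host -j ACCEPT"
    done
    # Everyone else: record the source, then drop it when it reaches
    # $hits new connections within $secs seconds. --update refreshes the
    # timestamp, so a source that keeps hammering stays blocked.
    echo "iptables -A MYSQL_IN -m recent --name mysql --set"
    echo "iptables -A MYSQL_IN -m recent --name mysql --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A MYSQL_IN -j ACCEPT"
}

# Constructed sample: two trusted client addresses (documentation range),
# at most 10 new connections per 60 seconds from any other source.
mysql_rules 10 60 203.0.113.10 203.0.113.24
```

For a strict allowlist, where only the listed hosts may reach 3306 at all, the final `-j ACCEPT` rule becomes `-j DROP`.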