Preventing brute-force attacks on MySQL?

Solution 1:

I don't know of any denyhosts-like software packages for MySQL, but I do have a couple of solutions:

  • Limit login to specific IP addresses. Do not use % to allow for all hosts to connect to the server.
  • Even more secure, set up iptables to only allow access to 3306 from authorized IP addresses.
  • Tunnel your traffic to the box with ssh then connect via localhost
  • Modify the Denyhosts or BFD scripts to analyze mysql access logs and block any brute force attempts at the firewall

Edit:

To answer your comment, try this:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 3306 -d 202.54.1.50 --dport 1024

Where .20 is your MySQL and .50 is the remote connecting IP address.

Solution 2:

1: Change the port from 3306. Not for reason of better security, but to take the load of the server to deal with false login attacks

2: Create SSL certificate and enable it on your MySQL server (it's a must-have to encrypt your client-server connection anyway)

3: Create one or more client certificates (all clients need to have the certificate and the client-software need to be configured to use it). If your clients is .Net you need to convert the client certificate to the pkcs12 format, but that's easily done, see this guide..

4: Set the MySQL user account's to require x509 client certificate, then an attacker both need the login credentials AND the client certificate (you can even put a password on the client certificate, then the attacker also need to require that too).

I used this guide to make the certificates and key files but there are many guides out there.

I prefer only to use my SSH connection to access my linux box for administration purpose, not for client access.