
I have some dynamic content on my website that gets data from a database from a remote MySQL server. I recently rebuilt that server and have seen some strange activity in my logs. I searched a couple of these IPs and they show up as Chinese, and on security forums etc. So I'm assuming someone is trying to brute force my database.

Can anyone suggest how I might tighten my security here? I have read exposing a MySQL database to the net is a security risk, but the data is updated semi-regularly on that server and I can't set up replication to my web host in order to keep connections local (and thus closing off my MySQL ports on the remote server).

I have specific users set up for remote access with limited access and strong passwords. Should I be doing anything differently?

IP address '123.108.223.200' could not be resolved: The requested name is valid, but no data of the requested type was found.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '180.69.254.133' could not be resolved: No such host is known.
Host name 'WIN-4K2ASOOQOO9' could not be resolved: No such host is known.
Host name 'WIN-4K2ASOOQOO9' could not be resolved: No such host is known.
Hostname '142-118-74-198-dedicated.multacom.com' does not resolve to '198.74.118.142'.
Hostname '142-118-74-198-dedicated.multacom.com' has the following IP addresses:
- 204.13.152.7
IP address '182.84.98.165' could not be resolved: No such host is known.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
Host name 'unassigned.psychz.net' could not be resolved: No such host is known.
IP address '112.175.66.51' could not be resolved: No such host is known.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Host name 'IDC-A4333C3EFF4' could not be resolved: No such host is known.
Host name 'IDC-A4333C3EFF4' could not be resolved: No such host is known.
IP address '173.208.94.206' could not be resolved: No such host is known.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
square_eyes
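As an added example (not from the question or the answer): a small Python script that parses the MySQL reverse-DNS warnings of the kind shown in the log above, counts connection attempts per remote source, and separates the IPs that can be compared against a firewall allow-list from the bare hostnames that cannot. The sample log is constructed from the same warning formats, and the allow-list address 198.51.100.10 is a placeholder for the web host.

```python
import re
from collections import Counter
# Constructed sample in the same MySQL warning formats as the question's log
# excerpt (each warning is one inbound connection MySQL tried to reverse-resolve).
SAMPLE_LOG = """\
IP address '123.108.223.200' could not be resolved: The requested name is valid, but no data of the requested type was found.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Host name 'WIN-4K2ASOOQOO9' could not be resolved: No such host is known.
Hostname '142-118-74-198-dedicated.multacom.com' does not resolve to '198.74.118.142'.
Hostname '142-118-74-198-dedicated.multacom.com' has the following IP addresses:
- 204.13.152.7
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
"""
# One pattern per warning shape; 'src' captures the connecting peer (the IP
# where the warning carries one, otherwise the bare name MySQL was handed).
PATTERNS = [
    re.compile(r"^IP address '(?P<src>[\d.]+)' could not be resolved"),
    re.compile(r"^IP address '(?P<src>[\d.]+)' has been resolved to the host name"),
    re.compile(r"^Hostname '[^']+' does not resolve to '(?P<src>[\d.]+)'"),
    re.compile(r"^Host name '(?P<src>[^']+)' could not be resolved"),
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def connecting_sources(log_text):
    """Count connection attempts per remote source across the warnings."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                counts[m.group("src")] += 1
                break  # continuation lines ("has the following IP addresses") are skipped
    return counts

def unexpected_sources(log_text, allowed_ips):
    """Split sources outside the allow-list into firewallable IPs and bare
    hostnames (no IP in the warning; look them up in the connection log first)."""
    counts = connecting_sources(log_text)
    ips = {s: n for s, n in counts.items() if IPV4.match(s) and s not in allowed_ips}
    names = {s: n for s, n in counts.items() if not IPV4.match(s)}
    return ips, names

if __name__ == "__main__":
    # Assumed allow-list: the web host's address (placeholder, not from the page).
    ips, names = unexpected_sources(SAMPLE_LOG, {"198.51.100.10"})
    for src, n in sorted(ips.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} attempt(s), not in allow-list")
    print("hostname-only sources (need a lookup before a rule):", sorted(names))
```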

1 Answer

The canonical way to block a specific IP address is via iptables. In CentOS that would be this command:

$ iptables -A INPUT -s 2.4.6.8 -j DROP

Where 2.4.6.8 is the IP address of the server that you wish to block.

However, I suggest blocking by default all connections to port 3306 (MySQL) and instead allowing only those addresses that you expect (i.e. a whitelist):

$ iptables -N mysql
$ iptables -A mysql --src 1.2.3.4 -j ACCEPT
$ iptables -A mysql -j DROP
$ iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql

Where 1.2.3.4 is the IP address of the server you wish to allow.

The above commands were pretty much adapted from this SO answer.

dotancohen
  • Ok thanks. I'm no guru so use Workbench. In Workbench all my users are set to local only except the couple I set up to remote in. Those are limited to the IP of my web server. I'll double check that. But would I continue to see the errors in my log? I'd actually prefer to have a replication on my web server (to close the ports on my DB server) but most hosts don't make it that easy. – square_eyes Jun 15 '14 at 10:15
  • `iptables` is hit before MySQL, so you won't see the attempted connections in the MySQL log. You can allow your Workbench machine to connect by adding another `ACCEPT` line for its IP address. – dotancohen Jun 15 '14 at 11:09
  • So if this is not part of MySQL, what is it? Or is it like a hosts file that gets parsed before any connection is made? FYI my machine is Windows. Sorry, I'm a little confused still. But I understand the concept. Also how would this be different than say, adding a 'From' IP in my firewall? – square_eyes Jun 15 '14 at 15:24
  • This is _exactly_ adding a 'From' IP in your firewall. – dotancohen Jun 15 '14 at 18:28