
I need to know more about MySQL brute force attacks. I see MySQL brute force attacks on our Linux server, however none of the machines are compromised yet.

From this link, I figured out that if I am getting garbage characters while using the telnet command from another remote machine, it means port 3306 is open to the outside world. I figured out from this link that if I modify /etc/my.cnf to include skip-networking, it will block all outside connections to port 3306.

My question is,

I have a program running which connects to the MySQL server (in which I am getting the brute force attacks) using a certain username and password (The username is not root). If I include the above line (skip-networking) in my.cnf file, will it affect my current running program?

Ramesh
  • That obviously depends on whether your program contacts the mysql server via network or not. – arkascha Aug 26 '13 at 20:44
  • 4
    First thing you should do is lock down the access to the server by a firewall. Allow only traffic from those networks / addresses absolutely required for your work. Block everything else. – arkascha Aug 26 '13 at 20:44
  • You need a properly configured firewall to isolate your internal services from hostile parties. – SLaks Aug 26 '13 at 20:45
  • How do I lock the access to the server using firewall? Is it adding the command "Skip-networking" in /etc/my.cnf file? – Ramesh Aug 26 '13 at 20:48
  • I am new to these networking concepts. My program is running from another machine which is also in the same network (I am using my university network). – Ramesh Aug 26 '13 at 20:51

2 Answers


Rule #1: NEVER leave your MySQL port flapping in the breeze. There have been bugs in MySQL that have nullified the security layer and allowed arbitrary remote code execution.

You absolutely must lock down 3306 to be open only to the smallest possible list of IPs, and even then you're still going to have to be careful. By default MySQL does not encrypt these connections, so it's theoretically possible to scrape authentication information from here.

The better way to do this is for each machine that requires access to your database to set up a simple SSH tunnel that bridges remote machines to the local MySQL port.

skip-networking has the effect of binding to 127.0.0.1 (localhost) meaning it won't accept external connections. This is safer, but without a strict set of firewall rules you're still living dangerously.

tadman
  • Are you able to link to some details on how the SSH tunnel works in practice? I have used SSH on the command line but no idea where to start in using SSH to communicate with the mysql machine. I mean does the machine querying the sql (Computer A) SSH to the server running mysql (Computer B) and now A can query the SQL database on 127.0.0.1:3306 or something? – sradforth Jun 01 '16 at 10:04
  • @sradforth Precisely. Look up "SSH port forwarding" or search on [Superuser](http://superuser.com). – tadman Jun 01 '16 at 16:32

So like the comments said you need to configure a firewall. Editing your my.cnf file is not the same as a firewall.

The skip-networking option basically does the following: Don’t listen for TCP/IP connections at all. All interaction with mysqld must be made via Unix sockets. This option is highly recommended for systems where only local requests are allowed. Since you need to allow remote connections, this line should be removed from my.cnf or commented out.

Go install a firewall and ensure that only your machine can connect to the MySQL database. Here is a list of recommended firewalls.

Namphibian
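Putting the two answers together (restrict 3306 with firewall rules, check where mysqld actually listens, and give the application host an SSH tunnel instead of a network-exposed port), as an added example that is not code from either answer; `db.example.internal`, the `deploy` user and the sample addresses are placeholders, and `iptables`/`ss` are assumed to be present:

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumes iptables and ss are present,
# mysqld listens on TCP 3306, and "db.example.internal"/"deploy" are placeholders.

# Emit firewall rules admitting 3306 only from the given sources, then dropping the rest.
# Printed rather than applied so they can be reviewed first; -A appends, so an earlier
# blanket ACCEPT in the INPUT chain would still win.
mysql_firewall_rules() {
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 3306 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 3306 -j DROP\n'
}

# Inspect `ss -ltn` output (passed as text so it can be checked offline). Returns 0 when
# every 3306 listener is on loopback (what bind-address=127.0.0.1 gives you), 1 when a
# listener on 0.0.0.0, * or [::] makes the port reachable from the network.
mysql_bound_to_loopback() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:3306$/ {
            addr = $4; sub(/:3306$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { exit (exposed ? 1 : 0) }'
}

# Tunnel the application host opens: its local 3306 is forwarded over SSH to the
# database host's loopback, so the program keeps connecting to 127.0.0.1:3306 unchanged.
mysql_ssh_tunnel_cmd() {
    printf 'ssh -N -L 3306:127.0.0.1:3306 %s@%s\n' "$2" "$1"
}

# Constructed sample of `ss -ltn` output showing mysqld exposed on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*'

if mysql_bound_to_loopback "$SAMPLE_SS"; then
    echo "3306 is loopback-only"
else
    echo "3306 is reachable from the network; apply rules such as:"
    mysql_firewall_rules 10.0.0.5 192.168.1.0/24   # constructed allowed sources
    echo "and have the app host use: $(mysql_ssh_tunnel_cmd db.example.internal deploy)"
fi
```

With the tunnel in place the program on the other machine keeps its username and password and simply connects to 127.0.0.1:3306 on its own host; only SSH (port 22) needs to be reachable between the two machines.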