MySQL database Brute-force protection

hi,

Does anyone use any tools for MySQL, or MySQL's built-in tools, for brute-force protection?
marrowyungSenior Technical architecture (Data)Asked:
David Johnson, CD, MVPOwnerCommented:
MySQL automatically denies connections from IP addresses that don't have at least one matching row in mysql.user. Port 3306 should not be externally accessible (block via iptables/firewall).
Pawan KumarDatabase ExpertCommented:
If you are fine with a third-party tool then you can also use RdpGuard.
RdpGuard is a host-based intrusion prevention system (HIPS) that protects your Windows Server from brute-force attacks on various protocols and services (RDP, FTP, SMTP, MySQL, MS-SQL, IIS Web Login, ASP.NET Web Forms, MS Exchange, RD Web Access, etc).

Free trial. We can use the free trial of RdpGuard and see if it works fine with our requirements.
https://rdpguard.com/
marrowyungSenior Technical architecture (Data)Author Commented:
"If you are fine with third party tool then you can also use rdbgaurd."

But that one is not for Linux, right? It only says MySQL, but it should only be for MySQL on Windows, agree?

Pawan KumarDatabase ExpertCommented:
Yes, not for Linux.
marrowyungSenior Technical architecture (Data)Author Commented:
Then it can't be used on MySQL on Linux, man.

So this means no.
Pawan KumarDatabase ExpertCommented:
Yes, you are correct.
marrowyungSenior Technical architecture (Data)Author Commented:
I will have this as a condition, or I will rely on the IP address list from MySQL to prevent this.
Tomas Helgi JohannssonCommented:
Hi!

As David says here, to protect yourself from brute-force attacks you should limit access to your MySQL/MariaDB to the users' specific IP addresses or IP address ranges (domains), and then protect the host using a firewall (iptables/firewalld on Linux) and fail2ban.

Here is a simple how-to on setting up MySQL brute-force protection using fail2ban.

Regards,
     Tomas Helgi
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
As David said in his first message, MariaDB/MySQL already has built-in brute-force protection using the GRANT mechanism.

Also, most sites run their LAMP Stack on the same machine, so your Apache + PHP + MariaDB/MySQL all live on the same machine.

If this is the case, you can do 100% brute-force blocking by adding this to your /etc/mysql/my.cnf (or equivalent).

bind-address       = 127.0.0.1

Also keep in mind, binding to the related unix domain socket... usually...

socket             = /var/run/mysqld/mysqld.sock

Gives double or triple (depending on many factors) the throughput of connecting to 127.0.0.1 or any other IP or domain name.

So be sure you create your users relative to localhost, then make your database connections using localhost rather than an IP or domain name.

Skipping the network stack overhead is way slower than sockets.
Prabhin MPEngineer-TechOPSCommented:
Use fail2ban and create custom jails for blocking the brute-force attacks. Create threshold levels as per your requirements.
Fail2ban is integrated with iptables, so once the attacker reaches the threshold, iptables will block them as per the configuration.
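Tomas Helgi and Prabhin both point at fail2ban, which works by scanning the MySQL error log for failed logins, counting them per source address, and asking iptables to drop that address once a threshold is reached. The script below, added here as an example and not posted by either of them, does that counting step by hand over a few constructed error-log lines in the MySQL 5.7 format (the timestamps, usernames and addresses are made up), so the detection logic can be read and tested without a server. The threshold argument plays the role of fail2ban's `maxretry`.

```shell
#!/bin/sh
# Added example: count MySQL authentication failures per source host the way a
# fail2ban filter + jail does, and report hosts at or above a threshold.
# The log lines below are constructed sample data, not from a real server.

SAMPLE_LOG="${TMPDIR:-/tmp}/mysql-error-sample.log"

write_sample_log() {
    cat > "$SAMPLE_LOG" <<'EOF'
2019-03-04T10:15:01.123456Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-04T10:15:02.223456Z 13 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2019-03-04T10:15:03.323456Z 14 [Note] Access denied for user 'root'@'203.0.113.7' (using password: NO)
2019-03-04T10:15:04.423456Z 15 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2019-03-04T10:15:05.523456Z 16 [Note] Aborted connection 17 to db: 'shop' user: 'app' host: '10.0.0.5' (Got timeout reading communication packets)
2019-03-04T10:15:06.623456Z 17 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-04T10:15:07.723456Z 18 [Note] Access denied for user 'root'@'localhost' (using password: YES)
EOF
}

# Print "count host" for every source host that failed authentication,
# most failures first. Only the host part of 'user'@'host' is kept, so
# trying many usernames from one address still counts against that address.
failed_logins_by_host() {
    logfile=$1
    sed -n "s/.*Access denied for user '[^']*'@'\([^']*\)'.*/\1/p" "$logfile" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the hosts whose failure count reaches the threshold (fail2ban's maxretry).
# These are the addresses a jail would hand to iptables for banning.
hosts_over_threshold() {
    logfile=$1
    threshold=$2
    failed_logins_by_host "$logfile" | awk -v t="$threshold" '$1 >= t {print $2}'
}

write_sample_log
echo "Failed logins per host:"
failed_logins_by_host "$SAMPLE_LOG"
echo "Hosts reaching threshold 3 (would be banned with maxretry = 3):"
hosts_over_threshold "$SAMPLE_LOG" 3
```

In production you would not run this by hand: fail2ban ships a `mysqld-auth` filter that matches the same "Access denied for user" lines, and enabling its jail with `logpath` pointing at the MySQL error log and a `maxretry`/`bantime` of your choosing gives the iptables ban Prabhin describes. The lines only appear in the error log when MySQL is told to log them (`log_warnings = 2` on 5.6/5.7, `log_error_verbosity = 3` on 8.0), so check that the log actually contains failures before trusting the jail.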
marrowyungSenior Technical architecture (Data)Author Commented:
David Favor,

"bind-address       = 127.0.0.1"

This says it only lets localhost connect, and we use 'bind-address = 0.0.0.0' to accept all connections.

So you are assuming that only the web server on the local machine connects to it, right?


"Also keep in mind, binding to the related unix domain socket... usually..."

But this isn't related to preventing the attack, right?
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
You'd only use 0.0.0.0 if you really have connections from other machines.

If you do have external connections, then you'd use normal GRANTs to control access.

If someone attempts logging in with some number of incorrect logins, you'd use fail2ban to block these IPs for good.

You have to be clear about what you're asking. If you require no external connections, then you use 127.0.0.1 + you have no issue with attacks.

The only way a person can attack a unix domain socket is if they're already into your machine + at that point there are no blocks... because, if they're in your machine, then they're in + can do anything.
marrowyungSenior Technical architecture (Data)Author Commented:
"You'd only use 0.0.0.0 if you really have connections from other machines."

Exactly, that's why I said that you, by this setting, assume that the web and DB are all on the same host.

"If you do have external connections, then you'd use normal GRANTs to control access."

MySQL internal permissions, right?

"If someone attempts logging in with some number of incorrect logins, you'd use fail2ban to block these IPs for good."

tks.

"You have to be clear about what you're asking. If you require no external connections, then you use 127.0.0.1 + you have no issue with attacks."

But this one still needs to be concerned about brute-force attacks on the web server, not the DB server, right?
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
If you're running a CMS like WordPress where all .php files + database are all on one machine, you'd set 127.0.0.1 so no external connections are allowed. With this configuration, all external (off machine/container) connections are blocked. This means with this config, there's no way for any brute force attacks to begin.

If you enable external/offsite connections by setting 0.0.0.0 or some other IP, then you must use the GRANTs table to allow a given user@IP access to connect. This must be done explicitly. You should never just allow any person from any IP to connect.

If you allow, say root@1.1.1.1 this means only IP 1.1.1.1 could possibly create a brute force attack.

You could use fail2ban in this case. Normally fail2ban would be used if you had 100s or 1000s of remote IPs allowed (via explicit GRANTs) to access your database.

Rereading your posts, I think you've confused the meaning of 127.0.0.1 (local only) + 0.0.0.0 (external connections allowed).
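David Johnson's first reply (no matching mysql.user row, no connection) and David Favor's replies above (bind-address, user@IP GRANTs) describe two separate controls. The script below is an added example, not code from any participant, that audits both: it reads bind-address from a my.cnf, lists accounts whose host part is a wildcard, and emits the SQL that allow-lists a single address for an application account. The my.cnf contents, the account list, the database name `shop`, the account `app` and every address in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two controls described above.
# 1. bind-address in my.cnf decides which interfaces mysqld listens on
#    (127.0.0.1 = local only, 0.0.0.0 or unset = every interface).
# 2. Which remote IPs may even attempt a login is the host part of each
#    account in mysql.user; that allow-list is not a my.cnf setting.
# The my.cnf content, account list, database name and addresses are constructed.

SAMPLE_CNF="${TMPDIR:-/tmp}/my-sample.cnf"
SAMPLE_USERS="${TMPDIR:-/tmp}/mysql-user-sample.csv"

write_samples() {
    cat > "$SAMPLE_CNF" <<'EOF'
[mysqld]
datadir            = /var/lib/mysql
socket             = /var/run/mysqld/mysqld.sock
bind-address       = 0.0.0.0
EOF
    # Constructed "user,host" rows, as SELECT user, host FROM mysql.user would return them.
    cat > "$SAMPLE_USERS" <<'EOF'
root,localhost
app,10.0.0.5
report,192.168.1.0/255.255.255.0
legacy,%
backup,%.corp.example
EOF
}

# Print the bind-address value from a my.cnf, or "unset" if absent.
bind_address() {
    v=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Classify the network exposure the bind-address implies.
bind_exposure() {
    case "$(bind_address "$1")" in
        127.0.0.1|::1|localhost) echo "local-only" ;;
        unset|0.0.0.0|::|'*')    echo "all-interfaces" ;;
        *)                       echo "single-interface" ;;
    esac
}

# List accounts whose host part is a wildcard: any source IP may try passwords for them.
wildcard_accounts() {
    awk -F',' '$2 == "" || index($2, "%") > 0 {print $1 "@" $2}' "$1"
}

# Emit SQL that allow-lists one literal IP (or ip/netmask) for an account.
# MySQL matches the client address against the host part before it ever
# checks a password, so other addresses never get to guess.
grant_for_host() {
    user=$1; db=$2; host=$3
    case "$host" in
        *%*|"") echo "refusing wildcard host '$host'" >&2; return 1 ;;
    esac
    printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '<set-a-strong-password>';\n" "$user" "$host"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
}

write_samples
echo "bind-address = $(bind_address "$SAMPLE_CNF") ($(bind_exposure "$SAMPLE_CNF"))"
echo "Accounts any IP may attempt to log in as:"
wildcard_accounts "$SAMPLE_USERS"
echo "SQL to allow only the web server at 10.0.0.5 for the 'app' account:"
grant_for_host app shop 10.0.0.5
```

The account audit is the useful part: with bind-address = 0.0.0.0 the server is reachable from anywhere, and every `'%'` or `'%.domain'` host entry is an account the whole Internet may try passwords against. Narrow those to a literal address or to the `'ip/netmask'` form MySQL accepts (as in the `report` row), and the only sources that can start a brute-force run are the ones you granted, which is the point David Favor makes about root@1.1.1.1.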
marrowyungSenior Technical architecture (Data)Author Commented:
"This must be done explicitly. You should never just allow any person from any IP to connect."
Only the web server, you mean?

Usually we do allow all because of internal DB users.

"This must be done explicitly. You should never just allow any person from any IP to connect."

If I want to allow some IP addresses to come in, how can I set it in my.cnf?
marrowyungSenior Technical architecture (Data)Author Commented:
Thanks all,

Administrator, please let me award the other contributors; I can't give them a score.