Jordi Espasa Clofent wrote:
>> why do you open your mysql port to the world?
>> if you want to let users in from any place, then an ssh tunnel is
>> safer (yes, works even on windows, using putty or whatever. and a
>> user who finds this difficult shouldn't be able to run sql commands!).
> I completely agree with you; the problem is always the same: the
> decisions are taken by non-technical staff a lot of the time.
> I've proposed ssh tunnels for MySQL remote connections... but it
> means "so hard" for final customers....
I know it's not easy. but depending on your customers, you may have some
chances!
- if they can buy a license for sqlyog, it will support sql tunnels
directly (otherwise, you need an external tunnel, which you can set up
with putty or whatever).
- it should not be hard to use an ssl tunnel (stunnel or whatever)
- you might be able to ask what IPs are supposed to get there. even if
it's not precise, this could reduce risks by only allowing few networks.
>> If this is too much, at least use a different port to reduce the
>> noise (This won't add security, but will somehow limit
>> exposure)
> Of course.
This is generally considered "security by obscurity". I don't think so.
This is making it harder for an attacker to get there without being
noticed. While a script kiddie can run his script to try a standard port,
if he wants to get inside a "local" port, he'll need to try many ports
and for each port try the right protocol. This gives us time to get him.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
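
The last point in the message above (a client that knows the moved port connects to one port, while someone hunting for the service has to touch many) can be turned into a simple check. This is an added example, not part of the original message; the log format, the sample lines, the `find_port_sweeps` name and the thresholds are assumptions made for illustration, and lines are assumed to be in time order.

```python
from collections import defaultdict, deque

# Constructed sample: "epoch_seconds source_ip destination_port", one line per
# inbound connection attempt. The format is hypothetical, not a real firewall log.
SAMPLE_LOG = """\
1000 198.51.100.7 3306
1001 198.51.100.7 3307
1002 198.51.100.7 3308
1003 203.0.113.20 43306
1004 198.51.100.7 3309
1005 198.51.100.7 3310
1200 203.0.113.20 43306
1300 192.0.2.44 22
1900 192.0.2.44 80
"""

def find_port_sweeps(log_text, window=60, max_ports=4):
    """Return {source_ip: first_alert_time} for sources that touch more than
    max_ports distinct ports within any `window` seconds."""
    recent = defaultdict(deque)   # source -> (time, port) pairs inside the window
    alerts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue              # skip blank or malformed lines
        try:
            ts, port = int(fields[0]), int(fields[2])
        except ValueError:
            continue              # skip lines with non-numeric time or port
        src = fields[1]
        events = recent[src]
        events.append((ts, port))
        # Drop attempts that have fallen out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) > max_ports and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} touched more than 4 ports within 60s (alert at t={when})")
```

In the sample, the customer at 203.0.113.20 who already knows the port never trips the check, while the source walking ports 3306 to 3310 is flagged on its fifth attempt.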