Gary Huntress wrote:
> 
> My firewall has denied and logged several of the following messages:
> 
> Packet log: input DENY eth0 PROTO=6 192.168.0.1:37656 66.31.176.185:3306
> L=40 S=0x00 I=26581 F=0x0000 T=39 (#2)
> 
> As you can see, it is a spoofed IP trying to connect to the mysql port.
> I've looked around at basic security sites (sans.org, whitehats.com) and
> haven't found any documentation of specific exploits against MySQL.
> 
> My questions are 1) do others typically see this?  2)  what do you do?  (my
> guess is, not much)    3)  Are there other security measures I should be
> taking?   and finally 4) are there any documented MySQL exploits?  (buffer
> overflows)
> 
> Regards,
> 
> Gary "SuperID" Huntress
> 
Gary:

Firewalls are a great start.  This is the first defence and it sounds like
you're hitting all the useful places:  sans.org, securityfocus.com,
rootshell.org.  An IDS is always a good call, too, but it's tough to IDS your
mysql database while keeping it useful, but it can be done with portsentry
(psionic.com).

WRT looking for the probes, I run across them from time to time, but since it's
caught by the firewall, I don't really pay too much attention to it.  They're
not getting anywhere, anyway.  They'd have better chances finding a way to break
the web server.

The biggest concerns are the lpd, named, ftp, rpc, and now, ntp daemons.   If
you don't need 'em, don't use 'em.  If you do, firewall them and restrict access
to your own hosts/networks.

Best Regards,
Van
-- 
=========================================================================
Linux rocks!!!   http://www.dedserius.com
=========================================================================
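
Added example, not part of the original message: a Python parser for ipchains packet-log entries like the one quoted above, labelling entries whose source is a non-routable address arriving on the external interface and entries aimed at the MySQL port. Treating eth0 as the external interface and 3306 as the only watched port are assumptions, and the second and third sample entries are constructed.

```python
import ipaddress
import re

# Field order of an ipchains "Packet log:" entry: chain, action, interface,
# IP protocol number, source, destination, L=length, S=TOS, I=IP id,
# F=fragment field, T=TTL, optional SYN marker, optional rule number.
LOG_RE = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ip_id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<syn>\s+SYN)?(?:\s+\(#(?P<rule>\d+)\))?"
)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INT_FIELDS = ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule")

def parse(entry):
    """Return the entry's fields as a dict, or None if it is not a packet log."""
    m = LOG_RE.search(entry)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["syn"] = rec["syn"] is not None
    return rec

def classify(rec, external_ifaces=("eth0",), watched_tcp_ports=(3306,)):
    """Label a parsed entry; the interface and port defaults are assumptions."""
    labels = []
    src = ipaddress.ip_address(rec["src"])
    if rec["iface"] in external_ifaces and any(src in n for n in NON_ROUTABLE):
        labels.append("non-routable-source-on-external-iface")
    if rec["proto"] == 6 and rec["dport"] in watched_tcp_ports:
        labels.append("mysql-port-probe")
    return labels

SAMPLES = [
    # From the post (the archive wrapped it over two lines).
    "Packet log: input DENY eth0 PROTO=6 192.168.0.1:37656 66.31.176.185:3306\n"
    "L=40 S=0x00 I=26581 F=0x0000 T=39 (#2)",
    # Constructed entries, not from the post.
    "Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 198.51.100.10:3306 "
    "L=44 S=0x00 I=1201 F=0x4000 T=52 SYN (#2)",
    "Packet log: input DENY eth0 PROTO=17 10.1.2.3:53 198.51.100.10:1025 "
    "L=34 S=0x00 I=18 F=0x0000 T=254 (#3)",
]
```

Calling classify(parse(entry)) on each element of SAMPLES returns the labels for that entry; parse() returns None for lines that are not packet-log entries.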
