One thing you should do to protect your MySQL 'instance' is have it running
on a system 'behind' your 'front line' defenses (i.e. Firewall) and not 'on
it'.

Set up MySQL to listen only on the interface that your webserver or other
'client' is communicating on (we have a 'private' network connecting the
application webservers to the MySQL server via a 2nd set of network cards, with
the MySQL 'ports' only accessible via that network, which takes some
"ipchains" configuration).

Also, the user list should have only the 'host names' (i.e. "web1_private")
that are allocated via the 'private' net (so that users coming in from the
regular network have no 'permissions' or login entries). NOTE: by only
'registering' the 'private' host names in the "/etc/hosts" files, you can use
the 'underscore' ("_") character in the hostname, which is 'illegal' in the
newer BIND (DNS) versions, protecting you from anyone trying to gain access
by 'spoofing' the hostname...

Gary Huntress wrote:

> My firewall has denied and logged several of the following messages:
>
> Packet log: input DENY eth0 PROTO=6 192.168.0.1:37656 66.31.176.185:3306 L=40 S=0x00 I=26581 F=0x0000 T=39 (#2)
>
> As you can see, it is a spoofed IP trying to connect to the mysql port.
> I've looked around at basic security sites (sans.org, whitehats.com) and
> haven't found any documentation of specific exploits against MySQL.
>
> My questions are 1) do others typically see this? 2) what do you do? (my
> guess is, not much) 3) Are there other security measures I should be
> taking? and finally 4) are there any documented MySQL exploits? (buffer
> overflows)
>
> Regards,
>
> Gary "SuperID" Huntress
>
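A check for the log format Gary quoted, added here as an example and not code from the list thread: it parses ipchains "Packet log" lines, ignores traffic on the private interface where the web servers legitimately reach MySQL, and flags connection attempts to port 3306 arriving on the public interface, classifying an RFC 1918 source there as spoofed or misrouted (it cannot be a real Internet host). The interface names and all sample lines except the quoted one are constructed.

```python
import ipaddress
import re

# Matches the ipchains "Packet log:" format quoted in the original message.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
MYSQL_PORT = 3306
# RFC 1918 ranges: a source in one of these arriving on the public interface
# cannot be a legitimate Internet host, so the address is spoofed or misrouted.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: the quoted line (rejoined) plus three made-up lines.
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=6 192.168.0.1:37656 66.31.176.185:3306 L=40 S=0x00 I=26581 F=0x0000 T=39 (#2)",
    "Packet log: input DENY eth0 PROTO=6 203.0.113.7:51000 66.31.176.185:3306 L=40 S=0x00 I=100 F=0x0000 T=50 (#2)",
    "Packet log: input DENY eth1 PROTO=6 10.0.0.5:40000 10.0.0.1:3306 L=40 S=0x00 I=101 F=0x0000 T=64 (#3)",
    "Packet log: input DENY eth0 PROTO=6 198.51.100.9:44444 66.31.176.185:80 L=40 S=0x00 I=102 F=0x0000 T=40 (#1)",
]

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = IPCHAINS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def audit(lines, external_iface="eth0"):
    """Return (src, dst, reason) for each TCP packet to the MySQL port seen on the public interface."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        # Traffic on the private interface is the web servers talking to MySQL; skip it.
        if rec is None or rec["iface"] != external_iface:
            continue
        if rec["proto"] != 6 or rec["dport"] != MYSQL_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in PRIVATE_NETS):
            reason = "private-range source on public interface: spoofed or misrouted"
        else:
            reason = "Internet host probing the MySQL port"
        findings.append((rec["src"], rec["dst"], reason))
    return findings
```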
