MySQL Forums

How to prevent brute force attacks?
Posted by: media forest
Date: April 17, 2008 05:56AM

Hello, everybody,
Yesterday, my MySQL server was "brute force" attacked.
Of course, I looked for information about that on Google and here, but I didn't find any useful information on this kind of attack in the case of MySQL.

My /var/log/mysql.log has been filled since last night with thousands of:

080416 16:57:57 286051 Connect Access denied for the user:'root'@'' (using password: YES)
080416 16:57:58 286052 Connect Access denied for the user: 'root'@'' (using password: YES)
080416 16:57:59 286053 Connect Access denied for the user: 'root'@'' (using password: YES)
080416 16:58:01 286054 Connect Access denied for the user: 'root'@'' (using password: YES)

at the rate of about one per second.
The host was neither "pingable" nor "resolvable"; I had to use iptraf to identify in real time the IP of the host making connections on port 3306 of my box, to finally be able to block it by hand using iptables rules.

I searched MySQL's docs for an option which could be used to reject a host after a certain number of failed login attempts, but I didn't find anything... except the parameter "max_connect_errors", which should apply but which doesn't in this case: although configured to 10, thousands of login attempts were recorded without causing any blocking.

I suppose that it is possible to configure fail2ban to scan mysql.log, but the problem in my case is that the attacker's host name was not "resolvable", and without an IP it seems that iptables can't act.
Furthermore, the use of mysql.log is described as a performance killer, and I heard that it should be made obsolete in the next MySQL versions.

I would be really surprised if MySQL didn't have a mechanism to prevent such an attack, so I think I might have missed something, and I'm asking if anyone here could help me find a solution.
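
Added example, not part of the original post and not code from MySQL or fail2ban: a small Python detector for the "Access denied" burst quoted above, which also reports when the log line carries no client host, the situation the post describes. The function names, threshold and window are assumptions chosen for illustration, and the sample lines are constructed from the format quoted in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the post (not real log data).
SAMPLE_LOG = """\
080416 16:57:57 286051 Connect Access denied for the user:'root'@'' (using password: YES)
080416 16:57:58 286052 Connect Access denied for the user: 'root'@'' (using password: YES)
080416 16:57:59 286053 Connect Access denied for the user: 'root'@'' (using password: YES)
080416 16:58:01 286054 Connect Access denied for the user: 'root'@'' (using password: YES)
080416 17:30:00 286060 Connect Access denied for the user: 'app'@'10.0.0.5' (using password: YES)
"""

# Matches the line format shown in the post; "the" and ":" are optional so
# that other wordings of the same message are also accepted (assumption).
DENIED = re.compile(
    r"^(?P<ts>\d{6} \d{1,2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+Connect\s+"
    r"Access denied for (?:the )?user:?\s*'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_denied(line):
    """Return (timestamp, user, host) for a failed login line, else None."""
    m = DENIED.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%y%m%d %H:%M:%S"), m["user"], m["host"]

def find_bursts(lines, threshold=4, window=timedelta(seconds=10)):
    """Flag each (user, host) pair with >= threshold failures inside window."""
    recent = defaultdict(deque)   # (user, host) -> timestamps still in window
    alerts = {}
    for line in lines:
        event = parse_denied(line)
        if event is None:
            continue
        ts, user, host = event
        q = recent[(user, host)]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (user, host) not in alerts:
            # host_logged=False means the log alone cannot name the source;
            # the address has to come from the network layer instead.
            alerts[(user, host)] = {"first_alert": ts, "count": len(q),
                                    "host_logged": bool(host)}
    return alerts

if __name__ == "__main__":
    for key, info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(key, info)
```
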
