Preventing brute-force attacks against MySQL?
I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.
How can I stop this from happening?
For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?
I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)
Does anyone have any other ideas?
If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.
Firewall mysql port out. But this belongs to the serverfault realm, I believe.
The stupid bots are the ones that are constantly bashing themselves against your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.
If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.
Limit the number of unsuccessful requests a single host can make.
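One way to implement this per-host limit on the asker's FreeBSD/MySQL 5.x setup, as an added example that is not from the thread: a script that parses the MySQL error log for access-denied entries (MySQL 5.x only writes them when log_warnings is greater than 1), counts failures per source host in a sliding window, and emits the pfctl commands for a hypothetical pf table that a pf rule would then block on port 3306. The log lines, addresses and table name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MySQL 5.x error-log format (hosts are documentation addresses).
SAMPLE_LOG = """\
130401 10:00:01 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
130401 10:00:02 [Warning] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
130401 10:00:02 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
130401 10:00:03 [Warning] Access denied for user 'test'@'203.0.113.5' (using password: NO)
130401 10:00:09 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
130401 10:00:10 [Warning] Access denied for user 'app'@'198.51.100.7' (using password: YES)
130401 10:15:00 [Warning] Access denied for user 'app'@'198.51.100.7' (using password: YES)
130401 10:20:00 [Note] /usr/local/libexec/mysqld: ready for connections.
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_denied(lines):
    """Yield (timestamp, host) for each access-denied line; all other lines are skipped."""
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S"), m.group("host")

def offending_hosts(lines, max_failures=5, window_seconds=300):
    """Return the hosts that reached max_failures within any window_seconds span.

    A sliding window, not a lifetime total, so a legitimate client that mistypes
    a password a few times over the day is not blocked.
    """
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)   # host -> timestamps of recent failures, oldest first
    flagged = set()
    for ts, host in parse_denied(lines):
        recent = attempts[host]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.pop(0)
        if len(recent) >= max_failures:
            flagged.add(host)
    return flagged

def pf_table_commands(hosts, table="mysql_bruteforce"):
    """pfctl commands to add the hosts to a pf table (table name is hypothetical);
    a pf.conf rule such as 'block in quick proto tcp from <mysql_bruteforce> to any port 3306'
    would then drop their connections."""
    return [f"pfctl -t {table} -T add {h}" for h in sorted(hosts)]

if __name__ == "__main__":
    for cmd in pf_table_commands(offending_hosts(SAMPLE_LOG.splitlines())):
        print(cmd)
```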
I believe changing the port number from the default one (3306) to some other one doesn't improve the security but helps in most cases (at least a bit). Have you tried that in practice or only considered it?