我需要为 MySQLd 打开网络,但每次我这样做时,服务器都会被强制遗忘。一些平均密码猜测脚本开始在服务器上敲击,在端口 3306 上打开连接并永远尝试随机密码。
我怎样才能阻止这种情况发生?
对于 SSH,我使用拒绝主机,效果很好。有没有办法让拒绝主机与 MySQLd 一起工作?
我也考虑过更改 MySQL 运行的端口,但这并不理想,只是一个权宜之计(如果他们发现新端口怎么办?)
有没有人有任何其他想法?
如果它有所不同,我在 FreeBSD 6.x 上运行 MySQL 5.x。
问问题
2219 次
4 回答
4
防火墙mysql端口出。但这属于服务器故障领域,我相信。
于 2009-09-22T19:26:05.013 回答
2
I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)
The stupid bots are the ones that are constantly bashing themselves aginst your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.
If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.
于 2009-09-22T19:58:10.953 回答
0
限制单个主机可以发出的不成功请求的数量。
于 2009-09-22T19:24:13.817 回答
0
我相信将端口号从默认端口号 (3306) 更改为其他端口号不会提高安全性,但在大多数情况下会有所帮助(至少有一点)。您是否在实践中尝试过或仅考虑过?
于 2009-09-22T19:26:34.357 回答