Keith Palmer Jr.

Reputation: 27982

Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.

How can I stop this from happening?

For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?

I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

Does anyone have any other ideas?

If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.

Upvotes: 5

Views: 2527

Answers (4)

bobince

Reputation: 536567

> I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)

The stupid bots are the ones that are constantly bashing themselves against your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.

If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.

Upvotes: 2

Grzegorz Oledzki

Reputation: 24271

I believe changing the port number from the default one (3306) to some other doesn't improve the security but helps in most cases (at least a bit). Have you tried that in practice or only considered it?

Upvotes: 0

Michael Krelin - hacker

Reputation: 143229

Firewall mysql port out. But this belongs to the serverfault realm, I believe.

Upvotes: 4

Citizen

Reputation: 12957

Limit the number of unsuccessful requests a single host can make.

Upvotes: 0
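One way to apply the per-host limit suggested in the last answer, in the spirit of denyhosts, is to count failed logins per source address inside a sliding time window. This is an added example, not code from any of the posters; it assumes the server writes failed logins to a log in the format of the constructed sample lines below, and `hosts_to_block` and its thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed log format, documentation-range IPs).
SAMPLE_LOG = """\
090612 10:00:01 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
090612 10:00:03 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
090612 10:00:04 [Warning] Access denied for user 'app'@'198.51.100.20' (using password: YES)
090612 10:00:06 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
090612 10:05:30 [Warning] Access denied for user 'app'@'198.51.100.20' (using password: YES)
090612 10:15:00 [Note] /usr/local/libexec/mysqld: ready for connections.
090612 10:20:10 [Warning] Access denied for user 'app'@'198.51.100.20' (using password: YES)
"""

# Timestamp, then the client host from the 'user'@'host' pair.
DENIED = re.compile(
    r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2}) .*Access denied for user '[^']*'@'([^']+)'"
)

def hosts_to_block(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return hosts with >= max_failures denied logins inside one window,
    in the order they first crossed the threshold."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue              # unrelated log line
        # Collapse padding so " 9:00:01" and "10:00:01" parse the same way.
        ts = datetime.strptime(" ".join(m.group(1).split()), "%y%m%d %H:%M:%S")
        host = m.group(2)
        q = recent[host]
        q.append(ts)
        # Forget failures that fell out of the window: an occasional typo
        # by a legitimate client must not add up to a block over time.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and host not in flagged:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG.splitlines()))
```

The returned addresses are the candidates for a firewall deny rule; the host with three failures spread over twenty minutes is left alone.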
