Conexões Suspeitas ao Meu Banco de Dados x.x.x.x Não Podem Ser Resolvidas

1

Eu tenho algum conteúdo dinâmico no meu site que obtém dados de um banco de dados de um servidor MySQL remoto. Eu recentemente reconstruí esse servidor e vi alguma atividade estranha em meus logs. Eu procurei um par desses IPs e eles aparecem como chinês, e em fóruns de segurança, etc. Então, eu estou supondo que alguém está tentando forçar meu banco de dados.

Alguém pode sugerir como posso reforçar minha segurança aqui? Eu li a exposição de um banco de dados MySQL para a rede é um risco de segurança, mas os dados são atualizados semi regularmente nesse servidor e não posso configurar a replicação para o meu host para manter conexões locais (e, assim, fechar o meu MySQL portas no servidor remoto).

Eu tenho usuários específicos configurados para acesso remoto com acesso limitado e senhas strongs. Eu deveria estar fazendo algo diferente?

IP address '123.108.223.200' could not be resolved: The requested name is valid, but no data of the requested type was found.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '116.255.210.59' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '180.69.254.133' could not be resolved: No such host is known.
Host name 'WIN-4K2ASOOQOO9' could not be resolved: No such host is known.
Host name 'WIN-4K2ASOOQOO9' could not be resolved: No such host is known.
Hostname '142-118-74-198-dedicated.multacom.com' does not resolve to '198.74.118.142'.
Hostname '142-118-74-198-dedicated.multacom.com' has the following IP addresses:
- 204.13.152.7
IP address '182.84.98.165' could not be resolved: No such host is known.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
IP address '207.47.16.69' has been resolved to the host name '207.47.16.69.static.nextweb.net', which resembles IPv4-address itself.
Host name 'unassigned.psychz.net' could not be resolved: No such host is known.
IP address '112.175.66.51' could not be resolved: No such host is known.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
Host name 'IDC-A4333C3EFF4' could not be resolved: No such host is known.
Host name 'IDC-A4333C3EFF4' could not be resolved: No such host is known.
IP address '173.208.94.206' could not be resolved: No such host is known.
IP address '111.26.200.24' could not be resolved: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
    
por square_eyes 15.06.2014 / 09:31

1 resposta

2

A maneira canônica de bloquear um endereço IP específico é via iptables . No CentOS, esse seria o comando:

$ iptables -A INPUT -s 2.4.6.8 -j DROP

Em que 2.4.6.8 é o endereço IP do servidor que você bloqueia .

No entanto, eu sugiro bloquear por padrão todas conexões para a porta 3306 (MySQL) e permitir somente aqueles endereços que você espera (por exemplo, uma lista branca ):

$ iptables -N mysql
$ iptables -A mysql --src 1.2.3.4 -j ACCEPT
$ iptables -A mysql -j DROP
$ iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql

Em que 1.2.3.4 é o endereço IP do servidor que você deseja permitir .

Os comandos acima foram bastante adaptados de esta resposta SO .

    
por 15.06.2014 / 09:48

Tags