mysql vulnerability

faris

Guest
I've done a search and found nothing in the forum on this, so I hope I'm not duplicating effort.

It seems there's a mysql vulnerability of some sort out there that nobody knows much about:
http://news.zdnet.co.uk/0,39020330,39185529,00.htm

Now my main server is behind a firewall I have no control over, but which I know has worked very well in the past. However, it allows connections on port 3306 through.

What I want to do is, using iptables, insert a rule that blocks external access to port 3306 on my server *except* from a certain IP address (a particular customer who needs external mysql access).

iptables is something I've been wanting to get my head around for ages, but I've never got round to. I've found plenty of resources but don't have much time to digest them.

So could some generous person please post a quick-n-dirty "block external mysql access to everybody except x.x.x.x"

I'm going to start experimenting as I type this, but I'm half afraid I'll block mysql access locally or universally, which would be bad!

Faris.


## edited to add:

OK, well, here's what I think I need to do. Somebody please correct me if I'm wrong.

I decided to do things the "neat" way by creating a new chain called "sql".

iptables -N sql

Next, in the main INPUT chain, Insert (at top of chain) a rule to divert all packets for port 3306 into the sql chain:

iptables -I INPUT -p tcp --dport 3306 -j sql

Now, in the sql chain, insert (as first entry), a rule to deny everything

iptables -I sql -j DROP

Then Insert (at top) an entry to allow access from ip address X.X.X.X

iptables -I sql -s X.X.X.X -j ACCEPT

Thus the rule works like this:
Is it mysql? If yes, go to sql chain. If no, carry on processing through whatever rules you already have set up

If it is mysql:

Is it from X.X.X.X? If so, let it in.
If not, just drop it.

What I don't know at this stage is how local access to mysql is affected by these rules.

## Yet more editing:
I failed to notice that this particular vulnerability seems to be Windows only, not Linux. Still, it is best to secure all ports that don't need to be open to all, and I've learned a great deal about iptables, so it wasn't a wasted effort. However, I'm still curious to know if it is necessary to do something about local host access to port 3306. I've now implemented the above and tested it, and it seems to work. But I am wondering if I might need to add "iptables -I sql -i lo -j ACCEPT" or something along those lines?
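
The chain layout discussed in the post above, as an added example that is not part of the original post: it builds the sql chain with a loopback rule, the single allowed client and a final DROP, and only then hooks it into INPUT. The address 203.0.113.10, the DRY_RUN switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. 203.0.113.10 below is a
# constructed documentation address; DRY_RUN and the function names are
# hypothetical. DRY_RUN defaults to 1, so nothing changes until DRY_RUN=0.

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# valid_ipv4: accept only a dotted quad with four octets in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lock_down_mysql ALLOWED_IP: fill the chain first, hook it into INPUT last.
lock_down_mysql() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    run -N sql || run -F sql        # create the chain, or empty an old one
    run -A sql -i lo -j ACCEPT      # TCP to 127.0.0.1:3306 arrives on lo
    run -A sql -s "$1" -j ACCEPT    # the one permitted remote client
    run -A sql -j DROP              # everybody else
    # MySQL listens on TCP 3306. Adding the jump last means traffic is never
    # sent to a chain that has a DROP but no ACCEPT rules yet.
    run -I INPUT -p tcp --dport 3306 -j sql
}

# Usage: sh script.sh 203.0.113.10            (prints the plan)
#        DRY_RUN=0 sh script.sh 203.0.113.10  (applies it, as root)
if [ "$#" -gt 0 ]; then
    lock_down_mysql "$1"
fi
```

Clients that connect through the MySQL Unix socket never pass through netfilter, so the `-i lo` rule only matters for TCP connections to 127.0.0.1:3306. Applying the script twice inserts a second jump in INPUT; delete the old one first with `iptables -D INPUT -p tcp --dport 3306 -j sql`.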