
mysql vulnerability

Discussion in 'Plesk for Linux - 8.x and Older' started by faris, Jan 27, 2005.

  1. faris

    faris Guest

    I've done a search and found nothing in the forum on this, so I hope I'm not duplicating effort.

    It seems there's a mysql vulnerability of some sort out there that nobody knows much about:

    Now my main server is behind a firewall I have no control over, but which I know has worked very well in the past. However, it allows connections on port 3306 through.

    What I want to do is, using iptables, insert a rule that blocks external access to port 3306 on my server *except* from a certain IP address ( a particular customer who needs external mysql access).

    iptables is something I've been wanting to get my head around for ages, but I've never got round to. I've found plenty of resources but don't have much time to digest them.

    So could some generous person please post a quick-n-dirty "block external mysql access to everybody except x.x.x.x"

    I'm going to start experimenting as I type this, but I'm half afraid I'll block mysql access locally or universally, which would be bad!


    ## edited to add:

    OK, well, here's what I think I need to do. Somebody please correct me if I'm wrong.

    I decided to do things the "neat" way by creating a new chain called "sql".

    iptables -N sql

    Next, in the main INPUT chain, Insert (at top of chain) a rule to divert all packets for port 3306 into the sql chain:

    iptables -I INPUT -p tcp --dport 3306 -j sql

    Now, in the sql chain, insert (as the first entry) a rule to deny everything:

    iptables -I sql -j DROP

    Then insert (at top) an entry to allow access from IP address X.X.X.X:

    iptables -I sql -s X.X.X.X -j ACCEPT

    Thus the rule works like this:
    Is it mysql? If yes, go to sql chain. If no, carry on processing through whatever rules you already have set up

    If it is mysql:

    Is it from X.X.X.X? If so, let it in.
    If not, just drop it.

    What I don't know at this stage is how local access to mysql is affected by these rules.

    ## Yet more editing:
    I failed to notice that this particular vulnerability seems to be Windows only, not Linux. Still, it is best to secure all ports that don't need to be open to all, and I've learned a great deal about iptables, so it wasn't a wasted effort. However, I'm still curious to know if it is necessary to do something about local host access to port 3306. I've now implemented the above and tested it, and it seems to work. But I am wondering if I might need to add "iptables -I sql -i lo -j ACCEPT" or something along those lines?
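The script below is an added example, not code from faris or from the thread. It sets up the same dedicated "sql" chain described in the post, but written the way a firewall administrator would keep it in a file and re-run it: MySQL client connections are TCP, so the INPUT jump matches `-p tcp`; an explicit ACCEPT for the loopback interface is placed first, because a local client that connects to 127.0.0.1:3306 does traverse the INPUT chain on `lo` and would otherwise hit the final DROP (clients that use the MySQL Unix socket never pass through iptables and are unaffected either way); and the script flushes the chain and adds the INPUT jump only once, so running it twice does not stack duplicate rules. It assumes an iptables that supports the `-C` (check) option, which is available from iptables 1.4.11 on, and uses 203.0.113.10 as a constructed placeholder for the customer's address. `IPT` can be overridden with a stub so the rule set can be reviewed without root and without touching the live firewall.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a dedicated "sql"
# chain for MySQL (TCP 3306) that allows loopback and one external address
# and drops everything else. Safe to re-run. Assumes iptables >= 1.4.11 (-C).
# 203.0.113.10 is a constructed placeholder for the customer's IP address.
set -eu

# Command used for every rule change. Override it with a stub
# (e.g. IPT=echo) to dry-run without root and without touching the firewall.
IPT="${IPT:-iptables}"

MYSQL_PORT=3306

# build_sql_chain ALLOWED_IP
build_sql_chain() {
    allowed_ip="$1"

    # Create the chain on first run; ignore the error if it already exists.
    $IPT -N sql 2>/dev/null || true
    # Flush so a second run does not accumulate duplicate rules.
    $IPT -F sql

    # Rules are appended (-A), so they are listed here in evaluation order.
    $IPT -A sql -i lo -j ACCEPT                 # local clients via 127.0.0.1
    $IPT -A sql -s "$allowed_ip" -j ACCEPT      # the one external customer
    $IPT -A sql -j DROP                         # everyone else

    # Divert TCP traffic for the MySQL port into the chain, at the top of
    # INPUT so it is evaluated before any existing ACCEPT rules. Add the
    # jump only if it is not already present.
    if ! $IPT -C INPUT -p tcp --dport "$MYSQL_PORT" -j sql 2>/dev/null; then
        $IPT -I INPUT -p tcp --dport "$MYSQL_PORT" -j sql
    fi
}

# Returns 0 when the INPUT jump into the sql chain is in place.
sql_chain_active() {
    $IPT -C INPUT -p tcp --dport "$MYSQL_PORT" -j sql 2>/dev/null
}

# Print the chain with packet counters and rule numbers, for verification:
# after a test connection from the customer, its ACCEPT counter should
# increase; a connection from anywhere else should raise the DROP counter.
show_sql_chain() {
    $IPT -L sql -n -v --line-numbers
}

# Usage: sh mysql-chain.sh apply 203.0.113.10   |   sh mysql-chain.sh show
case "${1:-}" in
    apply) build_sql_chain "${2:?usage: $0 apply ALLOWED_IP}" ;;
    show)  show_sql_chain ;;
esac
```

Run it once with `IPT=echo sh mysql-chain.sh apply 203.0.113.10` to see the exact commands it would issue, then without the override as root to apply them. Because the chain is flushed and rebuilt on every run, changing the allowed address is just a matter of running `apply` again with the new value.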