Mailinglist Archive: opensuse (5130 mails)
Intrusion attempts and hosts.deny/hosts.allow
- From: Peter Sutter <sutterp@xxxxxxxxxxxx>
- Date: Fri, 19 May 2006 00:10:40 +0800
- Message-id: <200605190010.40745.sutterp@xxxxxxxxxxxx>
There is some hacker from the outside world trying to get into
mysql. I have ALL : ALL in hosts.deny with specific hosts listed
in hosts.allow.
The guy uses some automated script trying to connect to the mysql
server. The ALL : ALL in hosts.deny results in an entry to the
system log for each failed connection attempt, filling my system
log quite rapidly.
I tried to slow things a bit down by listing him in /hosts.allow
with
ALL : 219.156.0.0/16 : twist /bin/echo -e "\n\rAccess from %h declined\n\rGo away\n\r"; sleep 100
this works perfectly with attacks on the ssh port, but with mysql it
does not work, I get rather a second error message for each
connection attempt:
May 18 23:40:50 basilisk mysqld[26613]: error: /etc/hosts.allow, line 614: twist option in resident process
and also has the rather annoying side effect of being unable to
start/restart mysql unless the sleep 100 in the twist has expired.
Questions: Why can I feed the hacker with some bullshit with ssh,
but not with mysqld?
What else can I do to stop the log growing too big too fast without
losing the information of these intrusion attempts?
Peter