PF with Mysql & Payloads hack

[Gio01]

On the server I have installed PF. But this firewall blocks connections made ​​with the payloads? Since I'm living a nightmare in my server. There will be some person and who manage to enter the mysql server with payloads, without putting data and more. This is my configuration:

http://forums.freebsd.org/showpost.php?p=178574&postcount=1

Thank you for the help.

 

[SirDice]

Don't allow access from the internet to your database server, period.

PF is not going to help you as it only works on layer 3/4. You want something above layer 7.

 

[Gio01]

Ah ok, and what is recommended to install on the server? Block all traffic outgoing server and accept only local traffic?

 

[SirDice]

I've asked this before but we never got a decent answer, what exactly are you trying to protect against?

 

[Gio01]

MySQL server. The server in question is attacked by hackers.

 

[SirDice]

The server in question is attacked by Hackers.

How?

And read my first remark on post #2.

 

[Gio01]

I am sorry, my English is not good because I am from Italy and I don't know much. It is attacked with payloads metasploit for MySQL made by blackhat. I am sure I can block but I don't know which product is good for me. Layer 7? What product do you reccommend?

 

[SirDice]

There are currently no known vulnerabilities with MySQL.

In any case, this will solve your problem:

block in from any to any port 3306

 

[Gio01]

Ok, but that will block all traffic, including the local one? Why does the MySQL server work well at times on some external IP to receive queries and information?

 

[SirDice]

Why the mysql server works well at times on some external ip to receive queries and information.

Don't allow access to your database from the internet.

 

[Gio01]

My current rules are:

Root@localhost
root@Ip

just

Root@%   locked

 

[SirDice]

Those aren't rules, those are accounts on your database. It's no wonder you keep getting hacked.

I highly recommend NOT using the root account. Create a normal account with just enough privileges to access the data it needs.

As for access from the internet, in /etc/rc.conf:

mysql_enable="YES"
mysql_args="--bind-address=127.0.0.1"

And restart MySQL.

 

[Gio01]

Yes, I have a different configuration for user. I have forgotten to set up my.cnf. I told you if it fixes my issue.
Thank you.
EDIT:

I put what you said. But to listen to only a certain IP I should enter always:

mysql_args = "- bind-address = ip"

?

 

[Deleted member 30996]

I am sorry, my English is not good because I am from Italy and I don't know much. It is attacked with payloads metasploit for MySQL made by blackhat. I am sure I can block but I don't know which product is good for me. Layer 7? What product do you reccommend?

If you can put another box in front of your server pfSense is very nice.

It's free and will run great on an old box if you happen to have one.

 

[Gio01]

Hello, the bug is discovered: http://www.ehackingnews.com/2012/06/critical-security-vulnerability-in.html

This I have.

 

[SirDice]

As far as I know MySQL on FreeBSD isn't vulnerable. Besides, the patched version has been in the ports for quite some time.