Question

I noticed on one of my MySQL servers that a remote attacker tried around 2000 login attempts in one night using the 'root' and 'admin' usernames against the 'mysql' system database. Luckily, I had set up MySQL's query log to a file for monitoring purposes, and the passwords were difficult.

My database server survived that attack, even though it received almost one login attempt per second during the off-hours (at night).

There were around 10 different IPs with the same attack behaviour, most of them having a 'good reputation' in blacklist checks.

In this case, changing the database password may not be a good protective idea.

Is there a way to discourage such misbehaviour? For example, if there are about 5 wrong login attempts in a short time, deny them service?

How do MySQL experts handle this attack when the MySQL port is open for remote login? A lot of servers might be facing this kind of silent login attempt.


Solution

I recommend Fail2Ban. This is a script that watches log files for patterns (e.g. failed logins) and then creates a firewall rule to prevent that IP from accessing your server. You can configure how many failed logins are necessary and for how long access should be denied before the firewall rule is removed.

With fail2ban you can also watch SSH logins, mail accounts or even your own web application's log file for malicious logins/behaviour.

As a general hint: rename your root/admin account to something else so that these attempts will never succeed anyway, and change the public MySQL port of your server (both of which are just obscurity, not real security). You should also disable remote login for accounts (which is security).
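To make the threshold logic concrete (maxretry failures from one IP within findtime, which is what a fail2ban jail counts), here is a small Python scanner added for this answer; it is not fail2ban's own code and in production you would use fail2ban's shipped MySQL filter instead. It assumes the MySQL error-log line format shown in the constructed sample and that the log is in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# An "Access denied" line as MySQL writes it to the error log. Format
# assumed from 5.7/8.0-style timestamps; 8.0 may add an error code and
# subsystem tag before the message, which the lazy ".*?" tolerates.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"
)

def find_brute_forcers(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_threshold_reached} for every source IP with
    maxretry failed logins inside a sliding findtime window (the same
    maxretry/findtime semantics a fail2ban jail applies)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if not m:
            continue              # not an auth failure
        ip = m.group("ip")
        if ip in banned:
            continue              # decision already made for this IP
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample: 203.0.113.5 hammers root five times in five seconds,
# 198.51.100.7 fails three times spread over an hour (below threshold).
SAMPLE_LOG = """\
2024-05-01T02:00:00.000000Z 11 [Note] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2024-05-01T02:10:01.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T02:10:02.000000Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T02:10:03.000000Z 17 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2024-05-01T02:10:04.000000Z 18 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T02:10:05.000000Z 19 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T02:10:06.000000Z 20 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T02:30:00.000000Z 21 [Note] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2024-05-01T03:00:00.000000Z 22 [Note] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
""".splitlines()

def scan_sample():
    return find_brute_forcers(SAMPLE_LOG)
```

Running `scan_sample()` flags only 203.0.113.5, at the fifth failure (02:10:05); the slow, spread-out failures from 198.51.100.7 never fill a 10-minute window and would need a longer findtime to be caught.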

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow