Lord Sauron wrote:
> Sorry to be a bit elementary, but if you're not colocating your box,
> and you don't often use SSH, you might want to consider disabling
> remote administrative things.

Of course - disable everything that you don't need. ESPECIALLY if it
is reachable over the network.

> All your Windoze "friend" will try to do is exploit MySQL to pop a DOS
> shell into your system.

How do you know?

> If you can't disable SSH for some reason, then limit MySQL access to
> localhost only.

I'd even suggest to make MySQL "skip-networking". If that's set
in my.cnf, MySQL won't be available via TCP over a network and
can only be reached over a Unix socket. Maybe that's what you
meant, but I just felt like adding that :)

> If you can, what I'd do is try and get the guy's MAC Address or
> something and then totally block that off.

How should *THAT* help? In 99.9999999999999999999999999999999% of
the time, the attacker won't be on the same subnet, and thus the
MAC isn't available.

You can try to block me, my MAC will be either 00:12:17:D4:21:D4
or 00:12:17:D4:21:D2. Just tell me where you blocked me using
my MAC and I'll see if I can still access.

Alexander Skwar
--
"But this one goes to eleven."
                -- Nigel Tufnel
--
gentoo-user@g.o mailing list
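
The difference between the two MySQL settings discussed above, as an added example that is not part of the original message: a small Python checker that reads my.cnf text and reports whether mysqld is reachable only over the Unix socket (skip-networking), over loopback TCP (bind-address on localhost), or over the network. The function names, result labels and sample configs are constructed for illustration; it assumes only the [mysqld] group matters, does not follow !include directives, and treats a missing bind-address as listening on all interfaces.

```python
# Added example: classify how mysqld is reachable, based on my.cnf text.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FALSY = {"0", "off", "false"}

def mysqld_options(cnf_text):
    """Return the [mysqld] options; a later setting overrides an earlier one."""
    opts, group = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("!"):
            continue  # blank line, comment, or !include (not followed here)
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group != "mysqld":
            continue
        name, sep, value = line.partition("=")
        # MySQL accepts '-' and '_' interchangeably in option names
        name = name.strip().lower().replace("_", "-")
        value = value.split("#", 1)[0].strip().strip("'\"")
        opts[name] = value if sep else None  # None: bare flag, no value
    return opts

def exposure(cnf_text):
    """Return 'socket-only', 'loopback-tcp' or 'network-tcp'."""
    opts = mysqld_options(cnf_text)
    if "skip-networking" in opts:
        v = opts["skip-networking"]
        if v is None or v.lower() not in FALSY:
            return "socket-only"  # no TCP listener at all
    bind = opts.get("bind-address")
    if bind and all(a.strip() in LOOPBACK for a in bind.split(",")):
        return "loopback-tcp"  # TCP listener, but only on localhost
    return "network-tcp"  # assumption: no bind-address means all interfaces

# Constructed sample configs
SAMPLE_SKIP = "[client]\nport = 3306\n\n[mysqld]\nbind-address = 0.0.0.0\nskip-networking\n"
SAMPLE_LOCAL = "[mysqld]\nbind_address = 127.0.0.1  # loopback only\n"
SAMPLE_OPEN = "[mysqld]\nskip_networking = OFF\nbind-address = 0.0.0.0\n"

if __name__ == "__main__":
    for label, cnf in (("skip", SAMPLE_SKIP), ("local", SAMPLE_LOCAL), ("open", SAMPLE_OPEN)):
        print(label, "->", exposure(cnf))
```

In the first sample skip-networking wins even though bind-address names all interfaces, which is why it is the stricter of the two settings.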