Archive for October, 2007

dangers about MySQL

Today, I was very angry because personal MySQL database was threatened by other body’s operations. At the end, I changed my personal MySQL settings at all. For example, the listening port, address, and unix socket and so on. Unfortunately, the gay didn’t admit his falsity. It was much worse that the gay is continuing to try to start the default MySQL service which was installed by OS. It’s crazy and foolish operation because global IP address will be binded with port 3306. As we know, it is one of the highly dangerous tcp ports.

Due to these above, I though it was my fault that I had installed the default mysql-server package via yum tool, which brought us all dangers. Too impatient to wait, I made the decision that uninstall the default mysql-server package immediately. Hope all dangers run away off our important server, basil and fennel.

According to my experiences, please allow me to give you some warning as follows.
1. if unnecessary, please remember that do not use mysql-server.
2. if necessary, please don’t forget to change the default settings.
3. global IP address and port 3306 must be forbidden to bind. try to bind localhost and not port 3306.
4. it’s a good idea to use unix socket instead of direct tcp connection in your applications. such as connecting your database server via “localhost:/path/mysql.sock”, because all latter versions of PHP 3.1.0 support this connection method, especially, when you’re using WordPress.

Good luck, please consider my advices. Thank you.


care your sshd’s settings

This is also a correlative topic about OS security, but it will focus on sshd’s settings. If your server has no highly secure requirements, please don’t mind of ignoring this topic. Otherwise, please follow me.

Firstly, change the binding port beyond 22 into other not odinary port, in order to escape from attacking port scanning.
Secondly, deny the permission of remote login directly as root user. We can via the general way that use “su -” to login as root after logining as personal username if you are necessary indeed.
Thirdly, frequently examine your system logs to ensure whether there are scanning or login tracks.
Furthermore, I just suggest you give a login allowable IP list to deny any other not permitted addresses. I think it’s the most secure method to your server.

Attempting to set for the second step, please make sure that there is the authentication setting like “PermitRootLogin no” in your sshd_config file.

Comments (4)