# PF with Mysql & Payloads hack



## Gio01 (May 27, 2012)

On the server I have installed PF. But this firewall blocks connections made with the payloads? Since I'm living a nightmare in my server. There will be some person and who manage to enter the mysql server with payloads, without putting data and more. This is my configuration:

http://forums.freebsd.org/showpost.php?p=178574&postcount=1

Thank you for the help.


----------



## SirDice (May 29, 2012)

Don't allow access from the internet to your database server, period.

PF is not going to help you as it only works on layer 3/4. You want something above layer 7.


----------



## Gio01 (May 29, 2012)

Ah ok, and what is recommended to install on the server? Block all traffic outgoing server and accept only local traffic?


----------



## SirDice (May 29, 2012)

I've asked this before but we never got a decent answer, what exactly are you trying to protect against?


----------



## Gio01 (May 29, 2012)

MySQL server. The server in question is attacked by hackers.


----------



## SirDice (May 29, 2012)

Gio01 said:

> The server in question is attacked by Hackers.


How?

And read my first remark on post #2.


----------



## Gio01 (May 29, 2012)

I am sorry, my English is not good because I am from Italy and I don't know much. It is attacked with Metasploit payloads for MySQL made by blackhat. I am sure I can block but I don't know which product is good for me. Layer 7? What product do you recommend?


----------



## SirDice (May 29, 2012)

There are currently no known vulnerabilities with MySQL.

In any case, this will solve your problem:

```
block in from any to any port 3306
```


----------



## Gio01 (May 29, 2012)

Ok, but that will block all traffic, including the local one? Why does the MySQL server work well at times on some external IP to receive queries and information?


----------



## SirDice (May 29, 2012)

Gio01 said:

> Why does the MySQL server work well at times on some external IP to receive queries and information?


Don't allow access to your database from the internet.


----------



## Gio01 (May 29, 2012)

My current rules are: 

```
Root@localhost
root@Ip
```
just

```
Root@%   locked
```


----------



## SirDice (May 29, 2012)

Those aren't rules, those are accounts on your database. It's no wonder you keep getting hacked.

I highly recommend NOT using the root account. Create a normal account with just enough privileges to access the data it needs.

As for access from the internet, in /etc/rc.conf:

```
mysql_enable="YES"
mysql_args="--bind-address=127.0.0.1"
```
And restart MySQL.


----------
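
Added example, not part of the thread: one way to confirm that the `--bind-address=127.0.0.1` setting from the post above took effect is to check the `sockstat` listener lines for port 3306. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag MySQL listeners that are not
# bound to loopback. Input: FreeBSD `sockstat -4 -6 -l` lines, i.e.
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

MYSQL_PORT=3306

# Print the local address of each TCP listener on $MYSQL_PORT whose bind
# address is not loopback (127.0.0.0/8 or ::1). Reads lines on stdin.
exposed_mysql_listeners() {
    awk -v port="$MYSQL_PORT" '
        $5 ~ /^tcp/ {
            addr = $6
            n = split(addr, parts, ":")
            if (parts[n] != port) next            # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print addr                            # wildcard or routable address
        }'
}

# Exit status 0 when nothing is exposed, 1 otherwise.
check_mysql_binding() {
    exposed=$(exposed_mysql_listeners)
    if [ -n "$exposed" ]; then
        echo "EXPOSED: port $MYSQL_PORT is listening on:"
        echo "$exposed" | sed 's/^/  /'
        return 1
    fi
    echo "OK: port $MYSQL_PORT is loopback-only or not listening"
}

# Constructed sample: default bind address, reachable on every interface.
SAMPLE_BEFORE='USER  COMMAND  PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
mysql mysqld   1201  10 tcp4   *:3306          *:*
root  sshd     812   4  tcp4   *:22            *:*'

# Constructed sample: after mysql_args="--bind-address=127.0.0.1".
SAMPLE_AFTER='USER  COMMAND  PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
mysql mysqld   1340  10 tcp4   127.0.0.1:3306  *:*
root  sshd     812   4  tcp4   *:22            *:*'

printf '%s\n' "$SAMPLE_BEFORE" | check_mysql_binding || true
printf '%s\n' "$SAMPLE_AFTER" | check_mysql_binding
# On the server itself: sockstat -4 -6 -l | check_mysql_binding
```

A listener on `*:3306` or on a routable address means the daemon is still reachable from the network unless a PF rule blocks the port.

----------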



## Gio01 (May 29, 2012)

Yes, I have a different configuration for user. I have forgotten to set up my.cnf. I will tell you if it fixes my issue.
Thank you.
EDIT:

I put what you said. But to listen to only a certain IP I should enter always: 

```
mysql_args="--bind-address=ip"
```
?


----------



## Deleted member 30996 (Jun 2, 2012)

Gio01 said:

> I am sorry, my English is not good because I am from Italy and I don't know much. It is attacked with Metasploit payloads for MySQL made by blackhat. I am sure I can block but I don't know which product is good for me. Layer 7? What product do you recommend?



If you can put another box in front of your server pfSense is very nice.

It's free and will run great on an old box if you happen to have one.


----------



## Gio01 (Jun 14, 2012)

Hello, the bug is discovered: http://www.ehackingnews.com/2012/06/critical-security-vulnerability-in.html

This I have.


----------



## SirDice (Jun 15, 2012)

As far as I know MySQL on FreeBSD isn't vulnerable. Besides, the patched version has been in the ports for quite some time.


----------

