braindead0 (Tux's lil' helper)
Joined: 29 Apr 2003 Posts: 146 Location: Ohio
Posted: Wed May 18, 2005 4:59 pm Post subject: Opening up mysql port should I implement port knocking??
I'm going to need to open up the mysql port over the net; the mysql daemon is running under a limited user of course, and I do daily backups (of course).
That being said, the only client that will connect will be using a custom front-end application, which I could implement port knocking in, but I'm just debating the need...
Obviously, I'd harden my mysql users/passwords, etc. Just not sure how generally robust mysql is when it comes to hack attempts.
Thanks.
_________________
Poxart
toxicnaan (n00b)
Joined: 13 Nov 2004 Posts: 68
Posted: Wed May 18, 2005 7:07 pm Post subject: security
there are a few things you could try...
obviously port knocking is a good idea: you can't, say, run a buffer overflow attempt if you can't even connect to a mysql port.
selinux is fun.
also, compiling programs with grsecurity / pax can help you from being compromised.
running mysql even on a non-standard architecture: most buffer overflow attempts are for x86 (the most common platform). compile mysql on amiga or atari st, ..... (68000)..
if you have a fixed ip address for your client then you can use iptables to only allow it (watch out for ip spoofing).
using an ipsec tunnel, and binding your mysql to a private, non-internet-routable address.
put a firewall between your mysql box and the internet... use snort or a nids to look for suspicious activity.
use a honeypot system: run mysql on a non-standard port, redirect your standard mysql port to a honeypot system, keeps 'em busy while you can see what they are up to (irc!).
use a wrapper, and running mysql over ssl can be fun too.
use encryption to prevent on-the-wire sniffing (or for wireless, more so, off-the-wire sniffing).
but, in all security situations, layered security is the best: don't use just one security method, use some or even all.
at the end of the day, some software is just more prone to remote exploits than others. always subscribe to your products' security announcement lists, so you can patch software early. remember, if you're not subscribed, the script kiddies are watching...
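The port-knocking idea raised in both posts, worked through as an added example (not code from either poster): the server-side state machine that watches knocks on closed ports in front of the mysql port and only then allows a source to reach 3306. Knock ports, time windows and the iptables-style log lines are assumed or constructed values; a real daemon would hook this into the firewall rather than just track state.

```python
# Added example, not from the thread: server side of port knocking in front of
# MySQL, driven by iptables LOG lines. Knock ports, timings and log lines are
# assumed/constructed values; a real deployment would act on the firewall.
import re

KNOCK_SEQUENCE = (7000, 9000, 8000)  # non-monotonic so a sequential port scan does not match
WINDOW = 10.0      # max seconds between consecutive knocks
OPEN_FOR = 30.0    # seconds 3306 stays open to a source after a completed sequence
MYSQL_PORT = 3306
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

class KnockTracker:
    def __init__(self):
        self.progress = {}  # src_ip -> (knocks matched so far, time of last good knock)
        self.opened = {}    # src_ip -> time until which MYSQL_PORT is allowed

    def knock(self, src_ip, dst_port, now):
        """Feed one SYN to a closed port; True when the sequence just completed."""
        stage, last = self.progress.get(src_ip, (0, now))
        if stage and now - last > WINDOW:
            stage = 0                 # too slow: start over
        stage = stage + 1 if dst_port == KNOCK_SEQUENCE[stage] else 0  # wrong port resets
        if stage == len(KNOCK_SEQUENCE):
            self.progress.pop(src_ip, None)
            self.opened[src_ip] = now + OPEN_FOR
            return True
        self.progress[src_ip] = (stage, now)
        return False

    def allowed(self, src_ip, dst_port, now):
        """Would a connection from src_ip to dst_port be accepted at time now?"""
        return dst_port == MYSQL_PORT and self.opened.get(src_ip, 0.0) > now

def replay(log_lines):
    """Feed (timestamp, iptables LOG line) pairs to a fresh tracker and return it."""
    tracker = KnockTracker()
    for now, line in log_lines:
        m = LOG_RE.search(line)
        if m:
            tracker.knock(m.group("src"), int(m.group("dpt")), now)
    return tracker

# Constructed log: 192.0.2.10 knocks correctly; 198.51.100.7 scans 7000, 8000, 9000 in order.
SAMPLE_LOG = [
    (0.0, "IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=7000"),
    (1.0, "IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=7000"),
    (1.5, "IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=8000"),
    (2.0, "IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=9000"),
    (3.0, "IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=9000"),
    (5.0, "IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=8000"),
]
```

The custom front end only has to connect (and fail) to each port of the sequence in order before opening its real mysql connection; the scanner in the sample never gets 3306 opened because the sequence is not ascending.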