Best thing would be to install fail2ban and try to do a little bit of iptables to harden it, but I guess fail2ban would be good. <div><br></div><div>:/Mohamed <span></span><br><br>On Monday, September 12, 2016, Dr Paulos Nyirenda <<a href="mailto:paulos@sdnp.org.mw">paulos@sdnp.org.mw</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
We are seeing an online attack on our server 196.45.188.25 in progress right now, they<br>
are targeting mysql services that we are running in relation to our .mw registry servers.<br>
<br>
The attack is being run from the following IP addresses which show as Turkey and Romania<br>
origins as shown in the whois.<br>
<br>
5.254.65.9<br>
212.253.62.5<br>
94.122.154.187<br>
<br>
Any ideas on how to prevent attacks on mysql 5.6 on Fedora 20 installations ?<br>
<br>
I can see what they want to modify but I have problems seeing how they got in or as what.<br>
<br>
I am copying this to the abuse contacts on these networks ... does this really work?<br>
<br>
Regards,<br>
<br>
Paulos<br>
======================<br>
Dr Paulos B Nyirenda<br>
<a href="http://NIC.MW" target="_blank">NIC.MW</a> & .mw ccTLD<br>
<a href="http://www.registrar.mw" target="_blank">http://www.registrar.mw</a><br>
<br>
<br>
<br>
[paulos@domwe ~]$ whois 94.122.154.187<br>
[Querying <a href="http://whois.arin.net" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" target="_blank">http://www.ripe.net/db/<wbr>support/db-terms-conditions.<wbr>pdf</a><br>
<br>
% Note: this output has been filtered.<br>
% To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '94.122.144.0 - 94.122.159.255'<br>
<br>
% Abuse contact for '94.122.144.0 - 94.122.159.255' is 'netadmins@dsmart.com.tr'<br>
<br>
inetnum: 94.122.144.0 - 94.122.159.255<br>
netname: DOL<br>
remarks: rev-srv: <a href="http://doldns01.dol.com.tr" target="_blank">doldns01.dol.com.tr</a><br>
remarks: rev-srv: <a href="http://doldns02.dol.com.tr" target="_blank">doldns02.dol.com.tr</a><br>
descr: DOL DATACENTER - VAE ADSL DYNAMIC<br>
country: TR<br>
admin-c: DOL22-RIPE<br>
tech-c: DOL22-RIPE<br>
status: ASSIGNED PA<br>
mnt-by: AS12978-MNT<br>
created: 2008-10-14T20:26:59Z<br>
last-modified: 2014-09-15T07:37:47Z<br>
source: RIPE<br>
remarks: rev-srv attribute deprecated by RIPE NCC on 02/09/2009<br>
<br>
role: DOL Network Services<br>
address: 100. Yil Mahallesi Melda Sk.<br>
address: Dogan TV Center, No:1 34204, Bagcilar - Istanbul<br>
phone: +90 212 3737800<br>
fax-no: +90 212 3802491<br>
admin-c: SA163-RIPE<br>
tech-c: EE278-RIPE<br>
nic-hdl: DOL22-RIPE<br>
mnt-by: AS12978-MNT<br>
mnt-by: TDTB-MNT<br>
created: 2003-10-16T09:25:39Z<br>
last-modified: 2016-05-27T16:00:07Z<br>
source: RIPE # Filtered<br>
<br>
% Information related to '<a href="http://94.122.144.0/20AS12978" target="_blank">94.122.144.0/20AS12978</a>'<br>
<br>
route: <a href="http://94.122.144.0/20" target="_blank">94.122.144.0/20</a><br>
descr: DOL<br>
origin: AS12978<br>
mnt-by: AS12978-Mnt<br>
created: 2014-01-24T08:55:37Z<br>
last-modified: 2014-01-24T08:55:37Z<br>
source: RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS )<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 212.253.62.5<br>
[Querying <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" target="_blank">http://www.ripe.net/db/<wbr>support/db-terms-conditions.<wbr>pdf</a><br>
<br>
% Note: this output has been filtered.<br>
% To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '212.253.56.0 - 212.253.63.255'<br>
<br>
% Abuse contact for '212.253.56.0 - 212.253.63.255' is 'abuse@superonline.net'<br>
<br>
inetnum: 212.253.56.0 - 212.253.63.255<br>
netname: SOLNET-3<br>
descr: TR-SOLNET-BB-VAE-ANADOLU<br>
country: TR<br>
admin-c: TNA13-RIPE<br>
tech-c: TNA13-RIPE<br>
status: ASSIGNED PA<br>
remarks: infra-aw<br>
mnt-by: MNT-TELLCOM<br>
created: 2011-04-18T13:49:00Z<br>
last-modified: 2013-12-19T21:17:13Z<br>
source: RIPE # Filtered<br>
<br>
role: Tellcom Network Admins<br>
address: Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394<br>
address: Esentepe/Sisli/ISTANBUL TURKEY<br>
phone: +90 850 222 4662<br>
fax-no: +90 850 222 4662<br>
admin-c: TK2426-RIPE<br>
tech-c: TK2426-RIPE<br>
nic-hdl: TNA13-RIPE<br>
remarks: ******************************<wbr>***************<br>
remarks: Please send spam and abuse notification only<br>
remarks: to abuse@superonline.net<br>
remarks: ******************************<wbr>***************<br>
abuse-mailbox: abuse@superonline.net<br>
mnt-by: MNT-TELLCOM<br>
created: 2007-08-06T06:35:11Z<br>
last-modified: 2016-03-15T09:39:06Z<br>
source: RIPE # Filtered<br>
<br>
% Information related to '<a href="http://212.253.32.0/19AS34984" target="_blank">212.253.32.0/19AS34984</a>'<br>
<br>
route: <a href="http://212.253.32.0/19" target="_blank">212.253.32.0/19</a><br>
descr: Tellcom ADSL<br>
origin: AS34984<br>
mnt-by: MNT-TELLCOM<br>
created: 2009-05-26T08:51:19Z<br>
last-modified: 2016-03-31T12:01:23Z<br>
source: RIPE # Filtered<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (DB-2)<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 5.254.65.9<br>
[Querying <a href="http://whois.arin.net" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" target="_blank">http://www.ripe.net/db/<wbr>support/db-terms-conditions.<wbr>pdf</a><br>
<br>
% Note: this output has been filtered.<br>
% To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '5.254.64.0 - 5.254.127.255'<br>
<br>
% Abuse contact for '5.254.64.0 - 5.254.127.255' is 'abuse@globalcitytel.com'<br>
<br>
inetnum: 5.254.64.0 - 5.254.127.255<br>
netname: Voxility<br>
descr: IPs used by the customers of <a href="http://voxility.com" target="_blank">voxility.com</a><br>
descr: Dimitrie Pompeiu 9-9A, Building 24<br>
descr: Bucharest 020335, Romania<br>
country: RO<br>
admin-c: VOX100-RIPE<br>
tech-c: VOX100-RIPE<br>
status: LIR-PARTITIONED PA<br>
mnt-by: GLOBALCITY-MNT<br>
mnt-lower: GLOBALCITY-MNT<br>
mnt-lower: VOXILITY-MNT<br>
mnt-routes: VOXILITY-MNT<br>
created: 2015-04-29T11:35:35Z<br>
last-modified: 2016-09-06T09:32:58Z<br>
source: RIPE<br>
<br>
person: Voxility NOC<br>
remarks: Team in Charge of Voxility Global IP<br>
remarks: Backbone Management<br>
remarks: Available 24/7 for routing issues and security incidents<br>
org: ORG-SVS8-RIPE<br>
address: Dimitrie Pompeiu 9-9A, Building 24<br>
address: Bucharest 020335, Romania<br>
remarks: noc@voxility.com<br>
abuse-mailbox: abuse@voxility.com<br>
remarks: +1.703-888-5811 (US)<br>
remarks: +49.69-957-98952 (Germany)<br>
remarks: +44 20-3355-1458 (UK)<br>
phone: +40212074774<br>
nic-hdl: VOX100-RIPE<br>
mnt-by: VOXILITY-MNT<br>
created: 2012-08-04T15:50:52Z<br>
last-modified: 2013-10-07T19:48:57Z<br>
source: RIPE # Filtered<br>
<br>
% Information related to '<a href="http://5.254.64.0/20AS3223" target="_blank">5.254.64.0/20AS3223</a>'<br>
<br>
route: <a href="http://5.254.64.0/20" target="_blank">5.254.64.0/20</a><br>
descr: <a href="http://voxility.net" target="_blank">voxility.net</a><br>
origin: AS3223<br>
mnt-by: VOXILITY-MNT<br>
created: 2016-01-20T16:03:15Z<br>
last-modified: 2016-01-20T16:03:15Z<br>
source: RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS)<br>
<br>
<br>
[paulos@domwe ~]$<br>
______________________________<wbr>_________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog" target="_blank">https://www.afnog.org/mailman/<wbr>listinfo/afnog</a><br>
</blockquote></div>
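<div>Added example, not part of the original thread: before setting fail2ban thresholds or iptables rules, the MySQL error log can show which sources are failing to log in and as which users. It assumes MySQL 5.6 is writing access-denied warnings to its error log (log_warnings=2); the function names, log lines and addresses are constructed for illustration.</div>

```shell
#!/bin/sh
# Added example: summarise failed MySQL logins per source address.
# Assumes MySQL 5.6 with log_warnings=2, which writes lines such as
#   <date> <time> <pid> [Warning] Access denied for user 'u'@'host' (using password: YES)
# to the error log; fail2ban's mysqld-auth filter keys on the same message.

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
2016-09-12 10:15:29 2211 [Note] /usr/libexec/mysqld: ready for connections.
2016-09-12 10:15:30 2211 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2016-09-12 10:15:31 2211 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2016-09-12 10:15:31 2211 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2016-09-12 10:15:33 2211 [Warning] Access denied for user 'registry'@'198.51.100.20' (using password: NO)
2016-09-12 10:15:44 2211 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
EOF
}

# Print "count source users-tried", busiest source first.
# The source is taken as the second-to-last quote-delimited field, so a
# quote inside the attempted user name cannot shift it.
denied_by_source() {
    awk -F"'" '
    /\[Warning\] Access denied for user / {
        ip = $(NF - 1); user = $2
        count[ip]++
        if (!((ip, user) in seen)) {
            seen[ip, user] = 1
            users[ip] = (users[ip] == "" ? user : users[ip] "," user)
        }
    }
    END { for (ip in count) print count[ip], ip, users[ip] }' "$@" |
        sort -k1,1nr -k2,2
}

# Sources with at least $1 failures: candidates for an iptables DROP rule,
# and roughly what a fail2ban jail with maxretry=$1 would ban (time window ignored).
offenders() {
    threshold=$1
    shift
    denied_by_source "$@" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

sample_log | denied_by_source
```

<div>Both functions also accept a log file path as an argument instead of standard input.</div>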