mysql security logging

If you have people connecting to mysql, you have already seriously messed up. You need to change your firewall settings to make sure that only trusted hosts can connect and no one else.

An attacker could easily summon a botnet of 1,000,000 in size to brute force your mysql server. You need a whitelist approach to this problem.


An option is to set up OSSEC (Host-Based Intrusion Detection System):

The default mysql ruleset includes checking for:

rule-id-50105 Database authentication success.

rule-id-50106 Database authentication failure.

rule-id-50107 Database query.

rule-id-50108 User disconnected from database.

rule-id-50120 Database shutdown message.

rule-id-50121 Database startup message.

rule-id-50125 Database error.

rule-id-50126 Database fatal error.

rule-id-50180 Multiple database errors.

http://www.ossec.net/doc/rules/rules/50_mysql_rules.xml.html

The alerts provide some of the information you want (e.g. timestamp, datetime, username). You can also easily create your own OSSEC rules to capture more details or to create complex rules and actions.
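A custom rule of the kind the answer mentions, as an added example that is not part of the original post: it chains on OSSEC's stock rule 50106 (database authentication failure) to raise a higher-severity alert when failures repeat within a short window, which is the brute-force pattern the first answer worries about. The rule id 100100, the level, the frequency/timeframe thresholds and the assumption that the OSSEC agent is already reading the MySQL error log (so that 50106 fires at all) are my choices, not anything from the page.

```xml
<!-- Added example for local_rules.xml; not from the original post.
     Assumes the OSSEC agent already monitors the MySQL error log via a
     <localfile> entry, so the stock rule 50106 fires on "Access denied".
     Rule id 100100 is taken from the 100000+ range OSSEC reserves for
     local rules; level, frequency and timeframe are assumed values. -->
<group name="local,mysql,">

  <!-- Fire when 50106 has matched 6 times within 120 seconds. -->
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_sid>50106</if_matched_sid>
    <!-- Correlate per client. This only works if the mysql decoder in
         use populates srcip; if it does not, delete this line and the
         rule counts failures from any source instead. -->
    <same_source_ip />
    <description>MySQL: repeated authentication failures from one source (possible brute force).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Because the rule is defined by id, it can be referenced from an active-response block in ossec.conf (for example the built-in firewall-drop command) to block the offending host for a period, which complements the firewall whitelist the first answer recommends rather than replacing it.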