Values Not Saving When Adding 'From' IP

I have a global rule allowing MySQL traffic through to my MySQL server. This is configured with a port set with one port 3306 defined.

I have been getting a lot of hits from China IPs that Google shows as having been talked about regularly on other security forums. It looks like someone is trying to brute force MySQL.

I opened my global rule and tried to add a ‘From’ IP, which is a web server that makes the connection, in order to block these scumbags. However, when I enter the IPv4 address and click OK, the rule displays 255.255.255.255 in the summary. When I open it up it’s set to 255.255.255.255. This also happens in application rules.

Why won’t the IP I type in save properly?

Many thanks.

Any ideas? I’m under attack and either my understanding of how this feature should work is wrong or this is a serious bug. Either way I will probably have to look into an alternative if I can’t figure it out. Any help will be greatly appreciated.

I managed to get the IP to save… I had to type it in, copy paste was not inputting the IP properly. However, now that the ‘from’ IP is set, my web server can’t connect. Instead I get a popup on the MySQL server, as if I didn’t set the rule, asking me if I want the very same IP to connect. If I say yes, it makes a new, broad ‘allow all’ rule for the MySQL application.

This is very frustrating. It’s as if I haven’t configured anything. Can I not add the ‘from’ address in my port rule? I can add a second rule above the port rule with the IP white-list, but why give me the option to save a ‘from’ IP in the port rule if I have to make a second IP rule?

What’s your Firewall Alert frequency at? The higher it is the more detailed the rule creation will be.

Will check. You mean frequency affects the automatic rule created after I accept a popup? But I’m trying to manually configure a rule. This has got to be a bug. Otherwise it is a very poorly designed process/interface. At the very least it’s not intuitive at all.

Can I still access the previous version?

Comodo does have a lot of options and they can be a bit much at first. Also had that with typing it in, and if there is one character per block you have to add two zeros to make it right. Copy and paste would be GREAT in this case.

If your server is on the same IP as the attacking IP, how can that be?

Then what about MySQL, does it have specific ports to connect to over a specific protocol? FTP, UDP?

Perhaps with that info you can specifically make a rule for MySQL while keeping the attacker outside with filters.

Put the alerts up high and don’t use Create Rules For Safe Applications. Perhaps that will also give you more control over what connections MySQL actually has.

Can you post logs of the attacking events as well as the allow message that reverts the initial rule? Perhaps that can help?

I am not new to this but also kinda new. Firewall Questions for beginners | Wilders Security Forums helped me a lot. Just trying to help but please don’t take my info for 100% I am still learning…

If you go here https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers you can find the port used for MySQL, a starting point for rules allowing that traffic. 25565 MySQL Standard MySQL port.

If your server is on the same IP as the attacking IP, how can that be? - It’s not. I’m not sure how you got that impression.

I think you have gone off on a bit of a tangent… but I do appreciate the help as there’s not much else anyone else has to say :)

I’m not really a beginner, and I like a lot of options. But the new interface is illogical, and in cases, just seems to plain not work.

To help you understand my issue (and anyone else) I have one remaining problem.

  1. Saving a ‘From’ IP in my custom port application ‘allow in’ rule fails to act as I expect. When the connection is legitimately attempted from my webserver, it is blocked by Comodo and I get a popup asking me if I want to accept a connection from the IP (that I already allowed). If I accept that, it creates a new, broad application rule to allow all inbound from that IP. This is in addition to the rule I created, which locks down a port (to and from 3306) and specifies a ‘from’ IP, my web server. This is to block brute force attempts from unknown IPs.

I hope that has clarified my situation.

Either way I’m looking into competitors. Custom rules shouldn’t be this hard to administer. It was far simpler on the previous version in my opinion. And that wasn’t the best as it was.

Well Comodo Firewall is not a server grade firewall. And firewall alert frequency has always controlled the granularity of inspection to firewall traffic from simple IN/OUT direction to having fully qualified socket (IP:PORT).

If you’re looking to create detailed firewall rules you need to be running in custom policy mode and alert frequency of high.

“If you’re looking to create detailed firewall rules you need to be running in custom policy mode and alert frequency of high.”

OK will try that. And yes, I understand it’s not enterprise strength (my needs don’t require it). But it’s not unreasonable that one would expect features presented in the UI to function as they imply. i.e. If you allow me to set a from IP within a port rule, then I expect it to allow traffic over that port, from that IP, and no others.

I’ll take this to the bug section as no one has been able to show me that this is expected behaviour.

“If you’re looking to create detailed firewall rules you need to be running in custom policy mode and alert frequency of high.”

What I do now. Scared at first but now in control. You don’t need a hardware or server firewall, just turn off all the automatic settings in Comodo and do all the rules yourself. Also don’t forget to turn off “make rules for safe applications”.

Here you can find the different behaviour settings: Firewall Behavior Settings, PC Firewall, Firewall Protection | Internet Security v6.2. Also there is lots more info in those documents, I am sure if you have gone through some of them this issue will be solved.

All the best and please report back and perhaps give a detailed log of all your Firewall settings. Basically custom policy and high alerts should get you going.