denyhosts-like app for MySQLd?

[Jordi Espasa Clofent]

> I know it's not easy. but depending on your customers, you may have some 
> chances!
> - if they can buy a license for sqlyog, it will support sql tunnels 
> directly (otherwise, you need an external tunnel, which you can setup 
> with putty or whatever).

This option is, simply, impossible. We cannot "force" the final 
customers to adquire any kind of product.

> - it should not be hard to use an ssl tunnel (stunnel or whatever)

Mmmmm.... it means easier than ssh-tunneling (from customers pint of 
view). I have to investigate this method carefully.

> - you might be able to ask what IPs are supposed to get there. even if 
> it's not precise, this could reduce risks by only allowing few networks.

Yes. We already have done it, but the related problem is a lot of 
customers don't have static IPs.

> This is generally consider "security by obscurity". I don't think so. 
> This is making it harder for an attacker to get there without being 
> noticed. while a script kiddie can run his script to try a stand port, 
> if he wants to get inside a "local" port, he'll need to try many ports 
> and for each port try the right protocol. This gives us time to get him.

;)

-- 
Thanks,
Jordi Espasa Clofent