
Database Templates

Protection templates for database servers.

mysqld-auth

MySQL/MariaDB authentication failures.

| Setting   | Default                  |
|-----------|--------------------------|
| Port      | 3306                     |
| Log Path  | /var/log/mysql/error.log |
| Max Retry | 5                        |
| Find Time | 10 minutes               |
| Ban Time  | 1 hour                   |

Detected Patterns

Access denied for user 'username'@'192.168.1.100'

Log Path Options

| Server           | Default Path                    |
|------------------|---------------------------------|
| MySQL (Debian)   | /var/log/mysql/error.log        |
| MariaDB (Debian) | /var/log/mysql/error.log        |
| MySQL (RHEL)     | /var/log/mysqld.log             |
| MariaDB (RHEL)   | /var/log/mariadb/mariadb.log    |

Configuration Requirements

Ensure MySQL logs authentication failures:

# my.cnf
[mysqld]
log_error = /var/log/mysql/error.log
# log_warnings = 2 makes MariaDB and MySQL 5.x write "Access denied" failures
# to the error log. MySQL 8.0 removed log_warnings; use log_error_verbosity = 3
# there instead.
log_warnings = 2

mongodb-auth

MongoDB authentication failures.

| Setting   | Default                      |
|-----------|------------------------------|
| Port      | 27017                        |
| Log Path  | /var/log/mongodb/mongod.log  |
| Max Retry | 5                            |
| Find Time | 10 minutes                   |
| Ban Time  | 1 hour                       |

Detected Patterns

  • Authentication failed from client
  • Connection accepted (for rate limiting)
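The following is an added example, not code from the page or from fail2ban itself. It shows how the two detected patterns above (the MySQL/MariaDB "Access denied" line and the MongoDB "authentication failed ... from client" line) are turned into a ban decision by the Max Retry / Find Time settings listed for both templates: failures per source host are counted in a sliding window, and a host is banned once it reaches the retry limit inside that window. The regexes are written here from the page's patterns and are assumptions, not the stock filter.d definitions; the MongoDB regex targets the pre-4.4 text log format, and all log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regexes written for this example from the patterns the page lists; they are
# not fail2ban's own filter.d/mysqld-auth.conf or filter.d/mongodb-auth.conf.
FILTERS = {
    "mysqld-auth": re.compile(
        r"Access denied for user '[^']*'@'(?P<host>[^']+)'"),
    # Pre-4.4 MongoDB text log format. "Connection accepted" lines are only
    # useful for rate limiting and are deliberately not counted as failures.
    "mongodb-auth": re.compile(
        r"[Aa]uthentication failed .*?from client (?P<host>[0-9a-fA-F.:]+):\d+"),
}
# Leading timestamp of both formats: date, then a space or 'T', then time.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})")

# Constructed sample lines, not real server output (MariaDB/MySQL 5.7 style).
MYSQL_LINES = [
    "2024-01-15 09:00:00 11 [Warning] Access denied for user 'root'@'10.0.0.7' (using password: YES)",
    "2024-01-15 09:03:00 12 [Warning] Access denied for user 'root'@'10.0.0.7' (using password: YES)",
    "2024-01-15 09:05:00 0 [Note] InnoDB: Buffer pool(s) load completed",
    "2024-01-15 09:06:00 13 [Warning] Access denied for user 'root'@'10.0.0.7' (using password: YES)",
    "2024-01-15 09:09:00 14 [Warning] Access denied for user 'root'@'10.0.0.7' (using password: YES)",
    "2024-01-15 09:12:00 15 [Warning] Access denied for user 'root'@'10.0.0.7' (using password: YES)",
    "2024-01-15 10:00:00 21 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: YES)",
    "2024-01-15 10:01:00 22 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: YES)",
    "2024-01-15 10:02:00 23 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: NO)",
    "2024-01-15 10:02:30 24 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)",
    "2024-01-15 10:03:00 25 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: YES)",
    "2024-01-15 10:04:00 26 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: YES)",
    "2024-01-15 10:05:00 27 [Warning] Access denied for user 'admin'@'192.168.1.100' (using password: YES)",
]
# Constructed MongoDB lines in the pre-4.4 text format.
MONGO_LINES = [
    "2024-01-15T11:00:00.000+0000 I NETWORK  [listener] connection accepted from 203.0.113.9:51234 #12 (1 connection now open)",
    "2024-01-15T11:00:05.000+0000 I ACCESS   [conn12] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 203.0.113.9:51234 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch",
    "2024-01-15T11:00:30.000+0000 I ACCESS   [conn13] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 203.0.113.9:51240 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch",
    "2024-01-15T11:01:00.000+0000 I ACCESS   [conn14] SASL SCRAM-SHA-1 authentication failed for admin on admin from client 203.0.113.9:51251 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch",
]


def parse_line(jail, line):
    """Return (timestamp, host) when the line matches the jail's filter, else None."""
    m = FILTERS[jail].search(line)
    t = TIMESTAMP.match(line)
    if not m or not t:
        return None
    ts = datetime.strptime(f"{t.group(1)} {t.group(2)}", "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host")


def decide_bans(jail, lines, maxretry=5, findtime=600):
    """Replay chronologically ordered log lines through a findtime window
    (seconds, as fail2ban counts it) and return {host: time of ban decision}.
    A host is banned once it has maxretry failures within findtime."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)          # host -> timestamps of recent failures
    bans = {}
    for line in lines:
        parsed = parse_line(jail, line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans:               # already banned in this replay
            continue
        recent = hits[host]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside findtime
            recent.popleft()
        if len(recent) >= maxretry:
            bans[host] = ts
            recent.clear()
    return bans


if __name__ == "__main__":
    print("mysqld-auth defaults:", decide_bans("mysqld-auth", MYSQL_LINES))
    print("mongodb-auth defaults:", decide_bans("mongodb-auth", MONGO_LINES))
    print("mongodb-auth strict:",
          decide_bans("mongodb-auth", MONGO_LINES, maxretry=3, findtime=300))
```

With the page's defaults (5 retries in 10 minutes) 192.168.1.100 is banned at its fifth failure, while 10.0.0.7, which spreads five failures over twelve minutes, never has five inside the window and stays unbanned; this is the trade-off behind the stricter `findtime`/`maxretry` values recommended later for public databases. The three MongoDB failures only trigger a ban under those stricter settings.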

Log Path Options

| Setup    | Default Path                     |
|----------|----------------------------------|
| Standard | /var/log/mongodb/mongod.log      |
| Docker   | Container log streaming required |

Configuration Requirements

Enable authentication logging:

# mongod.conf
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true

security:
  authorization: enabled

Security Recommendations

Don't Expose to Internet

Databases should generally not be directly accessible from the internet:

  1. Firewall rules: Only allow trusted IPs
  2. VPN/SSH tunnel: Access via secure tunnel
  3. Bind to localhost: bind-address = 127.0.0.1 (MySQL/MariaDB; MongoDB uses net.bindIp in mongod.conf)

Use fail2ban as Second Layer

Even with proper network configuration, enable these jails, because they:

  • Catches internal network attacks
  • Protects against compromised hosts
  • Logs attack attempts for analysis

Strict Settings for Public Databases

If the database must be public (not recommended):

maxretry: 3
findtime: 5m
bantime: 24h
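As an added example (not part of the page), here is how the stricter values above map onto a fail2ban jail.local for both templates. It assumes the stock fail2ban filter names `mysqld-auth` and `mongodb-auth`, the Debian log paths from the tables above, and a placeholder management network in `ignoreip` that you must replace with your own.

```ini
# /etc/fail2ban/jail.local (added example; adjust paths to your distribution)
[DEFAULT]
# Placeholder: never ban your own management hosts or monitoring systems
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8

[mysqld-auth]
enabled  = true
port     = 3306
logpath  = /var/log/mysql/error.log
maxretry = 3
findtime = 5m
bantime  = 24h

[mongodb-auth]
enabled  = true
port     = 27017
logpath  = /var/log/mongodb/mongod.log
maxretry = 3
findtime = 5m
bantime  = 24h
```

Before relying on a jail, confirm the filter actually matches your server's log format with `fail2ban-regex /var/log/mysql/error.log mysqld-auth` (a MySQL 8.0 error log, for instance, has a different line layout than MariaDB), then check ban activity with `fail2ban-client status mysqld-auth`.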

Combine with Application Protection

Attackers may try:

  1. Direct database connection
  2. SQL injection via web app
  3. Credential stuffing

Enable both database jails AND web application jails.