How to Hide TiDB Telnet Probe Version

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 如何隐藏tidb telnet探测版本

| username: bryanz

【TiDB Usage Environment】Production Environment
【TiDB Version】v7.1.2
【Reproduction Path】
【Encountered Problem: Problem Phenomenon and Impact】How it affects the following versions
【Resource Configuration】
【Attachments: Screenshots/Logs/Monitoring】

| username: 小龙虾爱大龙虾 | Original post link

Try modifying the version system variable, just a guess.

| username: zhanggame1 | Original post link

Some advanced firewalls should be able to handle this technically; application software cannot solve this problem.

| username: changpeng75 | Original post link

A firewall probably won’t solve the issue either, because a firewall can’t determine whether a login has occurred. This functionality should be implemented by the software itself. However, it seems that MySQL doesn’t support this either.

| username: 有猫万事足 | Original post link

This is part of the MySQL handshake protocol.

It is even specifically emphasized as human-readable in the MySQL documentation.

So you either completely close this port (if TCP is open and can connect, a handshake will definitely occur), or change the version configuration to give it a fake one.

But I feel that if you don’t want to see it at all, the most direct and safest way is to simply not allow access to the machine that needs to access this port.
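To make the point above concrete: in the MySQL Protocol::HandshakeV10 greeting the server sends its version string in the clear, NUL-terminated, right after the one-byte protocol version and before any credential is exchanged, so anything that can open a TCP connection to port 4000 reads it. The block below is an added example for this thread, not TiDB or MySQL project code: it builds a constructed greeting (the version, connection id and salt bytes are made up for the demonstration), parses it the way a banner grabber would, and includes a `probe()` helper that reads a live server's greeting without attempting a login. TiDB exposes the string through the `server-version` item in its configuration file, which is the "fake version" several replies mention; note that changing it only alters what is disclosed, since the handshake itself still identifies a MySQL-compatible server.

```python
"""Parse the MySQL Protocol::HandshakeV10 greeting a server sends on connect.

Added example for this forum thread; not TiDB or MySQL project code.
The sample packet is constructed by hand: its version string, connection
id and salt bytes are not captured from a real server.
"""
import socket
import struct

CLIENT_PLUGIN_AUTH = 0x00080000  # capability bit: auth plugin name follows


def build_greeting(server_version: str, conn_id: int = 1234) -> bytes:
    """Build a constructed HandshakeV10 packet including the 4-byte header."""
    salt = bytes(range(1, 21))               # 20-byte auth-plugin-data (constructed)
    caps = 0x807FF7FF | CLIENT_PLUGIN_AUTH   # capability flags (constructed)
    body = (
        b"\x0a"                              # protocol version 10
        + server_version.encode() + b"\x00"  # human-readable server version, NUL-terminated
        + struct.pack("<I", conn_id)         # connection id
        + salt[:8] + b"\x00"                 # auth-plugin-data-part-1 + filler
        + struct.pack("<H", caps & 0xFFFF)   # capability flags, lower 16 bits
        + b"\x2d"                            # character set 45 (utf8mb4_general_ci)
        + struct.pack("<H", 0x0002)          # status flags (SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", caps >> 16)      # capability flags, upper 16 bits
        + bytes([len(salt) + 1])             # auth-plugin-data length incl. NUL
        + b"\x00" * 10                       # reserved
        + salt[8:] + b"\x00"                 # auth-plugin-data-part-2 (13 bytes incl. NUL)
        + b"mysql_native_password\x00"       # auth plugin name
    )
    header = struct.pack("<I", len(body))[:3] + b"\x00"  # 3-byte length + sequence id 0
    return header + body


def parse_greeting(packet: bytes) -> dict:
    """Decode the fields a probe learns before any credential is sent."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] != 0x0A:
        raise ValueError(f"unexpected protocol version {body[0]:#x}")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("utf-8", "replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                 # connection id, salt part 1, filler
    caps_lo = struct.unpack_from("<H", body, pos)[0]
    charset = body[pos + 2]
    status = struct.unpack_from("<H", body, pos + 3)[0]
    caps_hi = struct.unpack_from("<H", body, pos + 5)[0]
    caps = caps_lo | (caps_hi << 16)
    pos += 7
    plugin_len = body[pos]
    pos += 1 + 10                                    # length byte + reserved bytes
    pos += max(13, plugin_len - 8)                   # auth-plugin-data-part-2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode()
    return {
        "server_version": version,
        "connection_id": conn_id,
        "capabilities": caps,
        "charset": charset,
        "status": status,
        "auth_plugin": plugin,
        # A banner grabber needs nothing more than this substring check.
        "looks_like_tidb": "tidb" in version.lower(),
    }


def probe(host: str, port: int = 4000, timeout: float = 3.0) -> dict:
    """Connect to a real server and read its greeting; no login is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        length = int.from_bytes(header[:3], "little")
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return parse_greeting(header + body)


if __name__ == "__main__":
    # Default TiDB version format versus a string set via server-version.
    for v in ("5.7.25-TiDB-v7.1.2", "8.0.11"):
        print(parse_greeting(build_greeting(v)))
```

Running the module parses two constructed greetings, one carrying TiDB's default version format and one carrying a plain MySQL-style string; `probe("10.0.0.5")` against a real listener returns the same dictionary for whatever the server actually sends.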

| username: TiDBer_jYQINSnf | Original post link

Block unnecessary IPs from connecting to this port using a firewall.
Alternatively, set up a proxy in front that only allows proxy access to TiDB.
If neither of these options is feasible, you will have to modify the source code.

| username: TiDBer_jYQINSnf | Original post link

  1. Configure the firewall to block unnecessary IP access to port 4000.
  2. Place a proxy in front of TiDB, allowing only the proxy to access TiDB’s port.
  3. Modify the source code and compile it yourself.

| username: 啦啦啦啦啦 | Original post link

It’s easier to just change to a fake version.

| username: bryanz | Original post link

There’s no way around it; it has to be done externally. I see that for MySQL, you can only change it by modifying the source code.

| username: bryanz | Original post link

The main thing is not to let outsiders know that this is a database.

| username: zhanggame1 | Original post link

Except for unplugging the network cable, it’s not possible.

| username: xingzhenxiang | Original post link

Only allowing intranet connections should be fine. My database can’t connect to the external network either.

| username: dba远航 | Original post link

Use a firewall to block unauthorized IPs from accessing.

| username: 哈喽沃德 | Original post link

Just set up a whitelist on the operating system firewall, allowing only the application to access the database, and denying access from all other hosts.

| username: 这里介绍不了我 | Original post link

Under whitelist control

| username: 江湖故人 | Original post link

True or false, false or true, add a few more honeypots.

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.