MySQL · PostgreSQL · MongoDB · Redis

Database security:
detect exposed ports & brute force

Thousands of databases are publicly accessible right now. Attackers scan for open ports 24/7 and launch brute force attacks within minutes. Defensia detects exposed ports and monitors authentication failures in real time.

Get Started Free View on GitHub

What happens when MySQL 3306 is on 0.0.0.0

Within hours of exposing a database port, automated scanners find it. This is what real attack logs look like:

03:14:22Access denied for user 'root'@'185.224.128.xx' (using password: YES)

03:14:23Access denied for user 'admin'@'185.224.128.xx' (using password: YES)

03:14:24Access denied for user 'mysql'@'185.224.128.xx' (using password: YES)

03:14:25Access denied for user 'test'@'185.224.128.xx' (using password: YES)

03:14:26Access denied for user 'db'@'185.224.128.xx' (using password: YES)

03:14:27Access denied for user 'root'@'92.118.36.xx' (using password: YES)

03:14:28FATAL: password authentication failed for user "postgres" (client: 45.33.xx.xx)

03:14:29Authentication failed from client 103.205.xx.xx on database admin

These are real patterns from production servers. Attackers try common usernames (root, admin, mysql, test) with dictionary passwords — thousands of attempts per hour.

Port exposure detection at startup

The Defensia agent scans critical database ports the moment it starts and alerts you if any are publicly accessible.

3306

MySQL / MariaDB

Default MySQL port. Most attacked database port on the internet. Credential stuffing and empty-password exploits.

5432

PostgreSQL

Default PostgreSQL port. Attackers target trust authentication and weak pg_hba.conf configurations.

27017

MongoDB

Default MongoDB port. Thousands of exposed instances with no authentication — ransomware target.

6379

Redis

Default Redis port. No authentication by default. Attackers write SSH keys or cron jobs for RCE.

If any of these ports are bound to 0.0.0.0 instead of 127.0.0.1, Defensia creates a security advisory in your dashboard with remediation steps.

What Defensia detects

The agent monitors database authentication logs and detects brute force patterns in real time.

DatabasePatternLog source
MySQLAccess denied for user (brute force)mysqld.log / syslog
MySQLHost blocked after too many connectionsmysqld.log / error.log
MySQLAborted connection (protocol mismatch)mysqld.log
PostgreSQLFATAL: password authentication failedpostgresql.log
PostgreSQLFATAL: no pg_hba.conf entry for hostpostgresql.log
PostgreSQLConnection from untrusted IP rejectedpostgresql.log
MongoDBAuthentication failed on databasemongod.log
MongoDBUnauthorized connection attemptmongod.log

Supported databases

Full log monitoring for the most common databases, plus port exposure detection for all.

FULL PROTECTION

MySQL / MariaDB

Full auth log monitoring, brute force detection, and automatic IP blocking after repeated failures.

Port 3306
FULL PROTECTION

PostgreSQL

Monitors pg authentication logs. Detects password failures, rejected hosts, and trust misconfiguration.

Port 5432
FULL PROTECTION

MongoDB

Monitors mongod auth logs. Detects failed authentication and unauthorized connection attempts.

Port 27017
PORT CHECK

Redis

Port exposure detection and advisory. Alerts if Redis is bound to 0.0.0.0 without authentication.

Port 6379

How it works

Install the agent and database protection starts automatically. No configuration needed.

1

Install the agent

One command. The agent installs as a systemd service and starts immediately.

2

Port scan on startup

Defensia checks ports 3306, 5432, 27017, and 6379. If any are bound to 0.0.0.0, you get an advisory alert.

3

Auto-detect database logs

The agent locates MySQL, PostgreSQL, and MongoDB log files automatically. No configuration required.

4

Monitor and protect

Failed authentication attempts are detected in real time. Repeat offenders are blocked via iptables/nftables.

5

Dashboard visibility

All events appear in your Defensia dashboard — attack timelines, blocked IPs, and port exposure advisories.

Quick install

curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token YOUR_TOKEN

Works on Ubuntu, Debian, CentOS, Rocky, AlmaLinux, Amazon Linux. 40 MB binary, zero dependencies.

Frequently asked questions

How do I know if my database is exposed to the internet?

Defensia scans ports 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), and 6379 (Redis) at agent startup. If any port is publicly accessible, it creates a security event and shows a warning in the dashboard.

Does Defensia protect MySQL from brute force?

Yes. Defensia monitors MySQL authentication logs for repeated failed login attempts and automatically bans attacking IPs using iptables. The same applies to PostgreSQL and MongoDB auth failures.

What databases does Defensia protect?

MySQL, PostgreSQL, MongoDB, and Redis. Defensia detects exposed ports at startup and monitors authentication logs in real time for brute force patterns.

Should I expose my database port to the internet?

No. Databases should bind to localhost (127.0.0.1) or use SSH tunnels for remote access. If exposure is unavoidable, Defensia detects and blocks brute force attempts, but the best practice is to never expose database ports publicly.

How much does database security cost with Defensia?

Database port scanning and brute force detection are included in Defensia Pro at €9/server/month. The free plan includes SSH protection and the dashboard.

Also explore

SSH Brute Force Protection

15 detection patterns, ipset blocking.

Email Server Security

Postfix, Dovecot, and Roundcube protection.

Linux Server Security

Full protection overview.

Stop database brute force attacks

Free tier available. Install in 30 seconds and know if your databases are exposed.

Get Started Free