Opening MySQL to the Internet

raindog308 Administrator, Veteran

Under normal circumstances, I would never have MySQL listening on the Internet. And if I did, I would use iptables to lock down who could access it.

However, I have a DB my VPSes access, and that I also want to access at home and on the road. The latter is the problem - my IP is always changing, so I can't determine which IPs to allow in iptables. And yes, it's direct access - a program that makes MySQL SQL calls.

After thinking about it, I'm not sure there's a way around just opening MySQL to the Internet. I can put it on a nonstandard port so it's not so obvious, and of course all accounts will have good passwords, remote root won't be allowed, but...it still seems dangerous to me.

Am I just paranoid?

Comments

  • Make sure you have SSL setup for your MySQL connections if you're going to connect over the Internet.

    But what I would do is set up a VPN on the server and go through that. OpenVPN is pretty easy and lightweight, especially for a single user connection.

  • The default cPanel installation comes with the MySQL port open; I think maybe 80%+ of non-pro hosting users leave it that way.

  • jarjar Patron Provider, Top Host, Veteran

    +1 for VPN :)

    Thanked by 2Droid netomx
  • said: it still seems dangerous to me.

    This is what VPNs were designed for! Could you use one (like Tinc)?

    Thanked by 1ehab
  • Or use an ssh tunnel to redirect the ssh port on the server, binding only on localhost, to a port on your own machine.

    Something like:

    ```sh
    # forwards LOCALPORT on this machine to SERVERPORT on the server's loopback
    ssh -L LOCALPORT:127.0.0.1:SERVERPORT user@host
    ```

    Then open only SSH in iptables.
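Added example (not from any post in this thread) for the SSH tunnel setup above: before trusting the tunnel, confirm on the server that MySQL is pinned to loopback and that nothing on the MySQL port listens on a public address. The `ss -ltn` samples are constructed; on a real server pipe the live `ss -ltn` output into `mysql_exposed_listeners`. Port 3306 is assumed unless you pass another.

```sh
#!/bin/sh
# Added example, not from the thread: verify MySQL is reachable only via
# loopback (and therefore only through the SSH tunnel). Constructed samples
# stand in for real `ss -ltn` output; nothing here needs root.

# 0 if the given my.cnf (or a conf.d drop-in) pins MySQL to 127.0.0.1.
mysql_bind_ok() {
    grep -Eq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$1"
}

# Read `ss -ltn` output on stdin; print every listener on the MySQL port whose
# local address is not loopback. No output means MySQL is not exposed.
mysql_exposed_listeners() {
    port="${1:-3306}"
    awk -v port="$port" 'NR > 1 {
        addr = $4; sub(/:[^:]*$/, "", addr)   # drop the trailing :port
        p = $4;    sub(/.*:/, "", p)          # keep only the port
        if (p == port && addr != "127.0.0.1" && addr != "[::1]") print $4
    }'
}

# The tunnel from the post, with -N so ssh only forwards and opens no shell;
# afterwards `mysql -h 127.0.0.1 -P LOCALPORT` on the laptop reaches the server.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$1" "$2" "$3"
}

# Constructed sample: MySQL wrongly bound to all interfaces, plus sshd.
sample_ss_exposed() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       151     0.0.0.0:3306        0.0.0.0:*
LISTEN  0       151     [::]:3306           [::]:*
EOF
}

# Constructed sample: the wanted state, MySQL on loopback only.
sample_ss_loopback() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       151     127.0.0.1:3306      0.0.0.0:*
EOF
}

# Firewall side of the post ("open only ssh"), as root on the server:
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 3306 -j DROP

echo "exposed listeners in the bad sample:"
sample_ss_exposed | mysql_exposed_listeners 3306
echo "exposed listeners in the good sample (expect none):"
sample_ss_loopback | mysql_exposed_listeners 3306
tunnel_cmd 3307 3306 user@host
```

Run the two checks after every MySQL upgrade as well: a package update that rewrites my.cnf, or a second instance started without the drop-in, is how a loopback-only database quietly ends up on 0.0.0.0.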

  • Dr. Colin Percival's spiped comes to mind.

    He's also the FreeBSD chief security officer.

    It's much simpler than public key based approaches. Just a symmetric encrypted unix pipe that handles flaky network conditions too.

    In use: http://mthology.kinja.com/spiped-encrypted-and-authenticated-pipes-1099321126


    Advantages (as described by crypto pro Thomas Ptacek) https://news.ycombinator.com/item?id=7540288 :

    • Does not require you to set up or trust a CA.
    • Does not require X.509 processing, which is a huge source of TLS implementation bugs.
    • Uses secure-by-default ciphersuite which, unlike TLS's, was designed after the most important work in authenticated encryption was published.
    • Does not include legacy ciphersuites with known flaws.
    • Mutually authenticated without invoking TLS corner case subprotocols like client certificates and session resumption.
    • Small enough to be auditable.
  • Maounique Host Rep, Veteran

    What @vimalware describes looks pretty neat, but an SSH tunnel would still be a robust, proven solution and works on all platforms.

    Thanked by 2vimalware ben78
  • I particularly like spiped for server-to-server connections.
    I prefer it over using MySQL's SSL support (via OpenSSL).
    After Heartbleed, everyone should be wary of huge, complex infrastructure codebases.

    Thanked by 1ben78
  • raindog308 Administrator, Veteran

    Thanks @vimalware !

    Thanked by 1netomx
  • Maounique Host Rep, Veteran
    edited November 2014

    vimalware said: After heartbleed

    Heartbleed would not affect an SSH tunnel in this case, and even if there are possible attacks, such as against MS-CHAPv2 in PPTP, who would put up the infrastructure to intercept such things, and get what? His plain-text tcpdump?
    No, in this case he wishes to defend against automated/brute-force stuff, and for this an SSH tunnel is more than enough, ubiquitous and compatible with everything.
    In security you know your adversary and defend against their possible attacks, and also proportionally to the possible loss in case the defenses are breached.
    Setting up unusual or overly complex security takes time and resources, might be incompatible or otherwise unsuitable for the purpose or hit some unexpected roadblocks and, as you very well pointed out, enlarges the attack surface, in some cases exponentially.
    That being said, to each his own; ultimately there is no perfect nor best solution, not to mention a generally best or perfect one. What I consider complicated to set up and admin is a breeze for others who do it ten times every day and have hit all the possible quirks and bugs, and the other way around.

    Thanked by 1vimalware
  • @Maounique said:
    Heartbleed would not affect a ssh tunnel in this case

    I was referring to OpenSSL, as you must have realized by now.

    Maounique said: Setting up unusual or overly complex security takes time and resources, might be incompatible or otherwise unsuitable for the purpose or hit some unexpected roadblocks and, as you very well pointed out, enlarges the attack surface, in some cases exponentially.

    spiped is 4000 LoC of C; hence very auditable. That's the primary argument for spiped over the comparatively obese OpenSSL.

    Its correctness can be verified by a handful of C-fluent programmers.

    Also, according to reports, people have been running it in production for hundreds of days, without any hiccups.
    It just works.


    [copy-pasta-from-users]
    * One doesn't have to worry about setting up unix users, and each node 'config' is only 1 shared keyfile.

    * If a node is compromised, I can cut it off with one move ( changing the shared key )

    * The spiped tunnel is highly reliable and recovers more gracefully than a standard SSH tunnel (one would need autossh in the latter case).
    (why: https://news.ycombinator.com/item?id=7539853)

    [/copy-pasta-from-users]

    Spiped's genesis story has more reasons: http://www.daemonology.net/blog/2011-07-04-spiped-secure-pipe-daemon.html

    Earlier, I was against stuffing my stack with unnecessary 'non-standard' components, as I was taught by best practice. But listening to enough crypto people who deal with openSSL bugs all the time(even before Heartbleed hit), has convinced me that, there is probably a time and place for re-stocking a broken security toolbox.

    One pet peeve I have is that you have to check the spiped mailing list to find the checksum hashes to verify the source code downloads (served over HTTP).

    Fun story: everyone thought Colin was unnecessarily paranoid when he set up HTTPS like this (in 2009): http://www.daemonology.net/blog/2009-09-28-securing-https.html

    Now if I only had enough time+willpower to replace all my openssh forwarding tunnel hacks with spiped.... :D #hypocrite
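
Added example, not from any post here and not from the spiped project itself: the shared-key deployment the post describes, with MySQL staying on 127.0.0.1 and spiped carrying the connection. The key path (/etc/spiped/mysql.key), public port (8306) and server name (db.example.com) are assumptions; the spiped flags are spiped's own (-d decrypt on the server side, -e encrypt on the client side, -s listen socket, -t target socket, -k key file).

```sh
#!/bin/sh
# Added example, not from the thread or from spiped. Assumed names: key at
# /etc/spiped/mysql.key, public port 8306, server db.example.com.
KEYFILE="${KEYFILE:-/etc/spiped/mysql.key}"
PUBLIC_PORT="${PUBLIC_PORT:-8306}"
DB_HOST="${DB_HOST:-db.example.com}"

# New 32-byte random key, created 0600 (umask in a subshell so it does not
# leak into the caller). Rotating the key is the "cut a node off" move from
# the post: run this, copy the new key to the nodes you still trust, restart.
make_spiped_key() {
    ( umask 077 && head -c 32 /dev/urandom > "$1" )
}

# 0 only if the key exists, holds at least 32 bytes and has no group/other
# permission bits. The key is the entire trust root, so check before use.
spiped_key_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -ge 32 ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Server: accept on the public port, decrypt, forward to MySQL on loopback.
spiped_server_cmd() {
    printf 'spiped -d -s "[0.0.0.0]:%s" -t "[127.0.0.1]:3306" -k %s\n' "$PUBLIC_PORT" "$KEYFILE"
}

# Client (laptop or another VPS): listen on loopback, encrypt to the server.
# The MySQL client then simply uses -h 127.0.0.1 -P 3306.
spiped_client_cmd() {
    printf 'spiped -e -s "[127.0.0.1]:3306" -t "%s:%s" -k %s\n' "$DB_HOST" "$PUBLIC_PORT" "$KEYFILE"
}

# Firewall on the server: only SSH and the spiped port are open; 3306 itself
# is never reachable from outside.
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 8306 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 3306 -j DROP

spiped_server_cmd
spiped_client_cmd
```

Anyone holding the key file can open the tunnel, so the permission check matters as much as the random source: a world-readable key on a shared box is the same as no key.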

  • raindog308 Administrator, Veteran

    FYI, I had the pleasure of interviewing Colin for a magazine article. Very sharp guy. He certainly knows what he's doing when it comes to crypto and coding in general. I use tarsnap a bit and it's awesome as well.

    That said, I'm not 100% certain spiped will work because I want to connect to the DB from a couple of shared hosting accounts, where I can't run a daemon but can run a MySQL client. Hmmm...since those are usually fixed IPs, I suppose I could open MySQL just to those two via iptables, then everyone else uses a tunnel...though maybe I'll be lazy and set up some kind of fail2ban for MySQL logins.

    Thanked by 1vimalware
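
Added example, not from any post in this thread: the "fail2ban for MySQL logins" idea above as a small detector over the MySQL error log. It assumes MySQL 5.6-style "[Warning] Access denied" lines (the sample log is constructed) and, more importantly, that failed logins are logged at all: log_warnings=2 on 5.6, log_error_verbosity=3 on 5.7 and later. With the default settings there is nothing for fail2ban, or this script, to match.

```sh
#!/bin/sh
# Added example, not from the thread: count "Access denied" lines per client
# in the MySQL error log and emit a firewall ban for repeat offenders.

# Print "<count> <client>" for every client with at least $1 failed logins,
# worst first. The client is whatever MySQL put after the @ (an IP, or a
# hostname if name resolution is enabled on the server).
mysql_bruteforce_ips() {
    awk -v t="$1" '
        /Access denied for user/ {
            if (match($0, /@'\''[^'\'']+'\''/)) {
                host = substr($0, RSTART + 2, RLENGTH - 3)
                n[host]++
            }
        }
        END { for (h in n) if (n[h] >= t) print n[h], h }' | sort -rn
}

# The ban action, like a fail2ban iptables action. Printed, not executed;
# pipe it to sh as root once you trust the match.
ban_cmd() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 3306 -j DROP\n' "$1"
}

# Constructed sample log: three failures from one address, one from another,
# plus an unrelated line that must not match.
sample_mysql_log() {
cat <<'EOF'
2014-11-20 10:15:32 1234 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2014-11-20 10:15:33 1234 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2014-11-20 10:15:34 1234 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: NO)
2014-11-20 10:16:01 1235 [Warning] Access denied for user 'app'@'198.51.100.4' (using password: YES)
2014-11-20 10:17:00 1236 [Note] Server socket created on IP: '0.0.0.0'.
EOF
}

# On a real server: tail -n 10000 /var/log/mysql/error.log | mysql_bruteforce_ips 5
sample_mysql_log | mysql_bruteforce_ips 3 | while read -r count host; do
    ban_cmd "$host"
done
```

Two caveats a fail2ban jail shares with this script: it only sees what the server logs, and a client behind a NAT or hostname resolution can make one offender look like many (or many users look like one), so keep the threshold well above what a fat-fingered password produces.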
  • Neoon Community Contributor, Veteran

    SSH Tunnel would be one way.

  • @coolice said:
    The default cPanel installation comes with the MySQL port open; I think maybe 80%+ of non-pro hosting users leave it that way.

    The port is opened to the internet but cPanel users have to configure allowed hosts first.

  • use a VPN :D

  • Just open it to the Internet, use SSL and strong passwords. That's what I'm doing (also 'cause I'm lazy) and nothing dangerous happened yet.

  • tomle Member, LIR

    I guess one option could be to use port knocking but I agree that VPN would be a nice option in those cases where you're not sure what IP you will have.

  • Yeah VPN or SSH sounds like the easiest and most secure way.

    coolice said: The default cPanel installation comes with the MySQL port open; I think maybe 80%+ of non-pro hosting users leave it that way.

    Not all users can access it though?

  • Maounique Host Rep, Veteran

    @Makkesk8 said:
    try using http://www.noip.com/ ?

    How would that help?

    1. VPN/tunnel
    2. phpmyadmin
  • linuxthefish said: Not all users can access it though?

    IIRC it can be disabled by the administrator on an account by account basis. Even when enabled for accounts the user needs to allow access host by host from the panel.

  • @raindog308: VPN, unquestionably. If you absolutely have to have MySQL Accessible over the internet, then a VPN is your only way to go.

  • Tinc

    Thanked by 1trewq
  • trewq Administrator, Patron Provider

    @Mun said:
    Tinc

    I was about to say this. Tinc is becoming my favourite thing ever. I'm going to write a few tutorials for it but overall it's pretty easy to get a basic mesh network going.

  • coolice Member
    edited November 2014

    @kcaj said:
    The port is opened to the internet but cPanel users have to configure allowed hosts first.

    Yes, and the Host % wildcard can be allowed by someone, and you cannot stop him from doing it.

    @linuxthefish said:
    Yeah VPN or SSH sounds like the easiest and most secure way.

    Not all users can access it though?

    All users, unless you hide the feature from cPanel for some packages.

    My answer agrees with the OP's last statement: too paranoid. :) If this is a commercial project I'll always vouch for good security, or if he does not trust the ISP; the simplest solution will be to SSH-tunnel to the VPS, with MySQL bound only on localhost, and the browser connection going through that tunnel...

    But surely it is too paranoid to implement strong security for the remote database connection and then, after finishing work on MySQL, the OP just opens his personal blog, which does not have SSL, and edits posts... the damage that can be done if somebody is sniffing the data is equal...

    Hope others get my point (English is not my native language).

    Thanked by 1vladka24
  • @raindog308 said:
    That said, I'm not 100% certain spiped will work because I want to connect to the DB from a couple shared hosting accounts, where I can't run a daemon but can run a MySQL client.

    Looks like mysql+SSLonly with strong passwords is the path of least resistance for this stack.

    Preventing brute force with fail2ban/denyhosts is contingent on your shared lamp-host allowing you to create ssh tunnels using cron.
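
Added example, not from any post in this thread, for the "MySQL + SSL only + strong passwords" route above and the cPanel `%` host discussion earlier: an audit of the account table before the port is opened. Feed it the tab-separated output of `mysql -N -B -e "SELECT user, host, ssl_type FROM mysql.user"`; the rows below are constructed. `ssl_type` is MySQL's own column: an empty value means no TLS is required for that account, and `ANY` is what `REQUIRE SSL` sets. The fix statements use MySQL 5.6 syntax (GRANT USAGE ... REQUIRE SSL; 5.7+ also has ALTER USER ... REQUIRE SSL).

```sh
#!/bin/sh
# Added example, not from the thread: flag MySQL accounts that are reachable
# from any host or that can log in remotely without TLS, and print the
# statement that fixes each. Input is constructed; see lead-in for the query.

# Print "user@host reason[,reason]" for offending accounts. Accounts limited
# to the local host are exempt from the TLS check (they use the unix socket).
audit_mysql_users() {
    awk -F'\t' '
        {
            why = ""
            remote = ($2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1")
            if ($2 == "%") why = why "any-host,"
            if (remote && $3 == "") why = why "no-tls,"
            if (why != "") {
                sub(/,$/, "", why)
                printf "%s@%s %s\n", $1, $2, why
            }
        }'
}

# Restrict an any-host account to one client address (user, old host, new host).
pin_host_sql() {
    printf "RENAME USER '%s'@'%s' TO '%s'@'%s';\n" "$1" "$2" "$1" "$3"
}

# Require TLS for an account (user, host); USAGE adds no privileges.
require_tls_sql() {
    printf "GRANT USAGE ON *.* TO '%s'@'%s' REQUIRE SSL;\n" "$1" "$2"
}

# Constructed sample of user, host, ssl_type rows.
sample_users() {
    printf 'root\tlocalhost\t\n'
    printf 'app\t%%\t\n'
    printf 'home\t%%\tANY\n'
    printf 'vps\t198.51.100.4\tANY\n'
}

echo "accounts needing attention:"
sample_users | audit_mysql_users
echo "example fixes for app@%:"
pin_host_sql app % 198.51.100.4
require_tls_sql app 198.51.100.4
```

Note what `REQUIRE SSL` does not give you: the client still has to verify the server certificate (`--ssl-verify-server-cert` with the CA file in the 5.6-era client), otherwise an active attacker on the path can present any certificate and the password still travels to them.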

  • Use a VPN and add the VPN IP to iptables; that's the only proper solution.

    Or use your home computer via TeamViewer.

  • Maounique said: Who's General Failure, and why is he reading my drive A: ?

    He's the commander of Major Failure. Get him out of there before he brings in Fatal Error.

    Thanked by 1netomx
  • I use CSF to allow only certain IP addresses to connect to port 3306. I found it easier as I'm dealing with several client servers.

    I have the following in /etc/csf/csf.allow. The IP 192.168.1.13 is the remote server that is connecting to the MySQL server.

    ```
    tcp|in|d=3306|s=192.168.1.13
    ```

    Also, make sure that port 3306 is not in TCP_IN in /etc/csf/csf.conf.

    You could also use a VPN to do it (although I'm not sure if that'd work if you're using something like PHP). Here's a quick tutorial on how to set it up on the client server and here's a quick tutorial on how to set up a VPN server (running CentOS 6).
