MariaDB + PHPMyadmin - Good idea to allow a user from all IPs and use IPTable to block?

I have MariaDB + PHPMyAdmin installed on a dedicated DB server and multiple front-ends pointing to the same DB server. As such I would like to set up a DB user with no IP restriction (i.e., the host field can be anything) and use iptables to make sure only my front-end servers can access the MariaDB installation on the DB server.

My questions are:

  1. Is this set up secure?

  2. Would opening up port 3306 be enough?

  3. If I do the following:

iptables -I INPUT -p tcp -m tcp -s MY_FRONT_END_IP --dport 3306 -j ACCEPT

Would this block access for the PHPMyAdmin on my localhost? Do I have to add an entry for 127.0.0.1 as well?

Comments

  • Is this set up secure?

    Until someone disables iptables.

    Would opening up port 3306 be enough?

    That should be all you need for DB access

    Do I have to add an entry for IP 127.0.0.1 as well?

    Local applications are likely using a socket. If yours are, then no.

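As an added example (my own code, not from the question or the answer above), here is the DB-server firewall the two posts describe, rendered in iptables-restore format so it can be reviewed before it is loaded: loopback is accepted, so phpMyAdmin on the DB host connecting to 127.0.0.1 keeps working (a connection to 'localhost' goes over the Unix socket and is never seen by netfilter at all, which is the case the answer refers to); the listed front-ends are accepted; everything else to 3306 is rejected explicitly, so the result does not depend on the INPUT chain's default policy. The 203.0.113.x addresses are RFC 5737 documentation addresses constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: print the DB server's rules for
# TCP/3306 as an iptables-restore fragment. It only prints text, so it runs
# unprivileged; review the output, then load it with
#   render_db_rules 203.0.113.10 203.0.113.11 | iptables-restore -n
# (later reloads should flush DB_IN first, or the rules accumulate).
# 203.0.113.x are RFC 5737 documentation addresses, constructed for this
# example; substitute the real front-end IPs or CIDR blocks.

render_db_rules() {
    # $@ = front-end source addresses (single IPs or CIDR blocks)
    printf '%s\n' '*filter'
    printf '%s\n' ':DB_IN - [0:0]'
    # Loopback first: phpMyAdmin on the DB host using 127.0.0.1 keeps
    # working. A 'localhost' connection uses the Unix socket and never
    # passes through netfilter, so the socket case needs no rule at all.
    printf '%s\n' '-A DB_IN -p tcp -i lo -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A DB_IN -p tcp -s $src -j ACCEPT"
    done
    # Explicit reject so the outcome does not depend on the INPUT policy;
    # tcp-reset makes a misconfigured front-end fail fast ("Connection
    # refused") instead of hanging until its connect timeout.
    printf '%s\n' '-A DB_IN -p tcp -j REJECT --reject-with tcp-reset'
    # Hand every packet for 3306 to the chain above
    printf '%s\n' '-A INPUT -p tcp --dport 3306 -j DB_IN'
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: rules for two constructed front-ends
render_db_rules 203.0.113.10 203.0.113.11
```

The original rule in the question only inserts an ACCEPT; it restricts anything only if the INPUT chain already drops by default, which is why the rendered set ends with its own REJECT.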
  • I'd recommend you set up a VPN (e.g. tinc) between the db-server and the frontend-servers.

    Why set up a VPN?

    • By default, the traffic of MySQL is not encrypted. Sending (sensitive) data from a database in plain text over the internet is not a good idea.
    • Access can be restricted further (to only VPN-clients)

    Then bind mysql to the VPN-subnet and restrict access to the db-server only to the VPN-IPs. (iptables)

    Additionally, you can use CIDR notation (10.0.0.0/29 for 6 hosts) for the host-part of the mysql-user. (see: http://dev.mysql.com/doc/refman/5.1/en/connection-access.html)

    Hope that helps,
    gehaxelt

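An added example for the DB-side half of the setup described above (my own code, not gehaxelt's): bind mysqld to the VPN address only and create the application account so that its host part matches only the VPN subnet, which keeps the restriction in place even when iptables is switched off, the weakness the first reply pointed at. One caveat for practitioners: MariaDB (and MySQL before 8.0.23) take the host mask in dotted netmask form, 10.0.0.0/255.255.255.248, which is the form the linked MySQL 5.1 page shows; a bare /29 prefix length is not understood in that position, so the helper below converts it. The subnet 10.0.0.0/29 and the DB address 10.0.0.2 follow the thread; the account name app, database appdb and the <password> placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the DB-side restrictions for a
# VPN-only MariaDB: a my.cnf fragment binding the listener to the VPN
# address, and the account statements with a VPN-subnet host mask.
# Constructed values: VPN subnet 10.0.0.0/29 and DB address 10.0.0.2 (as in
# the thread); "app", "appdb" and <password> are placeholders.

# Convert a prefix length (0-32) to a dotted netmask, e.g. 29 -> 255.255.255.248
prefix_to_netmask() {
    p=$1
    # 32-bit mask with the top $p bits set (4294967295 = 0xFFFFFFFF)
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' \
        $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# MariaDB account hosts take the mask in dotted form; "10.0.0.0/29" is not
# understood there, so translate the CIDR block first.
cidr_to_account_host() {
    net=${1%/*}
    p=${1#*/}
    printf '%s/%s\n' "$net" "$(prefix_to_netmask "$p")"
}

# my.cnf fragment: listen on the VPN address only (the default 0.0.0.0 also
# listens on the public interface). skip-name-resolve matches accounts by
# IP only, so no reverse-DNS lookup is involved in authorisation.
render_mycnf() {
    printf '[mysqld]\nbind-address = %s\nskip-name-resolve\n' "$1"
}

# SQL: the VPN-subnet host pattern replaces '%' in the account name
render_account_sql() {
    user=$1; db=$2; host=$3
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '<password>';\n" "$user" "$host"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
}

# Stand-alone run with the constructed values
render_mycnf 10.0.0.2
render_account_sql app appdb "$(cidr_to_account_host 10.0.0.0/29)"
```

Restart mysqld after changing bind-address; the address must already exist on the tunnel interface at start-up or the bind fails.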
  • zhuanyi, Member (edited September 2014)

    @gehaxelt The VPN idea sounds great, but is there any overhead associated with this? And do you happen to have a good tutorial on this? Thanks a bunch.

  • @zhuanyi,
    I'm running the described set up and the overhead is minimal.

    I think a DO-tutorial about tinc will help a lot :) https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04
    Otherwise the tinc-wiki may help too: http://www.tinc-vpn.org/

    Best regards,
    gehaxelt

  • There is SOME overhead (some CPU overhead, and some network overhead created by the slightly larger packets). You can offset the network overhead with compressed queries; however, this is bad for encryption. The CPU overhead is minimal, and has to do with the encryption and decryption on either side.

  • GoodHosting said: bad for encryption.

    Why is this bad for encryption?

  • Mun, Member (edited September 2014)

    @GoodHosting said:
    There is SOME overhead (some CPU overhead, and some network overhead created by the slightly larger packets). You can offset the network overhead with compressed queries; however, this is bad for encryption. The CPU overhead is minimal, and has to do with the encryption and decryption on either side.

    And you are an idiot. I use tinc and there is literally no overhead, ~1% CPU with tons of traffic on it.

    The only time there are issues is when you run through virtualization. The CPU load increases because the CPU has to do the work instead of the NIC.

    I was using over 100 Mbps and I was seeing around 50% usage on a single-core KVM.

  • @Silvenga said:
    Why is this bad for encryption?

    A good example is http://en.wikipedia.org/wiki/CRIME

    Although this doesn't DIRECTLY apply to your MySQL data.


    That being said, if an attacker could sniff the traffic and could run arbitrary commands (such as requesting various things from your website), they could in theory enact the same sort of attack on your MySQL server, although it would be extremely difficult.

  • GoodHosting, Member (edited September 2014)

    @Mun said:

    http://packetpushers.net/ipsec-bandwidth-overhead-using-aes/

    We might be in a different example here, but the premise is the same. You are taking a packet that has to start out less than 1500 bytes in most cases, and wrapping a bunch of stuff around it (+ adding more packet headers); then pushing it into the tunnel. There are of course going to be overheads based on this, as the payload you can fit inside a 1500 byte packet is reduced by everything you have to wrap that packet in.

    The overhead may only be 5% for example, but it is still an overhead.


    ex: http://sd.wareonearth.com/~phil/net/overhead/

    Edit: Oh hey look, the overhead is about 5%.


    I see you're mildly enraged today, starting your comment with "And you are an idiot."

  • @gehaxelt said:
    zhuanyi,
    I'm running the described set up and the overhead is minimal.

    I think a DO-tutorial about tinc will help a lot :) https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04
    Otherwise the tinc-wiki may help too: http://www.tinc-vpn.org/

    Best regards,
    gehaxelt

    Great, I'll try it at home tonight. I have Debian installed on both machines and I am sure the setups would be similar.

  • Silvenga, Member (edited September 2014)

    Aren't we talking about a VPN? In VPNs, compression and encryption of packets are on a different level. CRIME requires level 7 (HTTP protocol level); packets are encapsulated on level 4 (TCP, UDP). The attacker would have no chance.

    GoodHosting said: could in theory enact the same sort of attack on your MySQL server, albeit it would be extremely difficult.

    It would be easier to get physical access to the host.

    Mun said: I use tinc and literally there is no overhead

    Agreed, I have little to no overhead (I'm also using switch mode). Tinc has no issues with 50Mb/s and uses less than 10% of one CPU (streaming video).

  • No, I am calling you an idiot because you never put this into a real-world test. By default AES isn't even used. The overhead, with regard to your "SOME" in capital letters, is heavily misleading. In this example MySQL will be maxed out way before tinc will.

    Security, are you serious??? The current method he is going with is plain-text communication. Tinc at least has native encryption.

    Not to mention that by default, or at least if you set tinc up properly, it will automatically lower the MTU to accommodate that extra info.

    Compression can be turned off by setting it to 0.
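
An added worked calculation (mine, not from any of the posts) that puts numbers on the overhead argument above. The 1500-byte MTU and the "about 5%" figure are taken from the posts; the per-packet overhead in bytes is a parameter, because it depends on the VPN's framing and cipher (outer IP and UDP headers, tunnel header, padding, MAC) and is not a tinc measurement. The last function shows the failure mode the MTU remark refers to: if the tunnel interface's MTU is not lowered, a full-size inner packet no longer fits and is carried as two outer packets, so the fixed overhead is paid twice.

```shell
#!/bin/sh
# Added worked calculation, not from the thread. Inputs: outer (path) MTU,
# per-packet tunnel overhead in bytes (assumed, VPN-specific), inner packet
# size. All arithmetic is integer; percentages are rounded to the nearest
# whole number. Inner IP headers repeated on fragments are ignored.

# Largest inner packet that still fits in one outer packet
inner_mtu() {            # $1 = outer MTU, $2 = per-packet overhead
    echo $(( $1 - $2 ))
}

# Overhead as a percentage of a full-size outer packet
overhead_pct() {         # $1 = outer MTU, $2 = per-packet overhead
    echo $(( ($2 * 100 + $1 / 2) / $1 ))
}

# Outer packets needed to carry one inner packet of size $3. An inner packet
# larger than inner_mtu must be fragmented, and each fragment is wrapped again.
outer_packets() {        # $1 = outer MTU, $2 = overhead, $3 = inner size
    per=$(( $1 - $2 ))
    echo $(( ($3 + per - 1) / per ))
}

# Bytes on the wire as a percentage of inner bytes, for one inner packet
wire_pct() {             # $1 = outer MTU, $2 = overhead, $3 = inner size
    n=$(outer_packets "$1" "$2" "$3")
    echo $(( (($3 + n * $2) * 100 + $3 / 2) / $3 ))
}

# Stand-alone run with the thread's numbers: 1500-byte MTU, and an assumed
# 75 bytes of wrapping, which is what "about 5%" amounts to at that MTU.
echo "inner MTU with the tunnel MTU lowered: $(inner_mtu 1500 75)"
echo "overhead on full-size packets: $(overhead_pct 1500 75)%"
echo "outer packets for a 1425-byte inner packet: $(outer_packets 1500 75 1425)"
echo "outer packets for a 1500-byte inner packet (MTU not lowered): $(outer_packets 1500 75 1500)"
echo "wire bytes per inner byte, MTU lowered vs not: $(wire_pct 1500 75 1425)% vs $(wire_pct 1500 75 1500)%"
```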

  • zhuanyi, Member (edited September 2014)

    @gehaxelt said:
    zhuanyi,
    I'm running the described set up and the overhead is minimal.

    I think a DO-tutorial about tinc will help a lot :) https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04
    Otherwise the tinc-wiki may help too: http://www.tinc-vpn.org/

    Best regards,
    gehaxelt

    Finally got around to trying it out last night. I was able to ping the internal 10.0.0.1 and 10.0.0.2 IPs from each other, but when I tried to connect via MySQL on the command line using mysql -h I got a connection timeout error.

    ERROR 2003 (HY000): Can't connect to MySQL server on '10.0.0.2' (110 "Connection timed out")

    The DB is definitely turned on as I have PHPMyAdmin running on the DB server. And I don't have iptables turned on for either one of them. (In fact I uninstalled iptables completely on the DB server to make sure it doesn't do anything bad.)

    Has anyone encountered something similar before?

    EDIT: Figured it out, had to reboot the DB server for some reason, garhh....now everything works, thanks again @gehaxelt
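
An added example for the ERROR 2003 in the last post (my own code, not the poster's): the errno in the client message and the listener table on the DB host narrow the fault quickly. A 110 timeout means nothing answered at all (route, tunnel or a DROP rule), while a 111 refusal means the host was reached but nothing listens on that address:port, typically a bind-address problem. The errno numbers are Linux's (110 ETIMEDOUT, 111 ECONNREFUSED, 113 EHOSTUNREACH). The ss -ltn lines in the block are constructed sample output, not captured from the poster's server; on a real DB host pipe the real `ss -ltn` into listens_on.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass diagnosis for
# "ERROR 2003 (HY000): Can't connect to MySQL server on 'X' (errno ...)".
# The ss(8) output used below is CONSTRUCTED sample data.

# Map the errno in the client error to where the fault usually lies
explain_errno() {
    case $1 in
        110) echo "timed out: nothing answered; check the route to the VPN address, that the tunnel interface is up on both ends, and for DROP rules on the path" ;;
        111) echo "refused: host reached but nothing listens on that ip:port, or a REJECT rule hit; check bind-address and iptables on the DB host" ;;
        113) echo "no route to host: the VPN interface or its route is missing on the client side" ;;
        *)   echo "errno $1: see errno(3)" ;;
    esac
}

# Does a TCP listener on the DB host accept connections to $1:3306?
# Reads `ss -ltn` output on stdin; a wildcard (0.0.0.0, *, [::]) listener
# counts as yes. Exit status 0 = yes, 1 = no.
listens_on() {
    want=$1
    awk -v want="$want" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "3306" && (addr == want || addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: mysqld bound to loopback only, sshd on all addresses
sample_ss='State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       80       127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*'

# Stand-alone run against the constructed sample
explain_errno 110
if printf '%s\n' "$sample_ss" | listens_on 10.0.0.2; then
    echo "mysqld listens on 10.0.0.2:3306"
else
    echo "mysqld is not reachable on 10.0.0.2:3306: set bind-address to the VPN address (or 0.0.0.0 plus a firewall) and restart mysqld after the VPN interface is up"
fi
```

Note the asymmetry that matters when reading the error: a server that is bound only to 127.0.0.1 produces a 111 "Connection refused" from the VPN, not a timeout, so a 110 with no iptables in play points at the tunnel or routing rather than at mysqld.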
