Recently I was trying to convince my hosting provider to secure my remote connection to MySQL. Their reply was that these connections are by default unsecured and even big players provide only unsecured remote connections to MySQL. I did a lot of Googling but I was unable to get a satisfactory answer.
If I wish to have my remote connection to MySQL server secure, am I wishing wrong?
Because I believe no remote connection should be insecure. Even the latest versions of MySQL Workbench have stopped supporting non-secure connections.
To make your whole website secure, besides your database, you need to issue an SSL certificate and make it work under HTTPS, which is going to encrypt all the data of your website.
In addition, it's always good to avoid the MySQL default port; change it to some port number other than 3306, which makes it harder for an attacker to attack your MySQL connection.
Related
I'm running Tomcat 7/MySQL 5.6 on CentOS 6. It's time to separate the database onto another server. What is the best approach to securing the connection between Tomcat and the backend MySQL server? It's virtualized and I don't want to run the connection open over a shared network.
I'm thinking of tunneling through SSH. SSL seems like a lot of work. But what's the "recommended" approach?
You're right to be careful about sending traffic over an open network. The MySQL protocol by default is not encrypted at all, so if someone can capture packets on your network, then they can see all your data.
I prefer using either an SSH tunnel or a VPN connection. I just find it easier to configure.
My colleague Ernie Souhrada at Percona posted a couple of really good blog articles about the efficiency of using an SSH tunnel versus using MySQL client options to connect via SSL and bear the overhead of handshaking on every connection.
http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/
http://www.mysqlperformanceblog.com/2013/11/18/mysql-encryption-performance-revisited/
The performance impact of the SSL handshake that Ernie reports won't be quite as much of an issue for a Tomcat environment, since you would typically have a connection pool, and therefore new connections would be made less frequently.
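The answer's point that the MySQL protocol is plaintext unless TLS is negotiated can be checked from the first two packets of a session. The following is an added example, not code from any answer on this page: it parses the server's HandshakeV10 greeting and the client's first packet for the CLIENT_SSL capability bit, and classifies who left the session unencrypted. All packet bytes are constructed inline from the public protocol layout, not captured traffic.

```python
import struct

# MySQL wire protocol (constructed here from the public packet layout, not from
# any answer on this page): each packet is a 3-byte little-endian length, a
# 1-byte sequence id, then the payload.  The CLIENT_SSL capability bit is
# advertised by the server in its HandshakeV10 greeting and echoed by a client
# that wants TLS, which then sends a 32-byte SSLRequest instead of credentials.
CLIENT_SSL = 0x0800


def mysql_payload(packet: bytes) -> bytes:
    length = int.from_bytes(packet[:3], "little")
    return packet[4:4 + length]


def server_offers_tls(greeting: bytes) -> bool:
    """True if the server's HandshakeV10 greeting advertises CLIENT_SSL."""
    p = mysql_payload(greeting)
    if p[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake")
    version_end = p.index(b"\x00", 1)
    # skip the NUL, 4-byte connection id, 8 bytes of auth data, 1 filler byte
    cap_lower = struct.unpack_from("<H", p, version_end + 1 + 4 + 8 + 1)[0]
    return bool(cap_lower & CLIENT_SSL)


def client_requested_tls(first_client_packet: bytes) -> bool:
    """True if the client's first packet (SSLRequest or HandshakeResponse41) sets CLIENT_SSL."""
    caps = struct.unpack_from("<I", mysql_payload(first_client_packet), 0)[0]
    return bool(caps & CLIENT_SSL)


def classify_session(greeting: bytes, first_client_packet: bytes) -> str:
    """Audit verdict for one captured session: who, if anyone, left it in plaintext."""
    if client_requested_tls(first_client_packet):
        return "tls"
    if server_offers_tls(greeting):
        return "plaintext: server offers TLS but client did not request it"
    return "plaintext: server was not built or configured for TLS"


# --- constructed sample packets (not real captures) -------------------------
def build_greeting(offer_tls: bool) -> bytes:
    caps = (0xF7FF | CLIENT_SSL) if offer_tls else 0xF7FF
    payload = (b"\x0a5.6.0-constructed\x00" + (7).to_bytes(4, "little") + b"12345678"
               + b"\x00" + struct.pack("<HBHHB", caps, 0x21, 0x0002, 0x8000, 0x15)
               + b"\x00" * 10 + b"ABCDEFGHIJKL\x00" + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def build_client_first_packet(use_tls: bool) -> bytes:
    caps = 0x000FA68D | (CLIENT_SSL if use_tls else 0)   # typical client flags
    head = struct.pack("<IIB", caps, 0x01000000, 0x21) + b"\x00" * 23
    payload = head if use_tls else head + b"appuser\x00\x14" + b"X" * 20 + b"shop\x00"
    return len(payload).to_bytes(3, "little") + b"\x01" + payload
```

Run over your own capture of the app-to-mysqld link: a `plaintext` verdict means the username and every query cross the network readable by anyone who can sniff that segment, which is exactly the exposure the SSH tunnel or SSL options above remove.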
The MySQL server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get-go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS/SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app-to-mysqld connection is on a private backend network (as it may be), using TLS/SSL may be overkill. It's called "transport layer security" and it pretty much protects against bad guys intercepting data going to and from MySQL. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app, the MySQL password is probably hardcoded in a config file someplace. If the bad guy wants to look at your data, he need only grab the password and log in to mysqld. To keep your info safe you need to keep bad guys off your private network.
It's a good idea always to parameterize the hostname, port number, and production password of your MySQL database. If those things are parameterized, you can then deploy to a staging or production server system simply by changing those parameters.
We have a building full of computers, each of which has a number of ODBC connections set up pointing at a MySQL server at a certain IP address.
We want to move this MySQL server to another machine and we are wondering if there is a way to set something up at the original IP address to redirect any ODBC connections pointed at port 3306 to the new machine.
Some background: both the old and new servers are Windows Server 2003. The MySQL server is part of a legacy system; we are replacing this with a SQL server, but the MySQL needs to remain operational for the foreseeable future.
The alternative is to spend a day going around each computer and amending the ODBC connection strings, which I will do if I need to but thought I would ask on here first.
Thanks
You have a few options, most of which are network related, not software.
In the future, consider using a hostname rather than an IP address for configuring your ODBC settings. This allows you to utilize DNS to resolve a hostname to any IP address that you want.
Besides that, MySQL proxy may be what you are looking for.
Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote MySQL server? Any suggestions on how to make the connection secure? BTW, I have a self-signed certificate installed on the localhost but I'm not sure how this applies to a remote MySQL connection.
You could create an SSH tunnel between the MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow, and it's a bit complicated, but if you want to proceed, check out the documentation and do some research; there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.
Hi, thanks for reading my question. I currently use Mac Terminal to use MySQL. I connect to either localhost or a remote server. Should I be using SSH?
You won't need SSH to access a DB on your local machine.
You can use SSH to access a remote DB using MySQL. You can also use an app with a GUI like Sequel Pro to access the remote DB via an SSH tunnel.
What specifically are you trying to achieve?
There is not enough information to answer your question.
Normally SSH tunnels are used more for ad hoc work, while preserving a high level of security (they can be used in production, too).
MySQL normally uses unencrypted traffic, but it can be set up to use SSL, so that's another path you can take.
Other alternatives are VPNs, for example OpenVPN among other solutions, but this is more of an infrastructure decision.
EDIT: For completeness
On the local machine, clients can communicate with mysqld over a socket or local IP. Normally it is not necessary to encrypt such connections.
For remote connections (which are over IP), as stated, MySQL uses an unencrypted connection by default, and FTP by default also uses an unencrypted connection. This might or might not be a security risk (if that particular network segment is on its own VLAN, or inside an already encrypted tunnel, or on a physically secured network).
If unsure - encrypt it.