Granting Access to a User from a Remote Machine - MYSQL - mysql

I have a database in mysql and I would like to grant access to a user from a remote machine. How can this be achieved?
Thanks

Usually first thing you need to do is comment bind-address in MySql config file (my.cnf). This settings is blocking communication with database if it's not from the the same address, and restart mysql to apply changes. Also don't forget to open port 3306 on which MySql communicate.
Next you can freely create a new database user, which login will be #'%'.
But beware, if it's a production server, it is not good practice to do this, it is security hole which can be used.

Related

Windows mysql workbench can't connect to remote mysql service

I deploy a mysql service on my company remote develop CentOS machine, I'm sure the service is turn on, and it can be access from an other reomte linux machine.
However, I can't connect it from my own Windows PC. I tried mysql workbench client and HeidiSQL client, both failed. I can ping through the remote IP address. I have tried anything I can found on google. Like
add bind-address = 127.0.0.1 to cnf file, and comment out the skip-networking.
I also tried the answer on another question Can't connect to remote server using MySQL Workbench on mac, which allow all machine can access to the service.
But my PC still can't connect to it, which report code 10060 error. So what should I do?
That bind-address = 127.0.0.1 config option means that your mysql server only accepts connections from the localhost, which is your actual CentOS machine. Make sure to set bind-address = 0.0.0.0.
Also, make sure that:
you have connectivity from your windows machine to the CentOS one
no firewall blocks the external connections to the local mysql port
Regarding potential security concerns from opening your mysql instance to the whole internet - first make it work, then make it better
I had the same issue here man,and i discovered that we need to create a user that isnt the root user. I my case, i don't know why yet, the issue was that.
The solution
Steps:
1 - Check the firewall (create a rule for port 3306 or disable it).
2 - Comment the line # bind-address=0.0.0.0 at [mysqld] config optin in C:\ProgramData\MySQL\MySQL Server 5.7\my.ini
3 - Create the user to remote access:
mysql> CREATE USER 'net'#'%' IDENTIFIED BY '123';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'net'#'%' WITH GRANT OPTION;
In my case, solved.

MySQL unable to connect with remote server

We have a MySQL server in one of the remote Virtual Machine (Windows Server 2008). Till yesterday we were able to connect to the MySQL server, with the help of workbench installed in our local machine.
Yesterday there was a restart to the machine which has the Virtual Machine installed. After that we are unable to connect to MYSQL. Though I can ping and remote connect this particular VM. I can even execute the queries inside the workbench installed in the VM.
I am not too good at networking or security related stuffs. Please help me to solve this issue.
Error :
Your connection attempt failed for user 'root' from your host to server at ABC:3306: Can't connect to MySQL server on 'ABC' (10060)
Really this could be a magnitude of possible reasons, hopefully this is a start:
Check basic network
From the MySQL virtual machine open up a command prompt and type IPCONFIG /ALL. This will show you all the IP addresses bound to different network adapters.
Check that the IP address you're connected to is listed there, the virtual machine might have got a new IP from DHCP rather than having a static IP after its restart.
Hostname vs IP
You should check the hostname resolution, from your quoted error it would suggest you are you are connecting to a hostname rather than a server IP. Check your machine can resolve to the hostname using the correct IP address - it could also be worth changing the hostname for the actual IP of the server in the connection string.
MySQL config file
You've said you're running MySQL on Windows, it was customary to rename the my.cnf to my.ini. The configuration file for older versions of MySQL previous to 4.1.5 was usually stored in either c:\my.ini or c:\windows\my.ini. For versions after this the default location is the installation directory usually %PROGRAMDATA%\MySQL\MySQL Server xxx.
When you have located the configuration file please open it on Notepad (or similar text editor), locate the [mysqld] section and make sure that port= the port you're trying to connect to and bind-address= the IP address you're trying to connect to.
Server ports
From the MySQL virtual server open a command prompt and type netstat –ano, this will show you a list of processes and what IP's / ports they are listening on. The MySQL server should be listed here and should be listening on the same port and IP as the config file defines.
Windows firewall
You should have a firewall rule to allow MySQL, the following will add one on the default port of 3306
netsh advfirewall firewall add rule name="MySQL Server" action=allow protocol=TCP dir=in localport=3306
Identify if this is machine specific
You could setup the MySQL Workbench application on another workstation and try to connect to identify if this is a global problem or just one related to your specific workstation.
mysql administrator of your database should allow remote connection to the mysql server.
change this in my.cnf:
bind-address = 127.0.0.1 # this shoul be your mysql server ip
and comment this:
# skip-networking
Chances are that your configuration was set up for an IP that has changed. By default, mysql won't let you connect from remote hosts unless you explicitly give permissions for a specific user on a specific schema or a group of schemas, for example if you did something like this:
GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'#'1.2.3.4' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION;
Maybe what you actually did was to set the grant onto your own IP address, that is the address of your local machine, and if your local machine (not the remote server) has changed it's IP address, then mysql will not let you connect unless you have the "1.2.3.4" IP address which obviously you don't have anymore if you have a dynamic IP address (common with DSL/Cable connections)
So connect through SSH or Telnet or whatever you use to your windows server and go to mysql as root and do this:
SELECT * from information_schema.user_privileges;
That will show you the grants on all users and how they are allowed to connect. If you don't see your local IP Address listed there or a wildcard (which would allow you to connect from any remote machine to the server) then you have to set it up like this:
GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'#'%' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION;
Where USERNAME of course is your user. See that after the on there is a wildcard / dot /wildcard that means you want that user to be able to connect to any schema (database, for mysql) from any user from any network. But I'd recommend that you only do the grant for the user for the specific schema you need to connect to.
Then after that, if you actually had the right information and still can't connect than use a portscanner like nmap or something like that to do a port scan and see if mysql is:
Open and listening to external network
Running on the port that you actually want to connect through
If 1 is true, then check 2 because maybe there is a misconfiguration of the port. But if any of these 2 points do work then it sounds definitely not like a network configuration but a user setting or something else.
GRANT ALL ON *.* to user#'%' IDENTIFIED BY 'password';
this command should do the trick for all users #Gustavo Rubio has already given the proper explanation.
To ensure what ports are open run cmd in the virtual machine and type.
netstat -a
TCP 127.0.0.1:3360 Hostname:3360 LISTENING
The my.cnf is located Mysql-install-path\MySQL\MySQL Server xxx make sure you backup original before changing
Can't connect to [local] MySQL server
Testing The MySQL Server Installation on Microsoft Windows
MySQL Workbench: Manage MySQL on Windows Servers the Windows way
For the first time you need to test and make sure your connection to mysql is not blocked by the firewall.
To disable the firewall on each host in your cluster, perform the following steps on each host.
1. Save the existing iptables rule set.
iptables-save > /root/firewall.rules
2. Disable iptables.
For RHEL, CentOS, Oracle, and Debian:
chkconfig iptables off
and
/etc/init.d/iptables stop
For SLES:
chkconfig SuSEfirewall2_setup off
and
rcSuSEfirewall2 stop
For Ubuntu:
service ufw stop
https://www.cloudera.com/documentation/enterprise/5-7-x/topics/install_cdh_disable_iptables.html
Depends on your setup, but if you're using cPanel just go to RemoteMYSQL and enter your host. You can also use a wildcard. Below worked for me when I was getting the error
"Could not connect to DB server '' as user ''. port : Host '' is not
allowed to connect to this MySQL server"
On MySQL v5.6 this may be the case.
When another server communicate by advertising its hostname instead of IP address, the resolution might fails (because your user is using IP address instead of hostname for example).
So, you need to disable the following,
skip-host-cache
skip-name-resolve
Or maybe create the user with appropriate hostname (instead of IP address). You may find the hostname when establishing the connection to the remote MySQL.

Access remote MySQL server without editing my.conf

I want to connect my Django app (hosted on a VPS) to a database hosted on another server with more memory, so I can run stuff and add things to the database without the risk of it getting killed for using too much memory on my VPS. The things I've seen about this (e.g., How to connect to MySQL server on another host?) all involve editing my.cnf and changing the bind-address line. I a)don't have root privileges to do this, and b)don't want to expose other users' MySQL dbs to potential security risks. I tried editing ~/.my.cnf to change the bind-address thing, but that doesn't seem to work.
I also found http://www.rackspace.com/knowledge_center/article/mysql-connect-to-your-database-remotely, which suggests creating 'user'#'remote-ip-address' and then granting that user permissions. I tried that, but I keep getting ERROR 2003 (HY000): Can't connect to MySQL server on '(the server's address)' (110) when I try mysql -u username -p -h (the server's address).
I have access to the root user for MySQL, but no other admin privileges on the server where I want to set up the database. Is there any way to configure things so Django can access this remote db without directly editing /etc/mysql/my.cnf?
The bind-address doesn't specify which IPs can connect to that server, but which address is MySQL listening to. So, just set it to 0.0.0.0 and it will work. Please make sure you've got a user account with that address. Check mysql.user table.
Addressing the root-access thing:
* If you installed mysql manually, you've got root access.
* If you didn't install mysql manually, but it's a service provided by the VPS hosting, then the bind-address should be 0.0.0.0 (or at least not 127.0.0.1). If it's not the case, contact them because they're screwing up pretty bad.
Hope it helps.
EDIT, CLARIFICATION:
MySQL bind-address is not a security constraint. If you want to allow some addresses to connect to the server you should create/grant users with the that address specified, like this
CREATE USER 'bobdole'#'192.168.10.221';
Rather hacky, but I think this should be possible with MySQL Proxy listening on an unprivileged port on the public IP, proxying all queries to the mysqld which is running locally.

MySQL TCP Connection

I have a MySQL Database which I want to connect to from a different computer, preferably using TCP/IP. What is the easiest way to do this. Currently I have tried just putting the IP address of the computer in, and it comes up with Error #1130, which is no help.
Any nice easy ways to do this?
Make sure "skip-networking" is not in your my.cnf file (restart MySQL if it is after changing it), and that you've created a user with permissions to connection from your remote host. Something like:
GRANT SELECT,INSERT,UPDATE,DELETE ON mydb.mytable TO "myuser"#"myotherhost" IDENTIFIED BY "somepassword";

Restrict access to MySQL DB through localhost, not through IP?

I'm using MySQL and a web-service connect to the database to read some values.
The web-service and the database are on the same server.
I want to deny access to the database through the public static IP of the server and the port of MySQL.
That means only allow access to the database through localhost, so that only the web-service can connect to it, How to do so ? What configuration for example in MySQL should i do ?
It's not possible to restrict access to mySQL to specific applications as such.
You can, however, create a user account (e.g. named webservice) that is restricted to connect from 127.0.0.1 - that's the best you can do as far as I know, and should be totally sufficient.
There is no way to restrict access to only the web-service. You can restrict it to just applications running on the same host. To do this, create a new user with a host of either 127.0.0.1, or localhost should also work. You can either do this graphically or through the command line:
CREATE USER 'webservice'#'localhost' IDENTIFIED BY 'webservicepassword';
// Grant privileges here...
// For example, GRANT ALL PRIVILEGES ON *.* TO 'webservice'#'localhost' - but it's a far better idea to restrict access to only what it needs...
You can also limit traffic to your MySQL database from only the localhost at the TCP layer. I'm not sure the pros and cons of this method versus using the MySQL database permissions.
https://www.thegeekdiary.com/understanding-tcp-wrappers-in-linux/
In the /etc/hosts.allow, add:
mysqld: LOCAL
This whitelists the localhost to have access to the database daemon. You can use a comma separated list of IP addresses and hostnames that are also allowed.
In the /etc/hosts.deny, add:
mysqld: ALL
This denies access to the daemon to anything that was not whitelisted.