I'm configuring my EC2 server. I managed to install php, laravel etc. (with a bit of suffering though). Now I
created an user on MariaDB
granted all permissions from remote
enabled bind-address = 0.0.0.0 in my.cnf
tested local login, works
opened rules in the Security group for Mysql/Aurora, port 3306, TCP, all IPs, both incoming and outcoming
but still can't login from remote, I get
ERROR 2003 (HY000): Can't connect to MySQL server on 'yyz.yyz.yyz.yyz' (110)
What can I do? I don't have any iptables of sort, everything is supposed to be plain simple... but it's not :-(
I'm trying to connect from outside the Amazon network, with this string
mysql -u myuser -pmypwd -h yyz.yyz.yyz.yyz -D myschema
Please notice that from the server itself I can connect using
mysql -u myuser -p -h localhost -P 3306 -D myschema
Thank you
Marco
P.S. For reference, here are my MariaDB users
+---------------------------------------------+-----------+
| host | user |
+---------------------------------------------+-----------+
| % | myuser |
| 127.0.0.1 | root |
| ::1 | root |
| ip-yyz-yy-zz-yyz.us-west-2.compute.internal | root |
| localhost | root |
| localhost | myuser |
+---------------------------------------------+-----------+
EC2 instances have two IP addresses, internal and external.
It looks to me like your user table authorizes access from the internal IP address.
ip-yyz-yy-zz-yyz.us-west-2.compute.internal | root
Are you trying to connect to the internal address from outside AWS? That Doesn't Work™.
If you're trying to connect to the external address, you'll have to add it to your user list.
For troubleshooting but not production, you can add a * | root user.
You can also try https://xyz.xyz.xyz.xyz:3306 from a browser. It won't connect, but if it times out you know there's no route to that address from your machine. If it yields some kind of gibberish, immediately, you know the MySQL port is visible.
good news and bad news.
Good news: I solved the issue!
Bad news: We all were right. It was enough to open the 3306 port in the Security Group. The issue was that - for reasons unknown to me - I kept seing the wrong security group. I logged off, logged in again and saw the right one. Enabled the port 3306 there and - magic - it worked!
Thank you to everybody who spent time in order to help mi fixing this!
Related
I've tried searching left and right and I can't find a solution to my problem. I can connect perfectly fine on my localhost to my docker container's database (simply by connecting to localhost/127.0.0.1/ubuntuip) on dbeaver, but when it comes to connecting to my docker mysql container on the remote ubuntu server (so not the ubuntu running on my computer), it doesn't work.
Things I've tried
Connecting to the ubuntu server ip (by doing "hostname -I";
Connecting to the ip shown when I run "curl http://checkip.amazonaws.com" on the remote ubuntu server (I ssh into it);
Connecting to the docker container ip when I do inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name_or_id on the remote ubuntu server.
None of those worked and I'm getting a bit lost honestly. When I do select host, user from mysql.user on the remote ubuntu server, I get this :
mysql> select host, user from mysql.user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| % | root |
| localhost | mysql.infoschema |
| localhost | mysql.session |
| localhost | mysql.sys |
| localhost | root |
+-----------+------------------+
From what I understand, I should be able to connect to it since I allow any host (this is dev, not prod). I can easily ping my db container, the tables are created fine in it and everything. I just can't connect to it from my Dbeaver.
Any help is appreciated, thanks :)
Fixed it. Just like David Maze said, I had to connect to the same url as the one I used to ssh, but I had already tried that. What I had to do was to also go in the SSH tab on dbeaver and add the host (same url) and select the auth method to "public key" and I selected my ssh key folder (id_rsa) which is located at \\wsl$\Ubuntu-18.04\home\user\.ssh\id_rsa. I left the "passphrase" blank and now it works!
Thanks for the help!
I am troubleshooting a MySQL privileges problem.
I want to connect to MySQL on the local server, but refer to it by it's LAN name (so I can use the same user/pass/host on several web-nodes).
I have included credentials in the privilege tables for both a %.lan and a localhost user.
mysql> select user,host from mysql.user where user = 'mysqluser';
+-----------+---------------------+
| user | host |
+-----------+---------------------+
| mysqluser | %.lan |
| mysqluser | localhost |
+-----------+---------------------+
However, when I try to login, I get the error message
[systemuser#servername.mydomain.com ~]$ mysql -u mysqluser -p -h servername.mydomain.com.lan
Access denied for user 'mysqluser'#'servername.mydomain.com'
Note that servername.mydomain.com.lan does resolve to a 192.168.% IP; i.e. it's in my /etc/hosts file. Moreover, reverse DNS for the IP in question resolves as expected.
[systemuser#servername.mydomain.com ~]$ dig -x 192.168.X.Y
...
;; ANSWER SECTION:
Y.X.168.192.in-addr.arpa. 86400 IN PTR servername.mydomain.com.lan.
If I temporarily grant privileges to 'mysqluser'#'%' and login, MySQL reports
mysql> status
...
Current user: mysqluser#servername.mydomain.com
...
Connection: servername.mydomain.com.lan via TCP/IP
...
Why is the host for my Current user not equal to the host for my Connection?
What I am doing/assuming incorrectly? I should note that my arrangement was working as intended (for weeks), on two farms on a common LAN, then both, independent MySQL instances suddenly started rejecting MySQL connections.
Context
So I'm following the tutorial for securing MYSQL on a Linux machine from DigitalOcean (https://www.digitalocean.com/community/tutorials/how-to-secure-mysql-and-mariadb-databases-in-a-linux-vps) and I am at the section where we are renaming the root user so that it will be more difficult for people to gain unauthorized access to the databases.
After executing rename user 'root'#'localhost' to 'newAdminUser'#'localhost';, I see:
+------------------+-----------+-------------------------------------------+
| User | Host | Password |
+------------------+-----------+-------------------------------------------+
| newAdminUser | localhost | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | 127.0.0.1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | ::1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| debian-sys-maint | localhost | *0BA36D18675A3EC9BBA779AAD0C189D798C886B1 |
+------------------+-----------+-------------------------------------------+
Question
Should I be changing the name for the other root users? What effect would this have on my machine - does the machine expect to have these "root" users?
I appreciate your time and assistance!
You can safely remove the 'root'#'127.0.0.1' user since it is equivalent to 'root'#'localhost' (you can still connect to host localhost or 127.0.0.1 using root).
Changing the user name from root to something else provides a marginal security enhancement as a person would already need to have gained access to the system (either locally, or exploited a website and tries to connect from a script).
You can also remove the IPv6 localhost equivalent ::1 if you don't need to connect to MySQL locally over IPv6.
You should not delete the debian-sys-maint account as this is used by the system to perform log related tasks.
As long as you ran mysql_secure_installation and removed root accounts that are accessible from outside the local host it shouldn't really matter from a security standpoint (unless you think someone will have SSH access to the machine, but shouldn't have access to the database).
But I would still change it, just for your own sanity - at some point you may be connecting to the database, and trying to use the newAdminUser, but MySQL sees you are connecting from 127.0.0.1 and so it says "nope, no user newAdminUser for that host, invalid password."
Well, after reading topics with the same name without success I feel forced to ask again and show you my scenario:
I am on a Kali Linux machine, my mysql config file (/etc/my.cnf) is setup this way:
bind-address = 172.16.1.228
I reset the service I can't enter neither remotely nor localy, I got this 2 errors depending on how I access:
root#Adkadon:~# mysql -u root -p -h 172.16.1.228
Enter password:
ERROR 1130 (HY000): Host 'Adkadon' is not allowed to connect to this MySQL server
mysql -u root -p -h 127.0.0.1
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1' (111)
Note that without the -h 127.0.0.1 I have never been allowed to access.
So, I change the my.cnf and set bind-address to 0.0.0.0.
I access this way: mysql -u root -p -h 127.0.0.1, I do the following:
GRANT ALL PRIVILEGES ON *.* TO root#172.16.1.228 BY ‘root‘ WITH GRANT OPTION;
Again change bind-address to 172.16.1.228 and no success.
This is the output of SELECT user,host FROM user; inside the database:
root | 127.0.0.1 |
| root | 172.1.16.228 |
| root | ::1 |
| debian-sys-maint | localhost |
| root | localhost |
| root | repo
I don't know what do to, any idea¿? Thank you very much
If I guess right, 172.1.16.228 is your IP of mysql server .
'Adkadon' is the host where you try to access mysql from.
If that is the case, get the IP address of Adkadon (ifconfig)
Say if 172.1.16.xxx is your host IP, then in my.cnf mention
bind-address = 172.16.1.xxx
This indicates connections are allowed only from 172.16.1.xxx
Create a user root#172.16.1.xxx
And for connecting to mysql , use command
mysql -u root -p -h 172.1.16.228
Please note, -h 172.1.16.228 indicates where to connect to, not where it is connecting from.
Does it solve your problem? Or am I missing something from your question?
When I try to connect to a local mysql database using it's remote ip-address I get a access denied. When I try to connect to that same database from an external machine, it works without any problems. When I connect to the local database using localhost, it works perfectly as well. E.g., if the database server has the ip 1.2.3.4 then I get the following results:
# From the db server
mysql -u username -h localhost -p #works perfectly
mysql -u username -h 127.0.0.1 -p #works perfectly
mysql -u username -h 1.2.3.4 -p #Access denied
# From any other machine
mysql -u username -h 1.2.3.4 -p #works perfectly
What can I do to allow local access to my database using its remote ip-address? The OS of the database server is Fedora 15 and the MySQL version is 5.5.23.
Try to edit/add bind-address = 0.0.0.0 to your [mysqld] section of your /etc/mysql/mysql.conf.d/mysqld.cnf file and restart MySQL Service.
I found the solution to my problem myself, but I still don't quite understand why it didn't work:
I granted privileges to that user on the hosts % and localhost:
# Before
+-----------------+------------+
| Host | User |
+-----------------+------------+
| % | username |
| localhost | username |
+-----------------+------------+
With these settings I got the results I showed above. When I granted privileges to that user on host it suddenly did work.
# After
+-----------------+------------+
| Host | User |
+-----------------+------------+
| % | username |
| localhost | username |
| <myIpAddress> | username |
+-----------------+------------+
Apparently % does work for remote connections, but not for local connections.
This particular issue can be caused by host name resolution.
I have resolved it in my particular case by deleting this variable from my my.cnf config file:
skip-name-resolve
Either remark the variable by placing a pound sign # or just delete it from your my.cnf after making sure you back it up, of course.