Force .NET to use a Certain IP when Connecting to MySQL

I have a situation where I have a computer with multiple IPs; the computer's primary IP will never change, but all the secondary IPs will.
I connect to a remote MySQL computer and I have access granted based on my IP address. Sometimes, my PC likes to select one of the secondary IPs.
I looked into the "Set As Source" flag and tested that solution, but what happens is that I can't select those extra IPs for outbound communication.
Imports System.Net
' Enumerate this host's own addresses
Dim IPS As IPAddress() = Dns.GetHostAddresses(Dns.GetHostName())
Any IP with "set as source" = false won't be returned by the above code.
So how would I get around this dilemma? I can't seem to find a solution; with socket programming I can bind any IP I want, but I don't see a way to do this with a MySQL connection.

Anyway, I was able to accomplish this by adding a second NIC on the server and putting the single IP on one NIC and all the other IPs on the second NIC, then putting in a route that forces the traffic to MySQL through the primary NIC interface.
Without two NICs you can't select which IP it uses, but with two you can assign the routes to either NIC (interface).

Related

MySQL/MariaDB Binding Address Server Public Address Or :: or 0.0.0.0?

As a preamble, I have developed my own CRM (something like SalesForce or SAP) of a much, much lower "scale", as it is oriented for services, not sales. I use MySQL or MariaDB (preferred now) on Ubuntu 16.04 server to save all data.
I have always used the MySQL or MariaDB server public IP address as the binding address in my.cnf, and it has all worked fine for years. But sometimes it just stops allowing communication from the outside world (it allows connections locally), and when it does, it does not allow outside connections anymore until I change the binding IP to 0.0.0.0 or ::; then it all works. So the question is, what happens? I am also a little concerned about using 0.0.0.0 (IPv4) or :: (IPv6) for the binding address, because I am not sure if there is any higher security risk when doing this.
I do run a Master-to-Master connection, and the second Master does have the public address as the binding address, and it is working fine.
The Ubuntu internal firewall is disabled, as I rely on another firewall for it. I have disabled this firewall for a few seconds for testing, but the problem persists. I do use Fail2Ban for Linux, but nothing is being blocked.
What do you guys think might be causing the change in behavior (not allowing external connections)?
Is there any benefit to using the public IP address as the binding address?
What are the risks of using 0.0.0.0 for the binding address instead of the server's public address?
Is it better to use :: than 0.0.0.0? What are the benefits?
Thanks in advance!
Check your mysql database User and Db tables. You MUST have a proper GRANT for the external IP you are trying to reach from. You will need something like
GRANT ALL ON <database>.* TO 'externaluser'@'external_ip' IDENTIFIED BY 'whatever';
Otherwise, MySQL will not allow access.

HAProxy IP forwarding to MySQL to control user access based on IP

We can create users in MySQL which are allowed from a particular IP or range of IPs, e.g. CREATE USER 'username'@'IP' IDENTIFIED BY ...
Here, if I give a particular IP, it means only users from that IP can access MySQL.
Now there is a need for a load balancer (HAProxy) on top of many MySQL nodes behind it. The issue is: when a request comes from HAProxy to MySQL, it is HAProxy's IP which arrives at MySQL. So the way I want to use the IP while creating a user doesn't work. My question is about this use case only, and I would like to know whether there is any solution for it.
You have to create a user with the HAProxy IP, since DB traffic will be coming from there.
Instead of specific IPs, you can also opt for wildcard IPs, e.g. 'user'@'10.10.10.%'. Users can then access MySQL from machines with IPs starting with 10.10.10. If both the DB and HAProxy machines are on the same network (10.10.10.x), you only need to create one account.
Explore more options in the documentation: https://dev.mysql.com/doc/refman/5.7/en/account-names.html
If you decide to fully transition the users to use the proxy to access MySQL, you can change the host of the user account as mentioned here: https://stackoverflow.com/a/12045483/255523
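The GRANT advice in the bind-address answer and the wildcard-host advice in the HAProxy answer both come down to how MySQL compares the connecting client's address with the Host column of mysql.user. The following is an added example, not code from either answer or from MySQL itself: a small emulation of that comparison for the host forms the linked documentation describes, a literal IP, a LIKE-style wildcard such as 10.10.10.%, and the base_ip/netmask form. The account rows and client IPs are constructed for the example, and the "literal row before wildcard row" ordering follows the documentation's rule that more specific Host values are tried first; where the netmask form sits in that ordering is a simplifying assumption here.

```python
"""
Emulation of MySQL account-host matching (added example, not MySQL code).

Host forms handled:
  * literal IP            '203.0.113.10'
  * LIKE-style wildcard   '10.10.10.%'   (% = any run, _ = exactly one char)
  * netmask form          '192.168.1.0/255.255.255.0'
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of (User, Host) rows as they would appear in mysql.user.
ACCOUNTS: List[Tuple[str, str]] = [
    ("externaluser", "203.0.113.10"),             # exactly one client address
    ("app", "10.10.10.%"),                         # whole 10.10.10.0/24 via wildcard
    ("app", "10.10.10.5"),                         # a specific host inside that range
    ("app", "192.168.1.0/255.255.255.0"),          # netmask form for another range
    ("anyone", "%"),                               # any host at all
]


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate MySQL's LIKE-style host pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def host_matches(client_ip: str, host_pattern: str) -> bool:
    """True if client_ip is covered by the account's Host value."""
    if "/" in host_pattern:                        # base_ip/netmask form
        base, mask = host_pattern.split("/", 1)
        try:
            net = ipaddress.IPv4Network((base, mask), strict=False)
            return ipaddress.IPv4Address(client_ip) in net
        except ValueError:
            return False                           # malformed pattern never matches
    return _wildcard_to_regex(host_pattern).match(client_ip) is not None


def specificity(host_pattern: str) -> tuple:
    """Sort key: literal hosts first, then netmask ranges, then wildcards."""
    if "/" in host_pattern:
        return (1, 0, 0)
    wild = host_pattern.count("%") + host_pattern.count("_")
    return (0 if wild == 0 else 2, wild, -len(host_pattern))


def find_account(user: str, client_ip: str) -> Optional[str]:
    """Host value of the row MySQL would select for user connecting from client_ip, or None."""
    candidates = [h for u, h in ACCOUNTS if u == user and host_matches(client_ip, h)]
    if not candidates:
        return None                                # no matching row: access denied
    return sorted(candidates, key=specificity)[0]


if __name__ == "__main__":
    for user, ip in [("externaluser", "203.0.113.10"), ("externaluser", "203.0.113.11"),
                     ("app", "10.10.10.5"), ("app", "10.10.10.77"),
                     ("app", "192.168.1.40"), ("app", "10.10.11.1"),
                     ("anyone", "198.51.100.9")]:
        print(f"{user}@{ip} -> {find_account(user, ip)}")
```

Run it as a script to see which row each constructed client would hit; the externaluser row only ever matches its one literal IP, which is the check the first answer asks for, and the app rows show the wildcard and netmask forms the second answer points at. When a proxy sits in front of the server, the client_ip that reaches this logic is the proxy's address, which is why the HAProxy answer says the account host has to be the proxy's IP or a pattern covering it.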

rDNS security of MySQL remote connections

Consider a MySQL server that accepts remote connections.
What happens if you have a publicly facing MySQL server and grant access to, e.g.:
'sqluser'@'localhost'
If an attacker now sets his rDNS to "localhost", will he be able to access this database?
Is there an extra check that also tries to resolve the rDNS back to the IP?
Regardless, database servers shouldn't be internet facing, but this is a what-if question.
It appears that MySQL uses forward-confirmed reverse DNS (FCrDNS) to counter this kind of attack.
Most of the logic for the hostname checks can be found in sql/hostname.cc. Moreover, several checks are also performed to make sure that the rDNS doesn't contain an IP or is otherwise poisoned.

MySQL user host networking

How is the host for a MySQL user evaluated by the database? My server tries to connect to the database from myhostname but fails, even though I've set the hostname for that server in /etc/hostname. It does work when I use an IP, though.
The user was created like so:
GRANT ALL ON db.* TO 'dude'@'myhostname';
The MySQL error will tell you the hostname the server machine thinks your user is connecting from. Depending on DNS settings, this may or may not be the hostname your client thinks is assigned to itself. The name as seen from the server is the one you need to set in your GRANT statement.
(Which is logical. Suppose I know that the server gives privileges to host Alice. I have host Bob. Since it's my host, I can change its name to Alice. If just doing this granted me Alice's privileges, the whole GRANT scheme would be completely insecure! What happens is that my host thinks it's Alice, but the server sees my IP, asks the DNS "Who is this?" and receives "He's Bob". I still can steal Alice's privileges, but I need to compromise the DNS records somehow)
In a pinch, add the client IP and hostname to the server /etc/hosts file. This is a hack, however, and proper DNS setting is the way to go: a forgotten hosts hack might cost you a long time of head scratching a few months down the road.
As explained in DNS Lookup Optimization and the Host Cache from the MySQL manual:
The server performs host name resolution using the thread-safe gethostbyaddr_r() and gethostbyname_r() calls if the operating system supports them. Otherwise, the thread performing the lookup locks a mutex and calls gethostbyaddr() and gethostbyname() instead.
Therefore the resolution of the connecting IP to myhostname is a matter for the operating system, rather than MySQL. You should first determine that your OS is correctly resolving the client IP and, if not, debug your OS or name-service configuration (questions on this subject might be better directed to Super User or Server Fault, rather than Stack Overflow).
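Both the rDNS what-if above and the myhostname question come down to the same check: the server takes the peer IP, asks DNS for its name, and only trusts that name if it resolves back to the same IP. The following is an added example, not code from MySQL's sql/hostname.cc or from either answer: a forward-confirmed reverse DNS check with the two lookups injected as functions, so it runs offline against constructed PTR and A records. The record tables, the demo_* resolvers and the attacker addresses are assumptions made for this example; a real check would call socket.gethostbyaddr and socket.getaddrinfo, the Python front ends for the gethostbyaddr_r / gethostbyname_r calls the manual mentions.

```python
"""
Forward-confirmed reverse DNS for a connecting client (added example).

Accept the reverse-resolved name only if:
  1. the PTR lookup returns a name at all,
  2. the name is not itself an IP literal (which could otherwise be
     made to look like an IP-based grant), and
  3. the name forward-resolves to a set of addresses containing the
     original client IP.
Step 3 is what defeats "set my PTR to localhost": 'localhost' forward
resolves to 127.0.0.1, not to the attacker's address.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]   # ip -> hostname, None if no PTR
ForwardLookup = Callable[[str], List[str]]        # hostname -> addresses


def looks_like_ip(name: str) -> bool:
    """True if a PTR answer is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def fcrdns_hostname(client_ip: str,
                    reverse: ReverseLookup,
                    forward: ForwardLookup) -> Optional[str]:
    """Return the hostname safe to use for privilege matching, or None."""
    name = reverse(client_ip)
    if not name:
        return None                                # no PTR: fall back to IP-only grants
    name = name.rstrip(".").lower()                # normalise trailing dot and case
    if looks_like_ip(name):
        return None                                # PTR pointing at an IP literal
    if client_ip not in set(forward(name)):
        return None                                # name does not map back to this peer
    return name


# Constructed zone data for the example (assumption, not real records).
PTR: Dict[str, str] = {
    "203.0.113.10": "db-client.example.net",       # honest client
    "203.0.113.66": "localhost",                   # attacker-controlled PTR
    "203.0.113.67": "db-client.example.net",       # attacker claims someone else's name
    "203.0.113.68": "10.0.0.5",                    # PTR that is an IP literal
    "127.0.0.1": "localhost",
}
A: Dict[str, List[str]] = {
    "db-client.example.net": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
}


def demo_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)


def demo_forward(name: str) -> List[str]:
    return A.get(name, [])


def check(ip: str) -> Optional[str]:
    """Run the FCrDNS check for one client against the constructed records."""
    return fcrdns_hostname(ip, demo_reverse, demo_forward)


if __name__ == "__main__":
    for ip in ["203.0.113.10", "203.0.113.66", "203.0.113.67",
               "203.0.113.68", "203.0.113.99", "127.0.0.1"]:
        print(f"{ip} -> {check(ip)}")
```

The myhostname failure in the question is the honest case failing step 3 in reverse: the client's own /etc/hostname never enters this logic, only the PTR record the server's resolver returns for the client IP, which is why the first answer says to use the name the server reports in its error message.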

Unable to connect to Amazon web service mysql instance

I went through these instructions:
http://docs.amazonwebservices.com/AmazonRDS/latest/GettingStartedGuide/
But still can't connect to the database using mysql from the command line.
I even tried:
telnet xxxxxxx.clpkcufglfdn.us-east-1.rds.amazonaws.com 3306
but that doesn't connect either.
I did set up the DB security group using the CIDR suggested by the console (I hope it gave me the right value).
Update: Firewalls are disabled on my end. It would be odd if amazon had firewalls on their end and wouldn't mention it in their documentation.
Update2: I'm behind a wireless router which had assigned my machine the IP of 10.0.0.2 so I tried adding that to the security groups but still can't connect.
Update: Firewalls are disabled on my end. It would be odd if amazon had firewalls on their end and wouldn't mention it in their documentation.
Amazon's security groups are a firewall.
I did set up the DB security group using the CIDR suggested by the console (I hope it gave me the right value).
If it's not the IP you're connecting from, it's not the right value.
Sounds like you have a firewall that is dropping your connection. Either it is on your end or Amazon's end; probably need to talk to your IT group and if that isn't the issue then Amazon's group to see if you missed a step.
If you are trying to access an RDS instance from within the same AWS datacenter, you need to specify a local internal IP address (i.e. 10.x.x.x) and not the public DNS/IP, as your connection simply doesn't go out of the LAN.
You can find the local IP address of your EC2 box by typing: ifconfig, OR by checking your login name (i.e. ubuntu@10.x.x.x).
I didn't find this anywhere and wasted a lot of time. I hope this helps!