Allowing Remote MySQL connections - mysql

I'm building an Excel app using VSTO / VB.NET and make several connections to a bunch of databases/tables in MySQL which is hosted on a BlueHost account.
Now, they require for the IP address of the inquiring computer to be registered as a 'host', which sounds great for security but given the app will be distributed to a theoretically unlimited number of people on an unlimited number of computers - it's very impractical for me to individually allow each client IP address in my BlueHost account. What's the best way to allow access, on the fly?
The database user/password will already have the correct permissions to the relevant databases etc. It's just a matter of allowing them access to a remote MYSQL connection to start off with.
I've read around SO to use the 'GRANT ALL' SQL Command but I'm not sure exactly when and where to use this. How would you run a SQL command before making a connection to the database; because it is at this point that the connection throws an error..

Take a look at this it has all your info for conecting to remote servers too, Here

Related

setup remote sql server

I've got a small database which is going to be used 1mo/year. I also need a remote access to this database. I have tried dozens of free mysql database servers, but they're all too slow. I mean queries are being executed for ages. For example, it takes 2 mins to execute 10 queries from my Application. What I want is to setup a remote access to my localhost database. I've granted access for '%' IPs, commented bind-address in MySQL config file, but it seems to be working only for local network.
The question is: how do I put my SQL server into the web so anyone could access it using my IP as a host from any location in the world? Is it even possible? At least give me directions how to find an answer. Ty. P.S.: IP is static

Connecting to a database without remote connection

Due to security considerations from my provider, I am not able to MySQL Workbench to connect to my database. The only way to access my database is to use phpmyadmin. Because I'm used to use MySQL Workbench and their tools, it is for me much easier to maintain my database. Using phpmyadmin is annoying, so I'm googeling a solution to use anyway MySQL Workbench. Is there a way to break this security consideration or to connect MySQL Workbench through phpmyadmin to gain access to the database?
If your hosting provided did it recently then I am pretty sure it is must be a response to this terrible security flaw discovered in mysql last month. The attack is as simple as running that one line shell command.
Not all OS/MySQL combinations are vulnerable. In case your hosting company was, then for a few moments - all customers
logins were at stake (including the root login).
To answer your question, unfortunately you can not do much in this case. You cannot do any port forwarding tricks even if you have shell(ssh) access because normally port forwarding isn't allowed in shared hosting environments.
In case you want to try, you can run this command on a unix box
$ ssh -L 3306:localhost:3306 username#yoursite.com
If you can login and don't see any errors related to port forwarding, perhaps your can direct your workbench to localhost on port 3306 and theoretically it should work.
If you are using windows you can use putty to do port forwarding as described here.
I think no. Only changing table Users in MySQL you can access from other IPs and hosts. And this table is not accessible by other users.

Cannot connect to MySQL server over different domains

I'm having a problem connecting to a MySQL server over two different trusted domains.
We're developing an app for internal use and have been using MySQL till now. It's a desktop app written in vb.net.
Up until now all the users were on the same domain and there were no issues. Just recently there was an higher-level decision to split users in 2 different domains for various reasons.
The problem is that users from the new domain cannot access the server. If that helps, I was told by the administrators that the users from both domains are trusted. Both machines are running Windows Server - 2003 and 2008.
The server port is open, the grants are all in there(base_class#%) but upon attempt -
access denied for user base_class#datablock2.
What is the problem?
Access denied means the clients are connecting, but don't have the appropriate rights. So concentrate on the grant rights for those users. Note that mysql uses * for wildcards in GRANT queries, not %, so the grant query should be
GRANT ... ON database.* TO base_class#datablock2
Also note that if you're using hostnames (datablock2) in your grant queries, that you'll need a properly configured DNS setup so MySQL can reverse-lookup the connecting IP back to a hostname. hostnames are not present at the TCP/IP level, and MySQL only ever sees an IP. To match for hostnames, it has to do the reverse lookup. If that lookup fails, then it'll go purely off the IP.
IMO, this is not a development task, it's a sysadmin and/or DBA task. So devise a test case using MS Query, and hand it off to sysadmins/DBAs to figure out. ex: an ODBC configuration, and a SQL statement to run through MS Query, which should (in theory) work, and which would have worked before the split.
Prove that it works for users from the old domain. Tell them to let you know when it works for the new domain.
Otherwise, they'll continue to blame your VB app.
In MySQL, permissions are granted on a per-domain basis. That is, permissions granted to a user connecting from the local domain do not exist for a user connecting from a different domain. The same user connecting from a different domain is treated as a different accessor. The reason is to provide protection against misuse. For example, I personally configure my servers to grant potentially dangerous permissions only to users connecting from the local machine. You must be logged in to the server machine physically to delete critical data! Try granting permissions to the server for each user at each domain they will be logging in from specifically. Don't use wild cards at all. Take advantage of the additional layer of security to create a domain for administration and one for less critical tasks.

Apache-Mina FTPServer Database User Manager question

I am trying to configure the Apache FtpServer for windows, and i've got most of it running already, however I am having difficulty understanding the database user manager...
I am more or less a complete newbie to this and SQL, however I already have an FTP server up and running in Linux using VSFTPD. the company wants to migrate from linux to windows, and I have to create accounts for close to 5,000 users (which is why I want to use the database manager).
Here are my questions:
I can see that the xml configuration controls the connection to the database, but how does it control authentication? can someone explain which section handles user authentication from the database? EDIT: by user authentication, I do not mean the database connection itself, but rather how FTPServer authenticates a connection THROUGH the database.
How can I prevent / detect brute-force attempts against my server? our current linux ftp server uses DenyHosts for port 22 (ssh) and is hit by attacks at LEAST 20+ times a week, is there any kind of built-in authentication protection, and if not, can anyone suggest a way to create one? I know that the xml config has themax-login-failuressetting, which closes the connection after a certain number of attempts, but I need it to completely deny any further access from that IP, and not just close the connection.
Example:
Any attempt to log in with the following usernames results in immediate IP-BAN:
Root
Admin
Administrator
System
etc
Other settings
Attempts for non-existing users results in IP-BAN after # attempts for IP (including different users)
Attempts for existing users results in 60-second time out after # attempts (including different users)
Any and all help would be greatly appreciated. If you have any questions or require clarification on anything, please post a comment and I will make any necessary changes / replies.
Thanks.
See the example under Data source configuration here
Apache Ftpserver does not provide this functionallity out of the box. You either have to extend it and program this yourself, or use some external system that parses its log files and dynamically add/remove firewall rules (something like what fail2ban does on linux)

Injecting a user account into mySQL

Tackling a strange scenario here.
We use a proprietary workstation management application which uses mySQL to store its data. Within the application they provide number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports, however, they do not support custom reports.
Since their data is being stored in mySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the mySQL server though. Is there anyway for me to create a user account in the mySQL server? I do not want to reset the root password or anything account that might be in there, as it might break the application.
I have full access to the Windows 2003 server. I can stop and restart services, including the mySQL server. To the actual mySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).
I apologize if it came off as if I'm trying to get unauthorized access to the mySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.
You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:
GRANT ALL ON *.* TO 'myuser'#'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.
Do you have access to the MySQL server in question?
As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.
odds are there are triggers on the database side keeping a log so when you hack yourself into the database they will know when and how you did it. Not a good idea.
I assume I really should not answer this one, but it's just too much fun.
Look at This page about SQL injections. That should cover your needs.
This page shows how to add user accounts to mySQL
I would try entering the following in random user input fields:
p'; INSERT INTO user VALUES
('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
and then
p'; FLUSH PRIVILEGES;
p'; is intended to close the regular question. e.g -
Normal question is:
"Select Adress from cusomers where custName = ' + $INPUT + ';
becomes
Select Adress from cusomers where custName = 'p'; INSERT INTO user
VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
One thing that comes in mind is sniffing the database communication and hope it's not encrypted. If it is encrypted try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark
From mysql 5.0 documentation:
MySQL supports secure (encrypted)
connections between MySQL clients and
the server using the Secure Sockets
Layer (SSL) protocol. This section
discusses how to use SSL connections.
It also describes a way to set up SSH
on Windows. For information on how to
require users to use SSL connections,
see the discussion of the REQUIRE
clause of the GRANT statement in
Section 12.5.1.3, “GRANT Syntax”.
The standard configuration of MySQL is
intended to be as fast as possible, so
encrypted connections are not used by
default. Doing so would make the
client/server protocol much slower.
Encrypting data is a CPU-intensive
operation that requires the computer
to do additional work and can delay
other MySQL tasks. For applications
that require the security provided by
encrypted connections, the extra
computation is warranted.
MySQL allows encryption to be enabled
on a per-connection basis. You can
choose a normal unencrypted connection
or a secure encrypted SSL connection
according the requirements of
individual applications.
Secure connections are based on the
OpenSSL API and are available through
the MySQL C API. Replication uses the
C API, so secure connections can be
used between master and slave servers.
You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.