im trying to get remote access to my MySQL / MariaDB server however it keep denying my access. Here is my setup:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
mysql
MariaDB [(none)]> SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';
+----------+------+
| User | Host |
+----------+------+
| feed_user| % |
+----------+------+
my.cnf
[mysqld]
local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 30227/mysqld
The server is within my local network, on a different subnet.
Internal firewall is set to allow connections between the two subnets, can see the traffic being accepted.
Any ideas on why it wont allow me remote access?
Thanks
Chris
Turns out i was adding the rules to iptables instead of firewalld. After adding the rules to firewalld i was able to access the the server remotely.
I am trying to set up mysql so that a user 'imbnpandmkexby' can connect to database 'de0rllo43ct314' from any remote IP address, or locally.
=========== THESE ARE THE STEPS I'VE TAKEN: ===========
1) In my MySQL config, I have commented out the bind-address line, verified that skip-networking is not in the file, and restarted mysql:
#/etc/mysql/my.cnf:
#bind-address = 127.0.0.1
2) I added remote permissions (by using the '%') for user 'imbnpandmkexby' on the desired database 'de0rllo43ct314':
[ remote ] > mysql -u root -p
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'#'localhost' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'#'127.0.0.1' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'#'%' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > FLUSH PRIVILEGES;
[ mysql ] > select * from mysql.user\G
This outputs:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password:
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password:
...
3) At this point I can connect with an SSH tunnel using Sequel Pro. The user appears to have all the right permissions.
4) Next I opened a firewall port and verified that MySQL is listening on that port:
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
[ remote ] > sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Since this box is hosted on amazon ec2, I also opened up port 3306 in its security group:
5) I can telnet into the port:
Trying 00.00.00.000...
Connected to ec2-00.00.00.000.us-west-2.compute.amazonaws.com.
Escape character is '^]'.
=========== THIS IS WHERE I'M STUCK: ===========
00.00.00.000 shown instead of actual IP
When I try connecting to the database from my local machine, it doesn't work:
[ local ] > mysql -u imbnpandmkexby -h 00.00.00.000 -p
[ local ] > Enter password:
[ local ] > ERROR 2003 (HY000): Can't connect to MySQL server on '00.00.00.000' (61)
I am able to connect to a database on a dreamhost server, so it doesn't seem to be a block on my side:
[ local ] > mysql -u dreamhost_user -h mysql.dreamhostdomain.com -p
[ local ] > Enter password:
[ local ] > Welcome to the MySQL monitor. Commands end with ; or \g.
Is there a layer of permissions that I'm missing?
Okay, finally figured it out! I had a combination of two problems:
1) My SQL rule was coming after a REJECT rule in the iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
What I did was remove the last rule, and re-add it at index 10:
[ remote ] > iptables -vnL --line-numbers ##Prints rules along with line numbers
[ remote ] > iptables -D INPUT 14
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
I knew this was a step in the right direction because I was now able to connect to the box via telnet ("telnet 00.00.00.000 3306")
2) The second problem I has was that my MySQL user only had a password set on the 'localhost' user, not the users with access to '127.0.0.1' or '%'. It turns out that each user-host combination needs a password. Now when I run "select * from mysql.user\G" in the MySQL console, I get:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password: *0000000000000000000000
...
run tcpdump on mysql server to ensure tcp/3306 is actually getting to that box, or to see where its being blocked.
if connecting to remote tcp/3306 hangs and timeouts, its being blackholed or denied by a firewall. if it comes back right away with cant connect, its most likely making it all the way to server, but being rejected (and tcp response is returned).
I'm trying to allow remote connections to one of my mysql databases, but after I set everything up, I keep getting a time out error. Can you tell me if I perhaps missed a step?
I'm running Ubuntu 12.04 with MySQL 5.5.38-0
Here's my /etc/mysql/my.cnf file
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
# skip-external-locking
bind-address = 0.0.0.0
Once I updated the my.cnf file, I restarted MySQL and then ran the following to open TCP port 3306
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
Then saved the new rules using:
sudo /sbin/iptables-save
I can see it when I run sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP udp -- anywhere anywhere udp spt:bootps
LOG all -- anywhere anywhere LOG level warning prefix "INPUT__"
DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
I then created a test database:
> create database kentest;
Granted it all privileges from any host:
> GRANT ALL ON kentest.* TO kentest#'%' IDENTIFIED BY 'mypassword';
And flushed the privileges:
> flush privileges
But when I try and connect from another box:
$ mysql -u kentest -h x.x.x.x -p
I get the timeout message:
ERROR 2003 (HY000): Can't connect to MySQL server on 'x.x.x.x' (60)
I did notice that I don't see the port being used when I run
$ lsof -i -P | grep :3306
Any ideas what I could be doing wrong or missing?
Thanks!
I was able to figure out the issue. We are using CSF for our firewall and needed to add the IP to:
sudo vi /etc/csf/csf.allow
Then restart CSF:
$ csf --restart
cant get it to work. this is what i've done so far:
mysql> CREATE USER 'admin'#'localhost' IDENTIFIED BY 'xxxxxx';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'admin'#'localhost' WITH GRANT OPTION;
mysql> CREATE USER 'admin'#'%' IDENTIFIED BY 'xxxxxx';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'admin'#'%' WITH GRANT OPTION;
in AWS Console -> EC2 -> Network & Security -> Security Groups -> quick-start-1 -> Inbound tab -> Choose 'MYSQL' from drop down -> Add Rule -> apply
edit /etc/my.cnf and added bind-address, then
sudo /etc/init.d/mysqld restart
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
sudo service iptables save
and finally from my computer:
[nir#dhcppc4 ~]$ mysql -h xxx.xxx.xxx.xxx -u admin -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (113)
EDIT:
running netstat -lp | grep mysql (I dont see port number in the output):
tcp 0 0 *:mysql *:* LISTEN -
unix 2 [ ACC ] STREAM LISTENING 16003 - /var/lib/mysql/mysql.sock
added in /etc/my.cnf
port=3306
and now netstat -lp | grep mysql is
tcp 0 0 *:mysql *:* LISTEN -
unix 2 [ ACC ] STREAM LISTENING 37757 - /var/lib/mysql/mysql.sock
/etc/my.cnf file:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
port=3306
bind-address = 0.0.0.0
#skip-networking
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
plus i tried to connect through other computer and i could not connect, so i guess its not a problem on the connecting computer
and i got access denied my telnet:
[nir#dhcppc4 ~]$ telnet xxx.xxx.xxx.xxx 3306
Trying xxx.xxx.xxx.xxx...
telnet: connect to address xxx.xxx.xxx.xxx: No route to host
** i'm also trying to solve it in amazon ec2 forum
SOLVED
the problem:
i have in the iptables this line
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and this line only append the rule to the end of the list so the reject catch it first
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
to solve it i needed to put the rule higher in the chain, i.e. use -I switch like this:
sudo iptables -I INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
This question is related to the following questions:
Can't connect to MySQL server error 111
Trying to connect to remote MySQL host (error 2003)
I am configuring a new MySQL (5.1) server on my local machine. I need to provide remote access to the database. I did the following steps:
Comment bind-address in my.cnf:
# bind-address = 192.168.1.3
Grant privileges:
GRANT ALL PRIVILEGES ON *.* TO 'nickruiz'#'%' IDENTIFIED BY PASSWORD 'xxxx';
Set port forwarding on router (TCP and UDP, port 3306, 192.168.1.3)
Configure iptables for firewall
sudo iptables -I INPUT -p udp --dport 3306 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 3306 --syn -j ACCEPT
sudo iptables-save
Restart mysql server sudo /etc/init.d/mysql restart
When testing, I get the following:
LAN:
mysql -h 192.168.1.3 -u nickruiz -p
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 95
Server version: 5.1.63-0ubuntu0.11.04.1 (Ubuntu)
Remote:
mysql -h 1xx.xx.4.136 -u nickruiz -p
ERROR 2003 (HY000): Can't connect to MySQL server on '1xx.xx.4.136' (111)
Clearly there's something wrong that's preventing me from being able to use my global IP address.
Notes:
I've tried testing the remote connection on the same machine and also
via SSH from a remote machine.
I'm not sure if my ISP has given me a static IP.
Any ideas?
Update:
telnet doesn't seem to be working.
telnet 192.168.1.3 3306
Trying 192.168.1.3...
Connected to 192.168.1.3.
Escape character is '^]'.
E
5.1.63-0ubuntu0.11.04.1,0g8!:#pX;]DyY0#\)SIConnection closed by foreign host.
Please check your listenning ports with :
netstat -nat |grep :3306
If it show
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
Thats is ok for your remote connection.
But in this case i think you have
tcp 0 192.168.1.3:3306 0.0.0.0:* LISTEN
Thats is ok for your remote connection.
You should also check your firewall (iptables if you centos/redhat)
services iptables stop
for testing or use :
iptables -A input -p tcp -i eth0 --dport 3306 -m state NEW,ESTABLISHED -j ACCEPT
iptables -A output -p tcp -i eth0 --sport 3306 -m state NEW,ESTABLISHED -j ACCEPT
And another thing to check your grant permission for remote connection :
GRANT ALL ON *.* TO remoteUser#'remoteIpadress' IDENTIFIED BY 'my_password';
errno 111 is ECONNREFUSED, I suppose something is wrong with the router's DNAT.
It is also possible that your ISP is filtering that port.
Check that your remote host (i.e. the web hosting server you're trying to connect FROM) allows OUTGOING traffic on port 3306.
I saw the (100) error in this situation. I could connect from my PC/Mac, but not from my website. The MySQL instance was accessible via the internet, but my hosting company wasn't allowing my website to connect to the database on port 3306.
Once I asked my hosting company to open my web hosting account up to outgoing traffic on port 3306, my website could connect to my remote database.
/etc/mysql$ sudo nano my.cnf
Relevant portion that works for me:
#skip-networking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = MY_IP
MY_IP can be found using ifconfig or curl -L whatismyip.org |grep blue.
Restart mysql to ensure the new config is loaded:
/etc/mysql$ sudo service mysql restart
I had the same problem trying to connect to a remote mysql db.
I fixed it by opening the firewall on the db server to allow traffic through:
sudo ufw allow mysql
if the system you use is CentOS/RedHat, and rpm is the way you install MySQL, there is no my.cnf in /etc/ folder, you could use:
#whereis mysql
#cd /usr/share/mysql/
cp -f /usr/share/mysql/my-medium.cnf /etc/my.cnf
I have got a same question like you, I use wireshark to capture my sent TCP packets, I found when I use mysql bin to connect the remote host, it connects remote's 3307 port, that's my falut in /etc/mysql/my.cnf, 3307 is another project mysql port, but I change that config in my.cnf [client] part, when I use -P option to specify 3306 port, it's OK.
i set my bind-address correctly as above but forgot to restart the mysql server (or reboot) :) face palm - so that's the source of this error for me!
Sometimes when you have special characters in password you need to wrap it in '' characters, so to connect to db you could use:
mysql -uUSER -p'pa$$w0rd'
I had the same error and this solution solved it.
I had this same error and I didn't understand but I realized that my modem was using the same port as mysql. Well, I stop apache2.service by sudo systemctl stop apache2.service and restarted the xammp, sudo /opt/lampp/lampp start
Just maybe, if you were not using a password for mysql yet you had, 1045 (28000): Access denied for user 'root'#'localhost' (using password: YES), then you have to pass an empty string as the password
Not sure as cant see it in steps you mentioned.
Please try FLUSH PRIVILEGES [Reloads the privileges from the grant tables in the mysql database]:
flush privileges;
You need to execute it after GRANT
Hope this help!