How to easily and safely connect to postgres or mysql remotely? - mysql

I would like to know how can you connect to postgresql in these conditions:
allow you to access them from any location (do IP filtering)
safe connection (no risk on having your password captured)
easy to setup, preferably having to configure only the server for that.
I know that the recommended approach is to use SSH port forwarding, but this requires you to start the port forwarding before trying to connect to these databases.
What is the easiest method to acquire a good enough security without having to do complex setup on the client?
Is there a way to auto enable the port forwarding stuff on demand?

For PostgreSQL you would start by making sure you are using an SSL-enabled build. (I think that is the default for most installers.)
Then you would need to allow the server to accept remote connections by setting listen_addresses (which specifies which IP addresses the server will listen on): http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html
The pg_hba.conf file allows you to specify which users can connect to which databases from which IP addresses using which authentication methods. There are a lot of authentication methods from which to choose: http://www.postgresql.org/docs/9.1/interactive/client-authentication.html
Regarding what needs to be done on the client side, the details will depend on what connector you are using from which environment; as an example, the PostgreSQL JDBC driver uses an SSL connection by default if available. To tell the JDBC driver not to accept a connection unless it can use SSL, you set a JDBC connection property: ssl=true. http://jdbc.postgresql.org/documentation/head/ssl-client.html
Sorry, but I don't know how MySQL manages any of this.

I am myself trying to find the answer for Postgre, but here is what you can do for MySQL.
First, you need to enable remote access to your database. You can create a user with remote access ability as follows.
GRANT ALL ON *.* to user@address IDENTIFIED BY 'password';
flush privileges;
More details here.
To add security to this, you can add a 'REQUIRE SSL' to the GRANT command as follows
GRANT ALL ON *.* to user@address IDENTIFIED BY 'password' REQUIRE SSL;
All this needs to be done on the server side. On the client, you just need to provide the required certificates that it will need to connect.
For details on creating certificates, the MySQL site has a step by step guide here

Related

How to connect Power BI Desktop to remote MySql server that requires authentication

I have a MySql database running on a remote server which requires ssh authentication that I need to connect to with Microsoft Power BI. I can easily connect to MySQL on my localhost machine, but cannot find a way to manage both the server ssh authentication and the database user log on information.
The server requires authentication on port 22 with a username and password and the MySQL database requires a different username and password.
Can anyone offer assistance?
It seems possible to connect remotely, though I'm not sure you can do it through an 'SSH tunnel' on port 22.
There's a discussion here about connecting remotely which sounds to me like a connection to the usual port 3306, though I'm not certain:
https://community.powerbi.com/t5/Integrations-with-Files-and/Cannot-Connect-to-MySQL-on-Linux-VM/td-p/94914
Some common pitfalls:
1) Make sure you download the correct version of MySQL/Net connector. As of now, version 6.6.5 seems to be working. I wasted a lot of time trying to figure out what was wrong with earlier versions.
2) Server & database settings: closed ports / user permissions / bind-address
Before connecting PowerBI, try to connect another utility like MySQL Workbench. This will force you to troubleshoot the above settings.
This is not currently possible with PowerBI. The feature is currently under review, and you can help get it prioritized by upvoting here:
https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/7020353-mysql-over-ssh-connection
I don't think it is supported (yet) but it looks like a lot of people want a solution including me. See this Power BI Ideas Request
1) create a gateway to connect to the server, then
2) it will ask for the connection string; there you can give the server, port, and database username and password
The problem turned out to be an error in the remote server's firewall configuration.
After further research I have confirmed that Power BI would not support dual authentication steps like logging onto a remote server with ssh and then connecting to the database. Thanks Robin for your suggestion. That was a key point.
Please remember that for remote connections you need to authorise the mysql users to connect from specific hosts (adding the IP) or % to allow to get connected from any host remotely
the SQL is something similar to:
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
How to allow remote connection to mysql

Host is not allowed to connect to this MySQL server for client-server application

I just exported my tables from one web host to another (AWS).
Thinking everything would go smoothly (yeah right), well, everything that can go wrong has gone wrong.
I get this error when trying to query my database (which I didn't get before):
SQLSTATE[HY000] [1130] Host '<my ip address>' is not allowed to connect to this MySQL server
This is the same error from this post:
Host 'xxx.xx.xxx.xxx' is not allowed to connect to this MySQL server
The solution in that post seems to revolve around having an administrative user. I am developing a chat application so every user needs to access the server (so I'm sure it's a bad idea to give them all administrative privileges).
The answer by Pascal in that link says, If you are using mysql for a client/server application, prefer a subnet address. but I honestly don't understand what he means by that. And because of the amount of solutions, I'm not exactly sure which one I should follow based on my case.
How do I resolve this?
MySQL has security tables that determine who is allowed to connect and from what host IP address.
Here's a good article on how to do it:
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
If you have a lot of connections, consider setting up a server to accept the connections and talk to the sql server. The easiest approach to this is to set up a REST interface and use a web server. Web servers are usually also highly optimized and relatively bug free.
In a similar architecture on AWS, I use nginx happily.
Make sure you have bind-address=YOUR-SERVER-IP in my.cnf and make sure you have a user hd1@172.31.39.86 or hd1@%, the latter being a MySQL wildcard on the MySQL server. More information here. You may also need to grant access to port 3306 (the default MySQL port) on the security groups section of the AWS console.
// IN YOUR MYSQL WORKBENCH You Have to Execute below query
CREATE USER 'root'@'1.2.1.5' IDENTIFIED BY 'pass'; -- 1.2.1.5: your application server IP
GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.200.1.54' WITH GRANT OPTION;
AFTER CREATING YOU CAN VIEW USING BELOW QUERY
SELECT * FROM mysql.user WHERE User = 'root';
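A review aid for GRANT statements of the kind quoted in the threads above, added here as an example and not taken from any of the posts: it reports accounts that accept any host, hold ALL on *.*, carry WITH GRANT OPTION, or lack a REQUIRE clause. The sample statements are constructed in the legacy GRANT ... IDENTIFIED BY form used on this page, and the function name audit_grants is hypothetical.

```python
import re

# Constructed sample statements; accounts, hosts and passwords are placeholders.
SAMPLE = """
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD';
GRANT SELECT, INSERT ON chat.* TO 'app'@'10.0.0.%' IDENTIFIED BY 'x' REQUIRE SSL;
"""

# One GRANT statement: privileges, scope, account (user@host), trailing clauses.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>'[^']*'|\w+)@(?P<host>'[^']*'|[\w.%]+)(?P<rest>[^;]*);",
    re.IGNORECASE | re.DOTALL,
)
REQUIRE_RE = re.compile(r"REQUIRE\s+(SSL|X509|ISSUER|SUBJECT|CIPHER)")


def audit_grants(sql):
    """Return [(account, [issues])] for every GRANT statement with findings."""
    report = []
    for m in GRANT_RE.finditer(sql):
        user, host = m["user"].strip("'"), m["host"].strip("'")
        privs, rest = m["privs"].upper(), m["rest"].upper()
        issues = []
        if host == "%":
            issues.append("any host may connect")
        if privs.startswith("ALL") and m["scope"] == "*.*":
            issues.append("ALL privileges on every database")
        if "WITH GRANT OPTION" in rest:
            issues.append("can grant its privileges to other accounts")
        if not REQUIRE_RE.search(rest):
            issues.append("account does not require SSL")
        if issues:
            report.append((f"{user}@{host}", issues))
    return report


if __name__ == "__main__":
    for account, issues in audit_grants(SAMPLE):
        print(account, "->", "; ".join(issues))
```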

Equivalent in Postgres to the MySql sentence GRANT USAGE ON *.* TO '%'@'%' REQUIRE SSL

Hi I need to know if there is an equivalent sentence in Postgres to the following MySql sentence:
GRANT USAGE ON *.* TO '%'@'%' REQUIRE SSL
I want that all the users connect to the database right through SSL connections.
Thanks
The permissions themselves (via GRANT) in PostgreSQL don't take into account how the role was authenticated. Authentication is configured in pg_hba.conf instead.
You'll still need to use GRANT, simply to give access to that role on the tables, schema, views, etc., as required by your application.
If you want to grant access only when SSL is used, use hostssl instead of host in pg_hba.conf. (host is effectively hostssl or hostnossl.)
Note that, like HTTP redirections from HTTP to HTTPS, this security measure used on its own only really protects against passive attackers at best. Otherwise, MITM attackers could intercept the plain-text connection and forward it themselves to your server using SSL. The server wouldn't know about it (unless client certificates are used).
As always, what you need is to make sure that your clients know that they need to use SSL, and that they verify the server certificate correctly. More specifically, if they're using a tool that relies on libpq, they need to configure your CA certificate (or your server certificate directly) correctly and use verify-full, to prevent MITM attacks.
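To check an existing pg_hba.conf for the host versus hostssl distinction described above, here is an added example (not from the answer or from PostgreSQL) that lists the non-loopback records a client can match without SSL. The sample file is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample pg_hba.conf; databases, users and addresses are made up.
SAMPLE = """\
# TYPE   DATABASE  USER    ADDRESS                       METHOD
local    all       all                                   peer
host     all       all     127.0.0.1/32                  md5
host     appdb     app     0.0.0.0/0                     md5
hostssl  appdb     app     203.0.113.0/24                scram-sha-256
host     appdb     report  198.51.100.7 255.255.255.255  password
"""

PLAINTEXT_TYPES = {"host", "hostnossl"}  # record types that match non-SSL TCP
METHOD_NOTES = {
    "password": "password is sent in cleartext and SSL is not required",
    "trust": "no authentication and SSL is not required",
}


def network_of(token):
    """Parse an ADDRESS or netmask field; None for hostnames, 'all', 'samenet'."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def audit_pg_hba(text):
    """Return (line_no, address, method, reason) for remote records usable without SSL."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue
        address, method = fields[3], fields[4]
        if len(fields) > 5 and network_of(method) is not None:
            # "IP netmask" form: the address spans two fields
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        net = network_of(address)
        if net is not None and net.is_loopback:
            continue  # loopback-only records never cross the network
        reason = METHOD_NOTES.get(method, "SSL is not required; use hostssl")
        findings.append((line_no, address, method, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE):
        print(finding)
```

A clean result only covers the server side; clients still need sslmode=verify-full and the CA certificate, as the answer explains.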

How do I allow mysql client connections to be established with our mysql web server?

It seems that the web server is preventing me to change permissions to the user. It does not allow me to GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD'; and returns an error message of access denied for the username that I'm using.
It also appears that the folder etc in the file manager is empty whereas in the given link below, it shows that the bind address can be edited in the my.cnf inside etc folder.
How do I allow my mysql database to be accessible remotely by any computer?
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
The bind option in my.cnf is not that problem (since you can connect, the MySQL server is just not letting you in), and judging from the screenshot, you don't seem to have the permissions to edit that file anyways.
Most likely, your request is not coming from 202.54.10.20, or you have mistyped username/password. If the web application runs on the same machine as the MySQL server, connections will come from somewhere in the 127.0.0.0/8 range.
Look at the connection string in your web application:
If it is a public IP address, check username/password and originating IP.
If it starts with 127., GRANT to your local address.
If it is localhost, you're connecting via Unix socket instead of TCP. This is a good thing, and you can simply GRANT to localhost.
To issue this command:
GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD';
You MUST connect to the database first. So if you don't have permissions to remotely access database, you should go to the database server host and login locally, using root@localhost.
I just found out that there is an option which basically does the same thing as what I wanted it to be doing. There is an option for the user to enable remote database access to its clients.

How to remotely connect to ClearDB in an Azure Website?

I have created a free Azure Website with Wordpress on it. A ClearDB mysql database was automatically created.
I want to remote connect to the DB using something like MySQL Workbench.
I used the credentials from the "View connection strings" in the azure portal dashboard, but there is an error connecting.
I read in some post that the db itself is hosted in azure cloud and thus can not be accessed.
Has anyone managed to administer a DB like this?
Most hosters don't allow external connections with shared hosting.
When you use an outside client, your server has to be configured to allow this external connection.
Firewall rules :
You must set a password before doing this, to improve security.
You must update the firewall and make rules to open the mysql port (3306) on the server that is running the mysql database.
Set user IP :
Add a user account or replace the IP address.
Adding users :
CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost';
Replace ip address (be careful, don't use this on the root user) :
RENAME USER 'user'@'ipaddress2' TO 'user'@'ipaddress2';
To allow all IPs, replace the IP address with %.
See more :
Security Guidelines.
How to determine if a port is open on a Windows server? or www.portcheckers.com.
Yes, it is possible to administer your ClearDB MySQL database in MySQL Workbench. I have several Azure Wordpress sites that I connect to just as you describe -- create the Azure site, view Connection Strings, type those credentials into MySQL Workbench, and voila. @Yaron, Can you be more specific about what you've tried and maybe we can troubleshoot from there?