Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote mySQL server? Any suggestions on how to make the connection secure. BTW, I have a self-signed certificate installed in the localhost but not sure how this applies to remote mySQL connection.
You could create a ssh tunnel between MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.
Related
I am using MySQL workbench on windows, which I want to connect to a Node-Red running on the IBM cloud. Since I don't run them on the same server the host 127.0.0.1 and port 3306 does not seem to work. What permissions should I give?
I'm going to make a LOT of assumptions here, because there really isn't enough information in your question.
First assumption, by "running on IBM" you mean that Node-RED is running on the IBM Cloud hosting service.
The short answer is you can not do what you want.
The longer version is that you probably could actually make this work but doing it is a REALLY bad idea.
Second assumption, you are doing this from home (even if you are doing it from a office location the same problems are likely to apply). This means you are connected to a local LAN using RFC 1918 address range (e.g. 192.168.0.x), this means you are behind a router that is performing NAT (Network Address Translation). This means you are going to need to set up portforwarding on the router so that when traffic arrives at the router it will send it on to your Windows machine. How you do this will depend on your router.
Next problem, your broadband probably doesn't have a static IP address which means it will change every time your connection drops. There are work arounds for this using things like Dynamic DNS. But that's too complicated to get into here.
Assuming you get all of that sorted out you still have the problem that you have now exposed your mysql database to the internet, so you need to make sure you have enabled all the right security measures to prevent people logging in and at best seeing all your data.
There are 2 much better solutions to this
Run Node-RED on the same machine or at least on the same local network as the database.
Use one of IBM Clouds hosted database solutions, these are a lot easier to connect to a IBM Cloud instance of Node-RED.
If you do not want to open ports to your network I recommend using a free MYSQL remote server
A simple website is https://remotemysql.com
Just take the screenshot of the credentials of your database after registration.
Keep in mind if your database is empty it will get deleted after some time.
The MySql server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS / SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app - to - mysqld connection is on a private backend network (as it may be) using TLS / SSL may be overkill. It's called "transport layer security" and it pretty much protects against badguys intercepting data going to and from mysql. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app the mysql password is probably hardcoded in a config file someplace. If the badguy wants to look at your data, he need only grab the password and log in to the mysqld. To keep your info safe you need to keep badguys off your private network.
It's a good idea always to paramaterize the hostname, port number, and production password of your mysql database. If those things are parameterized you can then deploy to a staging or production server system simply by changing those parameters.
I am facing this problem:
stackoverflow question
except my host doesn't seem to have cpanel. Since the answer given in the linked question is cpanel related it has not helped me. Is there anything I can do?
It seems you are trying to connect from a client machine located on your desk to a mySQL server instance located in a service provider's server farm. You're trying to use the ODBC "driver" for mySQL to do this, so you can look at your mySQL data with MS Access. (Right?)
You need to make sure this particular hosting service provider allows remote connections to their mySQL server instances. Some service providers, especially the lowest-cost ones, prevent these remote connections using firewalls or other network isolation techniques. (They do that because it's easier to control both security and performance when only their own web servers can connect to their mySQL servers. ) If your service provider prevents all these connections as a matter of policy, you're going to need another service provider.
If they DO allow remote connections, you may need to enable those connections for your mySQL database. That's what the "cpanel" function mentioned in the other question is about. cpanel is a popular control panel web application offered by many commercial hosting service providers to allow self-service control by their customers. If your service provider doesn't use cpanel, you'll have to find out what they do use. Even if they do use cpanel, they may still not allow remote mySQL connections.
You will also have to make sure your client machine (the one running ODBC) and user have authorization in the mySQL user database.
You would do well to put in a service ticket to your service provider asking if they do offer remote mySQL access. If they say "yes," then you can ask them for advice and help on setting it up.
Keep in mind that opening mySQL server instances for direct connection over the publicly accessible internet is not ordinarily considered a good security practice. If the data in your database is in any way private (peoples' identity information, for example) you need to be very careful indeed.
I developed a project in VB.NET
In this project I want to use data from MySQL that is resides in my WEB Server.
I can communicate with the MySQL server of my localhost but can not communicate with the WEB Server.
In my CPanel I added Host from the Remote Database Access
But I can't communicate with WEB MySQL Server.
Please help me.
The first step is to try to connect to the web mysql with MySql Query Browser - that will tell you if the database is open for remote connections ( I assume it would fail)
I guess you have already checked it, but make sure you use the correct ip
EDIT:
As Björn said, your vb code is ok, so the problem is with the connection to the db.
Unfortunately that would be caused by many many reasons.
Are you sure you use a real IP from the host (and use it in the mysql settings)?
Are you sure you entered the correct remote host in the mysql settigns?
Are you sure you have correct connection string in the vb code?
Since your post indicates you can access the DB on your localhost, it doesn't seem to be an issue with the way you're connecting to the DB from your application (.NET-Connector?).
What does the external MySQL-Server say? Access denied? Or can't you reach it from the pc where your application is hosted (aka maybe a firewall regulation, other network etc.)?
I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system. Not just the files that hold the database information.
You may be able to request that just add your IP address to a trusted host file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.