How to hide SSH access on public web server? [closed] - mysql

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 12 months ago.
Improve this question
I'm renting a VPS and right now it is being used as my web server and MySQL database. When renting a VPS, they give you SSH access to it. Is there a way for me to hide (make it seem like it doesn't exists) SSH and MySQL outside connections except for my own?
I don't want public users to see that SSH is enabled even though they probably won't guess the password.

You can use Port knocking to hide SSH. I would close down the mysql port and use a SSH tunnel for this.

Install a port-knock daemon. It looks for "special "knock" sequences of port-hits" and then opens the firewall like you want it.
knock myserver.example.com 123:tcp 456:udp 789:tcp

mysql: you could maybe forbid connections except from localhost, and use ssh port forwarding to remotely access your database
ssh: use a non-standard port and switch to public key authentication. You will have to leave a port open anyway.
Fail2ban may be worth trying. It will block connections to your machine from a given address after repeated failures.

If you're accessing the server from only one address (or very few addresses), you can add a firewall rule to block any access from anything other than those addresses. However, if you're going to be accessing the site from (say) your cellphone, you can't do this, as your cell is highly likely to be behing a NAT firewall and you can't predict what the external IP would be.
You can also move SSH onto something other than the default port 22 to block the "stupid" ssh attack scanners, though that won't stop dedicated port scanners.

Some thoughts...
You could run sshd on a non-standard port. Port-scanners will be able to notice it, but the scripts that just bang on port 22 won't see it.
You could configure it to only allow connections from specified hosts (better to do this at the firewall level, come to think of it). This would limit your ability to log onto it from anywhere but would allow sshd to immediately reject connections from any place other than the specified hosts.

I think the best two options are:
Hide the servers behind a firewall and use a VPN to communicate.
Change the port numbers to something random so they won't be detected by a default port scan.

Today we rely more on browser based sessions as they tend to be more secure thanks to modern browsers' sandboxing and generally higher security level, freely available auto-renewable SSL certificates, and well understood MFA systems.
Web based SSH terminals are common, and they can be protected by federated authentication (OAUTH/SAML/OIDC) identity providers (also available for free! Auth0, DUO, but also Google, Github, etc) and easily complemented with multi factor authentication.
A good implementation of this concept comes for free if you have a Linode VPS: it's called the LISH (Linode Shell). Provided both as text based (Weblish) and canvas based (Glish).
If you are not on Linode, you can host your own Apache Guacamole which is equally great. And of course, it comes with SAML, OIDC, TOTP MFA, etc.

Related

How can I connect a local MySQL database to the IBM Node-Red platform

I am using MySQL workbench on windows, which I want to connect to a Node-Red running on the IBM cloud. Since I don't run them on the same server the host 127.0.0.1 and port 3306 does not seem to work. What permissions should I give?
I'm going to make a LOT of assumptions here, because there really isn't enough information in your question.
First assumption, by "running on IBM" you mean that Node-RED is running on the IBM Cloud hosting service.
The short answer is you can not do what you want.
The longer version is that you probably could actually make this work but doing it is a REALLY bad idea.
Second assumption, you are doing this from home (even if you are doing it from a office location the same problems are likely to apply). This means you are connected to a local LAN using RFC 1918 address range (e.g. 192.168.0.x), this means you are behind a router that is performing NAT (Network Address Translation). This means you are going to need to set up portforwarding on the router so that when traffic arrives at the router it will send it on to your Windows machine. How you do this will depend on your router.
Next problem, your broadband probably doesn't have a static IP address which means it will change every time your connection drops. There are work arounds for this using things like Dynamic DNS. But that's too complicated to get into here.
Assuming you get all of that sorted out you still have the problem that you have now exposed your mysql database to the internet, so you need to make sure you have enabled all the right security measures to prevent people logging in and at best seeing all your data.
There are 2 much better solutions to this
Run Node-RED on the same machine or at least on the same local network as the database.
Use one of IBM Clouds hosted database solutions, these are a lot easier to connect to a IBM Cloud instance of Node-RED.
If you do not want to open ports to your network I recommend using a free MYSQL remote server
A simple website is https://remotemysql.com
Just take the screenshot of the credentials of your database after registration.
Keep in mind if your database is empty it will get deleted after some time.

simple ping from remote agent

I have been looking around to see if there is some simple, stand-alone(ish) agent/server setup that would allow a ping to be launched from a host with an agent on it. When I say "ping," I mean via icmp echo and/or tcp port check. I have Windows, Linux, and AIX systems that would get such an agent.
I would like to set up a central server with authentication that can issue pings from any device that has one of these agents. The primary use would be VPN testing, so that traffic can be initiated from a device that I don't necessarily have access to.
It seems that some monitoring software has this (e.g., Zabbix) but I don't want to go through the pain of installing a whole big piece of software like that just to get this functionality.
Almost all our AIX and Linux systems have perl installed, so that could be a nice option if I had to write my own. I would rather find something "tried-and-true" though...
I didn't realize that we already had SaltStack installed on almost all our servers (I'm a network guy, not a server guy). Once I talked to one of the server administrators, he showed me how this could be done using Salt.

MySQL Community Server - Security Patches

I have been running a MySQL Community Server for a couple of years now and a new client has asked for a report from a vulnerability scanner on our network. I am using OpenVAS and the network is fine apart from the server, its returning a high threat stating that a MySQL security patch needs to be applied. I've gone onto the Oracle website and I believe that I require a Support Identifier to apply the patch, so I done some Googling and its basically a subscription from Oracle. As its a small company is there a way to apply this patch for the community edition without the need to fork out a ton of money, or shall I just filter incoming traffic to the mysql port (Its not the actual fix but at least its one)?
Cheers for the help!
A first measure would be closing the MySQL port through a firewall (iptables), or at least restricting it to the machines in the internal network needing direct access to MySQL.
As for the patch: Maybe there are newer pre-built packages for your OS/distro which already contain the bugfix.

Bind address and MySQL server [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I came across the bind address while trying to configure the MySQL server. The details of why I want to configure the bind address is in the link below.
Multiple hostnames and multiple privileges?
Now, I want to understand the purpose of the bind address. In the sense, is a binding address the address we assign to the machine that is hosting the MySQL server?
I have no clue. Would be really helpful if someone could explain me the purpose of it. Also, will assigning 0.0.0.0 to the binding address create any security flaws/loop holes?
The address you specify in bind tells MySQL where to listen. 0.0.0.0 is a special address, which means "bind to every available network".
Only client software which is able to open a connection to the server using the same address that is specified in the 'bind' option will be allowed to connect.
Some examples:
If MySQL binds to 127.0.0.1, then
only software on the same computer
will be able to connect (because
127.0.0.1 is always the local computer).
If MySQL binds to
192.168.0.2 (and the server computer's IP address is
192.168.0.2 and it's on a /24 subnet), then any computers on the same
subnet (anything that starts with 192.168.0) will be able to connect.
If MySQL binds to
0.0.0.0, then any computer which is able to reach the server computer
over the network will be able to connect.
These are all transport-level connections. Remote computers still need to qualify for application-level, which is to say they will still require the correct login credentials and host parameters from mysql.user.

Remote (Non-LocalHost) MySQL Calls... Safe/Recommended for Management Purposes?

I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system. Not just the files that hold the database information.
You may be able to request that just add your IP address to a trusted host file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.