I'm using MySQL, and a web-service connects to the database to read some values.
The web-service and the database are on the same server.
I want to deny access to the database through the public static IP of the server and the MySQL port.
That means only allowing access to the database through localhost, so that only the web-service can connect to it. How can I do so? What configuration, for example in MySQL, should I do?
It's not possible to restrict access to MySQL to specific applications as such.
You can, however, create a user account (e.g. named webservice) that is restricted to connect from 127.0.0.1 - that's the best you can do as far as I know, and should be totally sufficient.
There is no way to restrict access to only the web-service. You can restrict it to just applications running on the same host. To do this, create a new user with a host of either 127.0.0.1, or localhost should also work. You can either do this graphically or through the command line:
CREATE USER 'webservice'@'localhost' IDENTIFIED BY 'webservicepassword';
-- Grant privileges here...
-- For example, GRANT ALL PRIVILEGES ON *.* TO 'webservice'@'localhost' - but it's a far better idea to restrict access to only what it needs...
You can also limit traffic to your MySQL database from only the localhost at the TCP layer. I'm not sure of the pros and cons of this method versus using the MySQL database permissions.
https://www.thegeekdiary.com/understanding-tcp-wrappers-in-linux/
In the /etc/hosts.allow, add:
mysqld: LOCAL
This whitelists the localhost to have access to the database daemon. You can use a comma separated list of IP addresses and hostnames that are also allowed.
In the /etc/hosts.deny, add:
mysqld: ALL
This denies access to the daemon to anything that was not whitelisted.
So I am attempting to use MySQL workbench to connect to a database in the cloud on AWS RDS services.
When I attempt to connect I get an error like this.
Access denied for user 'admin'@'ip_octet1-octet2-octet3-octet4.res.spectrum.com' to database 'default_database'
I have the database set as publicly accessible and all IPs are able to connect. The problem seems to be that my client is attempting to connect via hostname. I have tried multiple different clients, so it seems to be an issue with AWS or my ISP. I have been able to shell into the MySQL instance from other EC2 instances.
Any suggestions would be appreciated.
Your MySQL user permissions should allow connecting from the particular host. You can grant permission to the existing user as below.
GRANT ALL PRIVILEGES ON database_name.* TO 'admin'@'ip_octet1-octet2-octet3-octet4.res.spectrum.com';
Reference:
Create and Grant Mysql Permissions
Based on the error you are getting, this doesn't seem to be an issue with reaching the server, as the message complains about an access denied, otherwise it would state it can't reach the host. I would go for the password route, as the admin user should get created with '%' for host. Was it a snapshot? Or created from scratch? If so, was the password properly set? If it is from scratch, you can always delete it and create it again.
Regards!
I have a database in mysql and I would like to grant access to a user from a remote machine. How can this be achieved?
Thanks
Usually the first thing you need to do is comment out bind-address in the MySQL config file (my.cnf). This setting blocks communication with the database if it's not from the same address. Restart MySQL to apply the changes. Also don't forget to open port 3306, on which MySQL communicates.
Next you can freely create a new database user, whose login will be @'%'.
But beware: if it's a production server, it is not good practice to do this; it is a security hole which can be used.
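A check for what the my.cnf change described above does to the listener, as an added example that is not part of the original answers. It classifies the `[mysqld]` section of a config file; the function names and the sample files are constructed for illustration, and it assumes a single file with no included fragments and that an unset bind-address means the server listens on every interface.

```python
import ipaddress

WILDCARDS = {"*", "0.0.0.0", "::"}

def mysqld_options(cnf_text):
    """Collect options of the [mysqld] section ('-' and '_' are equivalent)."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments
        if not line or line[0] in ";!":       # ';' comments and !include lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts

def is_loopback(addr):
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # any other hostname is treated as not loopback

def tcp_exposure(cnf_text):
    """Return 'socket-only', 'loopback-only', 'specific-address' or 'all-interfaces'."""
    opts = mysqld_options(cnf_text)
    skip = opts.get("skip-networking")
    if skip is not None and skip.lower() not in ("0", "off", "false"):
        return "socket-only"        # TCP listener disabled entirely
    bind = opts.get("bind-address")
    if bind is None:
        return "all-interfaces"     # assumption: unset means every interface
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if any(a in WILDCARDS for a in addrs):
        return "all-interfaces"
    if addrs and all(is_loopback(a) for a in addrs):
        return "loopback-only"
    return "specific-address"

# Constructed sample: the file after bind-address has been commented out.
SAMPLE_COMMENTED = "[mysqld]\nport = 3306\n# bind-address = 127.0.0.1\n"
# Constructed sample: the localhost-only setting.
SAMPLE_LOCAL = "[mysqld]\nbind_address = 127.0.0.1   # web service is on this host\n"

if __name__ == "__main__":
    for name, text in (("commented out", SAMPLE_COMMENTED), ("loopback", SAMPLE_LOCAL)):
        print(name, "->", tcp_exposure(text))
```

With an "all-interfaces" result, the firewall rule for port 3306 and the host part of each account are the only remaining restrictions on who can reach the server.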
I'm doing a web project and I'm using WampServer to take care of the server and database. And now I'm facing a problem: I have to share the project. So it would be useful if I could share the specific DB that I use in the project, so that other people can access it from their machines and get all the data previously stored in the DB. Is it possible to do it? How?
If you need to grant access to other machines to one database on local mysql server, you need to do some things:
You need to open MySQL to network interface: Check my.cnf, and do this:
Comment the line skip-networking.
Change the line bind-address to hold your LAN IP address / WAN IP address (if the machine itself has the WAN IP) / 0.0.0.0 (for all IPv4 addresses of the machine) / :: (for all IPv4 and IPv6 addresses of the machine). After reconfiguring, restart the MySQL server.
Check / configure your firewall for port 3306 opened (You can configure firewall for accept connections only from the required IPs) (Configuration for doing this will depend on your firewall software).
Grant access to the user(s) from the IPs you will need.
You can give access to one user from all IPs, for doing this, execute command [1] on MySQL cli or phpmyadmin, with a user with SUPER privileges (usually root).
You can give access to one user from one IP. Execute command [2].
[1]: GRANT ALL PRIVILEGES ON database.* TO 'user'@'%' IDENTIFIED BY 'password';
[2]: GRANT ALL PRIVILEGES ON database.* TO 'user'@'host' IDENTIFIED BY 'password';
You need to replace database with the name of the database to give privileges, user with the username accessing, host with the IP address of the client accessing, and password, with the desired password.
You can also repeat command [2] if you want the same username to have access from two different IPs, for example. Also, you can use a combination of [1] and [2], using a host with this example format: @'192.168.0.%', for giving access to this user from all computers on the 192.168.0.0/24 network.
Also, you can give really fine privileges. For example, by changing GRANT ALL PRIVILEGES to GRANT SELECT, INSERT, this user can only do SELECT and INSERT statements, but not UPDATE or DELETE ones. You can check the MySQL docs or StackOverflow for more info about this.
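An audit of the account choices listed in the answer above ('%', a subnet pattern, a single IP, ALL PRIVILEGES versus a short privilege list), as an added example that is not part of the original answer. The function names, the severity scale and the sample rows are constructed for illustration; the rows stand in for what an administrator would transcribe from the server's grant tables.

```python
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def host_scope(host):
    """Classify the host part of a MySQL account name 'user'@'host'."""
    if host in LOCAL_HOSTS:
        return "local"
    if host in ("%", ""):
        return "any"
    if "%" in host or "_" in host or "/" in host:   # wildcards or netmask form
        return "range"
    return "single"

def audit_accounts(rows):
    """rows: (user, host, privileges, scope) tuples.
    Returns (severity, account, reason) findings, most severe first."""
    findings = []
    for user, host, privs, scope in rows:
        account = f"'{user}'@'{host}'"
        where = host_scope(host)
        broad = privs.strip().upper().startswith("ALL")
        if user == "":
            findings.append((3, account, "anonymous account"))
        if where == "any" and broad:
            findings.append((3, account, "all privileges from any host"))
        elif where == "any":
            findings.append((2, account, "reachable from any host"))
        elif where == "range" and broad:
            findings.append((2, account, "all privileges from an address range"))
        elif where == "range":
            findings.append((1, account, "reachable from an address range"))
        elif broad and scope == "*.*":
            findings.append((1, account, "all privileges on every database"))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample rows (not taken from a real server).
SAMPLE_ROWS = [
    ("webservice", "localhost", "SELECT", "appdb.*"),
    ("user", "%", "ALL PRIVILEGES", "database.*"),
    ("user", "192.168.0.%", "SELECT, INSERT", "database.*"),
    ("", "localhost", "USAGE", "*.*"),
    ("admin", "10.1.2.3", "ALL PRIVILEGES", "*.*"),
]

if __name__ == "__main__":
    for severity, account, reason in audit_accounts(SAMPLE_ROWS):
        print(severity, account, reason)
```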
I have created a free application using OpenShift, and created MySQL and phpMyAdmin cartridges. Inside phpMyAdmin I have given access to all users from anywhere with all privileges. Now the problem is that when I try to connect from my local MySQL Workbench, I get connected, but I don't see the tables I created on the remote server using phpMyAdmin, and I can't do any action at all, like creating schemas or tables, where I get
ERROR 1044: Access denied for user ''@'localhost'
Remember that I allowed all privileges for any user, but I still get access denied for any action except only for the database connection.
Make sure the user you've given full permissions to is the same user MySQL Workbench is connecting as -- there's a difference between the hosts % and localhost for instance. From MySQL Workbench, issue the "Status" command and compare the username and host against what you've configured.
You're apparently connecting through 'localhost' so you have to give full permissions to the anonymous user with host localhost (or change your connection type to tcp so that your connection is via 127.0.0.1 instead of localhost).
Edit for further clarification: The MySQL permission structure treats different types of connections differently; a client connecting via TCP connection always appears to come from an IP address, even if it's from the "local host" (in the sense of being on the same machine), in which case that IP address of the incoming connection may be 127.0.0.1. Socket type connections are registered in MySQL as coming from the host "localhost" (literally, in this case). This is why we're verifying which host MySQL Workbench is connecting as.
Different connection types appear differently to MySQL even if they're coming from the same "local machine." Furthermore, the wildcard host does not include 'localhost' socket connections; those are a separate entry in the permissions field with the 'localhost' host name; the wildcard does not apply, as I explained above. This is the reason why we're checking which permissions you set against what MySQL Workbench is connecting as; it's the most common cause of difficulties such as these.
I am trying to connect to a MySQL database server (remote), but I can't. I am using a user with grant privileges (not the root user). The error message is the following:
Can't obtain database list from the server.
Access denied for user 'myuser'@'mypcname' (using password: YES)
"myuser" is a user I created with grant access. This user allows me to connect locally to every database. I am using the same software versions in both hosts: MySQL Server 4.1 (server) and EMS SQL Manager 2005 for MySQL, edition 3.7.0.1 (client).
The point is that I need to connect to the remote server using a different user, not the root user. So, how do I make the connection?
Thanks.
You have to make sure that the remote user account matches what the server will see coming in for a connection. For instance:
grant select on dbname.* to 'myname'@'mypc';
will not work if mypc is not resolvable on the server via DNS or the hosts file. In this case, you could try either using an IP, or a FQDN:
grant select on dbname.* to 'myname'@'10.1.2.3';
grant select on dbname.* to 'myname'@'mypc.example.com';
Look at connectionstrings.com to see if you are using the right connection string for MySQL.
Make sure
that your MySQL server listens not only on localhost
your user can access the server from his location. Try 'myuser'@'%' in the GRANT command.
EMS Manager for MySQL
This magnificent tool provides you with a way to connect to such a server that prevents access to the server from any remote file or any way from the outside world.
All you need is to have FTP access to the remote server.
In c:/program files/Ems/ you will find a file called emsproxy.php.
It is what we call an (API) in the programming world.
Upload that file to your remote server.
Then when you connect with EMS you select tunneling --> checkbox.
It will ask you on the next step to provide the full URL of your emsproxy.php.
I tested that process myself. I did not have access to cPanel nor phpMyAdmin.
Thanks