I want to try out some of the MySQL software, like Workbench, on the MySQL Db I develop on at work. After many failed attempts to make the connection, I finally asked one of the server admins if I was doing something wrong and was informed that the Db is behind firewall. So I can use phpMyAdmin, since it's installed server-side, but not Excel, Workbench, etc (from my machine).
So I would like to know if there is a fairly standard way to make a VPN-like connection to the server. Currently I use an SSH client to connect with no problem. But obviously that's not linking my local apps to the server. So can I make the connection in such a way that my whole system (so to speak) is considered signed on to the server? VPN is the closest analogy I can make, but that's not an option.
And....
Is that considered fairly "black hat" or is just something I don't know how to do but all the cool kids are doing it legitimately?
Thanks
This is simple using SSH tunneling. Simply do something akin to the following:
ssh -f username#your.remote.host -L 4040:your.remote.host:3306 -N
This does the following:
-f - forks SSH into background
username#your.remote.host - the user & host for SSH to connect to
-L 4040:your.remote.host:3306 - Listen for local connections on port 4040, and forward them via SSH to your.remote.host port 3306
-N - tells SSH not to issue a command on the remote host
You would then be able to connect to your mysql server (assuming the above ports are correct) using:
mysql --host=localhost --port=4040 --user=mysqluser -p
SSH tunnelling is excellent and can make life a lot easier.
The advantages are that it is all running over an encrypted port, 22, so the security is better and you can also compress the session, so over a slow network might see a bit of a performance improvement...
If you are using Windows, I would recommend puTTY which is available easily if you google it... Once connected, you can assign a local port which forwards to a port on the remote machine. In puTTY, this is in the Connection->SSH->Tunnels dialog.
I often use this for forwarding VNC - so if you have localport 5900 forwarding to the remote address 5900, you can connect to localhost:5900 as if you were connecting to the remote IP address.
It is also useful if there is a "hop" to a remote network - e.g. you aren't limited to forwarding to the ssh server you are connected to, you can also connect to other servers via the ssh server you are using.
Finally, I don't think that there is anything illegitimate about this option - you are using the ssh connection as intended and have been granted access to the server you are using. If anything, it is increased security...
Admins where I am have an Open-VPN that connect their personnal computer at home to servers at work, but it is used only for maintenance and 'emergency'.
I don't think it is good for security to have "holes" in the firewall, especially to a private place, where there is no firewall to protect your personnal computer.
These kind of practise is possible but has to be retricted to minimum
Related
I have a set of data rolling out of Node-Red that I want to send to a remote MYSQL database. The Node-Red system is running on a Raspberry Pi. How do I make this work? I know how to it using Node.JS but im not sure how to do this in Node-Red. The IP-adress of the Pi is dynamic so simply authorizing its Ip address does not work sadly.
Thanks in advance!
EDIT for clarification:
I want to connect to a remote MYSQL database that is hosted by my webhosting. I have connected a Raspberry Pi to a battery, and I want to save this information in the aforementioned database. Since there will be several battery setups in different locations, I cannot save the data locally. So, one way or another I need to access the remote database through Node-Red. Authorizing one IP-address does't work, since the IP of the Raspberry Pi network is dynamic and thus changes. I think a SSH-Tunnel might be the solution, but I have no idea how to this in Node-Red, and google isnt very helpful.
OK, so as I said in the comments you can make a Username/Password pair for MySQL can be granted permission to any IP address (which is less secure if the username/password is compromised. Set the host to '%' to allow all hosts when setting up the grant options).
To reduce the risk you can restrict the Username/Password to a specific subnet. This could be a wifi network or the subnet associated to the piblic IP (it needs to be the public range as nearly all cellular ISPs use CGNAT) range of the cellular provider you may be using. (See this question for details How to grant remote access to MySQL for a whole subnet?).
If you want to use a SSH tunnel then this will normally be done outside Node-RED with the ssh command line e.g.
ssh -L localhost:3306:localhost:3306 remote.host.com
Then configure the Node-RED MySQL node to point to localhost.
Since the connection will look like it's coming from localhost on the MySQL machine you need make sure the Username/Password is locked down to a that host.
You will probably also want to set up public/private key authentication for the ssh connection.
You may be able to run the ssh command in the node-red-daemon node, which should restart the connection if it gets dropped.
I am developing simple application with Visual Studio that gets data from remote MySQL server through MySql.Data.dll extension. Everything works fine when I'm in my own network, but when I'm at customer site it won't work. I'm assuming their IT is blocking port 3306. Since this is a big corp with strict rules cooperation with network admin is not an option. I heard about tunneling with SSH, tried to do some research but this time this is something not supported by my remote MySQL server provider. I'm out of ideas. What are my options?
Many thanks,
Paw
You can try the command > telnet <yourDBHost> 3306 to verify if port is blocked.
In that case, if you can't request to your admin to open port, maybe you can change the port of MySQL to another open port in the firewall, using your CPanel or editing config files directly if you can access it.
I'd like to know how to connect the client pc in a outside network for example a WAM network, i have my database in my pc and i use this like the server. I know how to connect mysql with another client computer inside the LAN network but i dont know how to do it like the other way.
if you don't understand something make me know.
PD: sorry for my english is my first question on a english forum
Ultimately it works exactly the same way - you need an IP address and a port to connect to your database on. You can either do this by setting up port-forwarding at the firewall on the network with the database server (basically, forward port 3306 to the LAN IP address), or by giving the database server a publicly available static IP and then opening port 3306 in any firewalls. Alternatively, you can set up a VPN to the network with the database server, and connect through this. If done right, the VPN option is much more secure.
However, you should ask yourself why you want to do this. Is your idea to have a client software that directly connects to the database? This is not a great design - it's usually better to have a backend database that is accessed via a frontend API (e.g. a RESTful API or similar). Among other benefits, this can give you much better (finer-grained) access control to the database.
Your MySql server should have a firewall rule to accept outside connection on MySql port (default is 3306). Best setup should allow connection from your clients WAN address only.
Then, your C# connector will be able to connect just the same as in LAN.
Is it possible to do the following?:
I have a local Mac running OS X Lion with a MySQL Server installed which runs different processes regularly and stores data into a local DB.
On the other hand I have an Amazon EC2 instance.
What I would like to do is to use the Amazon instance to perform certain cronjobs (using its own resources) but connecting to the data that is on my localhost (my computer) and performing basic SQL actions like updating the data, inserting, etc.
I don't know if this helps, but I have a static IP. Is there any way I can "open" my IP so the Amazon instance can recognize my home computer as a valid MySQL server?
Thanks for your help, any tip in the right direction will be much appreciated.
If your EC2 instance is connecting to your local db you'll need a static IP locally. Well not need... but if you don't have it anytime you reset your router or loose power etc your ip will change. You can look into Dynamic DNS as well for your local instance.
Your ISP will not block your port on your local instance. This would be a firewall inside your network that is preventing you from connecting to mysql or a configuration with mysql itself. Users can only connect to mysql from certain IP addresses.
You would have to open up the mysql port on your firewall if you are using one, have the mysql client installed on your EC2 instance, and make sure that the user that had proper grantable permissions.
That said why not run cron locally on the mac?
If you can login to your server via SSH then there's no need to open any other port and no static IP is required. You can use SSH port forwarding instead. From your local machine run:
ssh -C -R 5555:127.0.0.1:3306 <your-server-host>
Now you should be able to connect to your Mac's database running on localhost:3306 from the remote server at localhost:5555.
Hi Thanks for reading my question. I currently use Mac Terminal to use MySQL. I connect to either localhost or a remote server. Should I be using SSH?
You won't need SSH to access a DB on your local machine.
You can use SSH to access a remote DB using MySQL. You can also use an app with a GUI like Sequel Pro to access the remote DB via an SSH tunnel.
What specifically are you trying to achieve?
There is not enough information to answer your question.
Normally SSH tunnels are used more for adhoc work, while preserving high level of security (can be used in production, too).
MySQL normally uses unencrypted traffic, but it can be setup to use SSL, so that's another path you can take.
Other alternatives are VPNs, for example OpenVPN among other solutions, but this is more of an infrastructure decision.
EDIT: For completeness
On local machine clients can communicate with mysqld over socket or local IP. Normally it is not necessary to encrypt such connections.
For remote connections (which are over IP), as stated mysql uses unencrypted connection and FTP by default also uses unencrypted connection. This might or might not be a security risk (if that particular network segment is on its own VLAN or inside already encrypted tunnel or on physically secured network).
If unsure - encrypt it.