Linux, Unix, and *nix like Operating Systems Forum

ssh tunnel with mysql
or other ways of securing port 3306
jamie (msg:909625) 9:20 pm on Mar 23, 2004 (gmt 0)

i have sqlyog up and working to sync my test (at home) and online mysql databases. all well and good, but it does mean i have had to open port 3306 on my server. i have had a go at ssh tunnelling but (presumably) because i have a mysql-server already running on port 3306 my ssh tunnel won't let me bind to that port. e.g.

ssh -N -f -L 3306:myhost.com:3306 myhost.com

returns an error message about "channel_setup_fwd_listener: cannot listen to port, address already in use"

hmmm. unfortunately i am unable to limit connections to port 3306 to just my own IP as i am assigned a dynamic one by my provider.

does anyone have any other solutions to keep security high whilst allowing use of the sqlyog sync tool?

can i assign mysql a different port number just for the tunnel? normally i don't need port 3306 to be open, just for the syncing.

many thanks :)


dingman (msg:909626) 11:53 pm on Mar 23, 2004 (gmt 0)

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

As a separate matter, you could always just forward some other local port. Maybe pick 3307 if nothing else is listening there.

Combining the two ideas, you'd connect something like this:

me@home:~$ ssh -N -f -L 3307:localhost:3306 myhost.com
me@home:~$ mysql -P 3307 database

daisho (msg:909627) 7:54 pm on Mar 24, 2004 (gmt 0)

You can compile mysql with SSL support using the OpenSSL libs. This way mysql server/client will do SSL automatically without a separate tunnel.

daisho.

jamie (msg:909628) 9:38 pm on Mar 24, 2004 (gmt 0)

hi dingman,

i am trying what you suggest, but am having no success.

i am not sure what you mean by

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

i have two machines, one at home and one remote. i presume you refer to the remote server, but how would i do that? i have been reading the mysql manual today and although haven't gone too deeply into it, couldn't i set that up in my.cnf? or would i have to recompile. (yikes)

i have tried every kind of combination of ports and hosts but my ssh tunnel either hangs or it asks for the password and i am thrown straight back out again to my home shell? (even with correct password).

i have succeeded using putty on my win2k box, using ports 3307 local and 3306 remote, but on my redhat box it won't work.

am at my wits' end...

recompiling... daisho - i am on redhat and have installed everything from rpm - the thought of uninstalling and then recompiling from source brings me out in a cold sweat ;-)

thanks folks

jamie (msg:909629) 6:35 am on Mar 28, 2004 (gmt 0)

hi dingman,

i configured mysql on my remote server to only listen on 127.0.0.1 (not nearly as tricky as i thought ;) but that of course prevents any connections from my home server to the remote server via any port.

so for the time being i have configured mysql to listen on another completely unrelated port, not 3306. this should stop any casual snoopers. i have just been looking at the static IP services claus mentioned - DynDNS - this would enable me to limit access to this mysql port from my box only (normally i have a dynamic IP). it seems to be the best work around.

cheers!

dingman (msg:909630) 7:08 am on Mar 28, 2004 (gmt 0)

i configured mysql on my remote server to only listen on 127.0.0.1 (not nearly as tricky as i thought but that of course prevents any connections from my home server to the remote server via any port.

That's surmountable with the SSH tunnel. 'ssh -f -N -L 3306:myhost.com:3306 myhost.com' won't work, but 'ssh -f -N -L 3306:127.0.0.1:3306 myhost.com' will. The difference is that the host specification between the port numbers is interpreted by the remote machine, in this case 'myhost.com'. It's subtle, but it works.
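The two pitfalls in this thread, worked through as an added example that is not from any poster: jamie's "address already in use" error (a local mysqld already owns client port 3306, so forward a different local port such as 3307) and dingman's point that the host between the port numbers is resolved by the remote machine (so with bind-address=127.0.0.1 on the server, the spec must say 127.0.0.1, not myhost.com). The helper functions are my own, myhost.com is the thread's placeholder hostname, and the listening socket is a constructed stand-in for a local mysqld.

```python
import socket

# Names the SSH server resolves to its own loopback interface.
REMOTE_LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_forward(spec):
    """Parse ssh -L '[bind_address:]port:host:hostport' into (port, host, hostport)."""
    parts = spec.split(":")
    if len(parts) == 4:           # optional client-side bind_address
        parts = parts[1:]
    if len(parts) != 3:           # bracketed IPv6 hosts are not handled here
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return int(parts[0]), parts[1], int(parts[2])

def tunnel_reaches_mysql(spec, ssh_host, bind_address):
    """True if the forward lands on a mysqld listening on bind_address. sshd opens
    the connection to `host` from the server itself, so with bind-address=127.0.0.1
    only a loopback name between the port numbers works."""
    _, host, _ = parse_forward(spec)
    if bind_address in REMOTE_LOOPBACK:
        return host in REMOTE_LOOPBACK
    return host in REMOTE_LOOPBACK or host == ssh_host

def local_port_free(port):
    """Probe for ssh's 'cannot listen to port, address already in use' up front."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            return True
        except OSError:
            return False

def pick_local_port(preferred=3306, tries=10):
    """First free client port at or above `preferred` (3307 if a local mysqld owns 3306)."""
    for port in range(preferred, preferred + tries):
        if local_port_free(port):
            return port
    raise RuntimeError("no free local port found")

def build_command(local_port, ssh_host, remote_port=3306):
    """Tunnel command that works even when the remote mysqld only listens on loopback."""
    return f"ssh -N -f -L {local_port}:127.0.0.1:{remote_port} {ssh_host}"

def demonstrate_conflict():
    """Hold a listening socket (constructed stand-in for a local mysqld) and probe it."""
    with socket.socket() as busy:
        busy.bind(("127.0.0.1", 0))
        busy.listen(1)
        port = busy.getsockname()[1]
        while_held = local_port_free(port)
    return while_held, local_port_free(port)
```

The client would then connect with `mysql -h 127.0.0.1 -P <local_port>` (or point SQLyog at that port); the server's own port 3306 never needs to be reachable from the Internet.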
