ssh tunnel with mysql

or other ways of securing port 3306

9:20 pm on Mar 23, 2004 (gmt 0)

I have SQLyog up and working to sync my test (at home) and online MySQL databases. All well and good, but it does mean I have had to open port 3306 on my server. I have had a go at SSH tunnelling, but (presumably) because I have a MySQL server already running on port 3306 my SSH tunnel won't let me bind to that port, e.g.

ssh -N -f -L 3306:myhost.com:3306 myhost.com

returns an error message about "channel_setup_fwd_listener: cannot listen to port, address already in use".

Hmmm. Unfortunately I am unable to limit connections to port 3306 to just my own IP, as I am assigned a dynamic one by my provider.

Does anyone have any other solutions to keep security high whilst allowing use of the SQLyog sync tool?

Can I assign MySQL a different port number just for the tunnel? Normally I don't need port 3306 to be open, just for the syncing.

Many thanks :)

11:53 pm on Mar 23, 2004 (gmt 0)

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

As a separate matter, you could always just forward some other local port. Maybe pick 3307 if nothing else is listening there.

Combining the two ideas, you'd connect something like this:

me@home:~$ ssh -N -f -L 3307:localhost:3306 myhost.com
me@home:~$ mysql -h 127.0.0.1 -P 3307 database
# -h 127.0.0.1 matters: with no host, or with -h localhost, the Unix mysql client
# connects over the socket file and silently ignores -P, bypassing the tunnel.
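As an added example (my own code, not dingman's and not from the thread), a small shell script that checks the first idea from the server side. In my.cnf the setting is `bind-address = 127.0.0.1` under `[mysqld]`, followed by a restart of mysqld; `skip-networking` is not an option here, because the tunnel still needs a TCP listener on loopback. The script reads `netstat -ltn` output and reports any listener on the given port that is bound to something other than 127.0.0.1 or ::1. The two sample outputs are constructed for the demo to show the before and after state.

```shell
#!/bin/sh
# Added example, not from the thread: audit which addresses a port is bound to.
# Input is the output of `netstat -ltn`; only the "Local Address" column is used.
# The sample outputs below are constructed for the demo.

# Print every TCP listener on port $1 (default 3306) that is NOT on loopback.
# Exit status: 0 if the port is loopback-only or not listening, 1 if exposed.
exposed_listeners() {
    port=${1:-3306}
    found=0
    while read -r proto recvq sendq laddr rest; do
        # skip the banner and header lines
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        # keep only listeners whose local address ends in :<port>
        case "$laddr" in *:"$port") ;; *) continue ;; esac
        # 127.0.0.1 and ::1 are fine; 0.0.0.0, :: and any real IP are not
        case "$laddr" in
            127.0.0.1:*|::1:*) ;;
            *) echo "$laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed `netstat -ltn` output: before (mysqld on all interfaces) ...
NETSTAT_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# ... and after bind-address = 127.0.0.1 in my.cnf plus a restart of mysqld.
NETSTAT_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Demo: report on both constructed samples. On a live box you would run
#   netstat -ltn | exposed_listeners 3306
for sample in "$NETSTAT_BEFORE" "$NETSTAT_AFTER"; do
    if printf '%s\n' "$sample" | exposed_listeners 3306; then
        echo "3306: loopback only (or not listening)"
    else
        echo "3306: exposed on the address(es) above"
    fi
done
```

For the iptables half of the advice, a rule such as `iptables -A INPUT -p tcp --dport 3306 ! -i lo -j DROP` refuses 3306 from anything but the loopback interface, so even a misconfigured mysqld that comes back on 0.0.0.0 after an upgrade stays unreachable; the script, run over live `netstat -ltn` output, is the check that mysqld itself no longer offers the port to the outside.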

7:54 pm on Mar 24, 2004 (gmt 0)

You can compile MySQL with SSL support using the OpenSSL libs. This way the MySQL server and client will do SSL automatically without a separate tunnel.

daisho.

9:38 pm on Mar 24, 2004 (gmt 0)

Hi dingman,

I am trying what you suggest, but am having no success.

I am not sure what you mean by

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

I have two machines, one at home and one remote. I presume you refer to the remote server, but how would I do that? I have been reading the MySQL manual today and although I haven't gone too deeply into it, couldn't I set that up in my.cnf? Or would I have to recompile? (Yikes.)

I have tried every kind of combination of ports and hosts, but my SSH tunnel either hangs or it asks for the password and I am thrown straight back out again to my home shell (even with the correct password).

I have succeeded using PuTTY on my Win2K box, using ports 3307 local and 3306 remote, but on my Red Hat box it won't work.

I am at my wits' end...

Recompiling... daisho - I am on Red Hat and have installed everything from RPM - the thought of uninstalling and then recompiling from source brings me out in a cold sweat ;-)

Thanks folks

6:35 am on Mar 28, 2004 (gmt 0)

Hi dingman,

I configured MySQL on my remote server to only listen on 127.0.0.1 (not nearly as tricky as I thought ;) but that of course prevents any connections from my home server to the remote server via any port.

So for the time being I have configured MySQL to listen on another completely unrelated port, not 3306. This should stop any casual snoopers. I have just been looking at the static IP services Claus mentioned - DynDNS - this would enable me to limit access to this MySQL port from my box only (normally I have a dynamic IP). It seems to be the best workaround.

Cheers!

7:08 am on Mar 28, 2004 (gmt 0)

i configured mysql on my remote server to only listen on 127.0.0.1 (not nearly as tricky as i thought but that of course prevents any connections from my home server to the remote server via any port.

That's surmountable with the SSH tunnel. 'ssh -f -N -L 3306:myhost.com:3306 myhost.com' won't work, but 'ssh -f -N -L 3306:127.0.0.1:3306 myhost.com' will. The difference is that the host specification between the port numbers is interpreted by the remote machine, in this case 'myhost.com'. It's subtle, but it works.