
ssh tunnel with mysql

or other ways of securing port 3306

9:20 pm on Mar 23, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
posts:1126
votes: 0


I have SQLyog up and working to sync my test (at home) and online MySQL databases. All well and good, but it does mean I have had to open port 3306 on my server. I have had a go at SSH tunnelling but (presumably) because I have a mysql-server already running on port 3306 my SSH tunnel won't let me bind to that port, e.g.

ssh -N -f -L 3306:myhost.com:3306 myhost.com

returns an error message about "channel_setup_fwd_listener: cannot listen to port, address already in use".

Hmmm. Unfortunately I am unable to limit connections to port 3306 to just my own IP as I am assigned a dynamic one by my provider.

Does anyone have any other solutions to keep security high whilst allowing use of the SQLyog sync tool?

Can I assign MySQL a different port number just for the tunnel? Normally I don't need port 3306 to be open, just for the syncing.

Many thanks :)

11:53 pm on Mar 23, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 12, 2002
posts:885
votes: 0


I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

As a separate matter, you could always just forward some other local port. Maybe pick 3307 if nothing else is listening there.

Combining the two ideas, you'd connect something like this:

me@home:~$ ssh -N -f -L 3307:localhost:3306 myhost.com
me@home:~$ mysql -P 3307 database

7:54 pm on Mar 24, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 31, 2003
posts:457
votes: 0


You can compile MySQL with SSL support using the OpenSSL libs. This way the MySQL server/client will do SSL automatically without a separate tunnel.

daisho.

9:38 pm on Mar 24, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
posts:1126
votes: 0


Hi dingman,

I am trying what you suggest, but am having no success.

I am not sure what you mean by

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

I have two machines, one at home and one remote. I presume you refer to the remote server, but how would I do that? I have been reading the MySQL manual today and although I haven't gone too deeply into it, couldn't I set that up in my.cnf? Or would I have to recompile? (Yikes.)

I have tried every kind of combination of ports and hosts but my SSH tunnel either hangs, or it asks for the password and I am thrown straight back out again to my home shell (even with the correct password).

I have succeeded using PuTTY on my Win2k box, using ports 3307 local and 3306 remote, but on my Red Hat box it won't work.

Am at my wits' end...

Recompiling... daisho - I am on Red Hat and have installed everything from RPM - the thought of uninstalling and then recompiling from source brings me out in a cold sweat ;-)

Thanks folks

6:35 am on Mar 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
posts:1126
votes: 0


Hi dingman,

I configured MySQL on my remote server to only listen on 127.0.0.1 (not nearly as tricky as I thought ;) but that of course prevents any connections from my home server to the remote server via any port.

So for the time being I have configured MySQL to listen on another completely unrelated port, not 3306. This should stop any casual snoopers. I have just been looking at the static IP services claus mentioned (DynDNS); this would enable me to limit access to this MySQL port from my box only (normally I have a dynamic IP). It seems to be the best workaround.

Cheers!

7:08 am on Mar 28, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 12, 2002
posts:885
votes: 0


I configured MySQL on my remote server to only listen on 127.0.0.1 (not nearly as tricky as I thought), but that of course prevents any connections from my home server to the remote server via any port.

That's surmountable with the SSH tunnel. 'ssh -f -N -L 3306:myhost.com:3306 myhost.com' won't work, but 'ssh -f -N -L 3306:127.0.0.1:3306 myhost.com' will. The difference is that the host specification between the port numbers is interpreted by the remote machine, in this case 'myhost.com'. It's subtle, but it works.
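The two points dingman makes in the thread (pick a free local port when 3306 is already taken, and put 127.0.0.1 rather than myhost.com in the middle of the -L spec because that host is resolved by the SSH server) can be checked mechanically. The script below is an added example, not code posted by anyone in this thread. It assumes the server is called myhost.com, that mysqld runs on the default port 3306, and it reads a constructed my.cnf fragment; the `-h 127.0.0.1` on the mysql client line is there because on Unix the client treats `localhost` as "use the Unix socket", which would bypass the tunnel entirely.

```python
"""Plan an SSH local port forward to a MySQL server bound to 127.0.0.1.

Added example for this thread, not code from the original posts. Assumes the
SSH/MySQL host is myhost.com; the my.cnf below is constructed for illustration.
"""
import socket

# Constructed my.cnf fragment: mysqld bound to loopback, as dingman recommends.
SAMPLE_MY_CNF = """
[client]
port = 3306

[mysqld]
port = 3306
bind-address = 127.0.0.1   # only reachable from the server itself
skip-name-resolve
"""


def mysqld_listen_address(my_cnf_text):
    """Return (bind_address, port) from the [mysqld] section of a my.cnf.
    No bind-address means "all interfaces", which is what exposed 3306."""
    section, bind, port = None, "0.0.0.0", 3306
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue                             # bare options, other sections
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower().replace("_", "-")      # MySQL accepts bind_address too
        if key == "bind-address":
            bind = value
        elif key == "port":
            port = int(value)
    return bind, port


def local_port_in_use(port, host="127.0.0.1"):
    """True when something already listens on host:port: the condition behind
    ssh's 'channel_setup_fwd_listener: cannot listen to port' error."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
    return False


def pick_local_port(preferred, tries=10):
    """First free local port at or above `preferred` (3306 -> 3307 if taken)."""
    for port in range(preferred, min(preferred + tries, 65536)):
        if not local_port_in_use(port):
            return port
    raise RuntimeError("no free local port near %d" % preferred)


def forward_spec(local_port, bind_address, mysql_port):
    """Build the -L argument. The middle host is connected to BY THE SSH
    SERVER, so a loopback-only mysqld needs 127.0.0.1 there, not myhost.com."""
    if bind_address in ("0.0.0.0", "::", "127.0.0.1", "localhost"):
        target = "127.0.0.1"
    else:
        target = bind_address        # mysqld pinned to one specific interface
    return "%d:%s:%d" % (local_port, target, mysql_port)


def forward_reaches_mysqld(spec, bind_address):
    """Does a -L spec (IPv4/hostname target) reach mysqld given its bind-address?
    The OP's '3306:myhost.com:3306' fails this once mysqld binds 127.0.0.1."""
    target = spec.rsplit(":", 2)[-2]
    if bind_address in ("127.0.0.1", "localhost"):
        return target in ("127.0.0.1", "localhost")
    return True


def tunnel_plan(my_cnf_text, ssh_host, user, database, preferred_local_port=3306):
    """Assemble the ssh and mysql command lines for the tunnel."""
    bind, mysql_port = mysqld_listen_address(my_cnf_text)
    local_port = pick_local_port(preferred_local_port)
    spec = forward_spec(local_port, bind, mysql_port)
    return {
        "local_port": local_port,
        "ssh": ["ssh", "-N", "-f", "-L", spec, ssh_host],
        # -h 127.0.0.1, not localhost: on Unix the mysql client turns
        # "localhost" into a Unix-socket connection and bypasses the tunnel.
        "mysql": ["mysql", "-h", "127.0.0.1", "-P", str(local_port),
                  "-u", user, "-p", database],
    }


if __name__ == "__main__":
    plan = tunnel_plan(SAMPLE_MY_CNF, "myhost.com", "me", "database")
    print(" ".join(plan["ssh"]))
    print(" ".join(plan["mysql"]))
```

For a GUI client such as SQLyog the same rule applies: the tunnel endpoint is 127.0.0.1 and whatever local port the forward bound, and the remote-side target in the forward stays 127.0.0.1 as long as mysqld listens only on loopback.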
