
Forum Moderators: bakedjake


ssh tunnel with mysql

or other ways of securing port 3306


jamie

9:20 pm on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i have sqlyog up and working to sync my test (at home) and online mysql databases. all well and good, but it does mean i have had to open port 3306 on my server. i have had a go at ssh tunnelling but (presumably) because i have a mysql-server already running on port 3306 my ssh tunnel won't let me bind to that port. e.g.

ssh -N -f -L 3306:myhost.com:3306 myhost.com

returns an error message about "channel_setup_fwd_listener: cannot listen to port, address already in use"

hmmm. unfortunately i am unable to limit connections to port 3306 to just my own IP as i am assigned a dynamic one by my provider.

does anyone have any other solutions to keep security high whilst allowing use of the sqlyog sync tool?

can i assign mysql a different port number just for the tunnel? normally i don't need port 3306 to be open, just for the syncing.

many thanks :)

dingman

11:53 pm on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

As a separate matter, you could always just forward some other local port. Maybe pick 3307 if nothing else is listening there.

Combining the two ideas, you'd connect something like this:

me@home:~$ ssh -N -f -L 3307:localhost:3306 myhost.com
me@home:~$ mysql -P 3307 database

daisho

7:54 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



You can compile mysql with SSL support using the OpenSSL libs. This way mysql server/client will do SSL automatically without a separate tunnel.

daisho.

jamie

9:38 pm on Mar 24, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hi dingman,

i am trying what you suggest, but am having no success.

i am not sure what you mean by

I'd probably set up MySQL on the server to just listen on 127.0.0.1:3306, and possibly enforce that prohibition with iptables. That way, a port scan wouldn't even show 3306 as open.

i have two machines, one at home and one remote. i presume you refer to the remote server, but how would i do that? i have been reading the mysql manual today and although haven't gone too deeply into it, couldn't i set that up in my.cnf? or would i have to recompile. (yikes)

i have tried every kind of combination of ports and hosts but my ssh tunnel either hangs or it asks for the password and i am thrown straight back out again to my home shell? (even with correct password).

i have succeeded using putty on my win2k box, using ports 3307 local and 3306 remote, but on my redhat box it won't work.

am at my wits' end...

recompiling... daisho - i am on redhat and have installed everything from rpm - the thought of uninstalling and then recompiling from source brings me out in a cold sweat ;-)

thanks folks

jamie

6:35 am on Mar 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hi dingman,

i configured mysql on my remote server to only listen on 127.0.0.1 (not nearly as tricky as i thought ;) but that of course prevents any connections from my home server to the remote server via any port.

so for the time being i have configured mysql to listen on another completely unrelated port, not 3306. this should stop any casual snoopers. i have just been looking at the static IP services claus mentioned - DynDNS - this would enable me to limit access to this mysql port from my box only (normally i have a dynamic IP). it seems to be the best work around.

cheers!

dingman

7:08 am on Mar 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i configured mysql on my remote server to only listen on 127.0.0.1 (not nearly as tricky as i thought but that of course prevents any connections from my home server to the remote server via any port.

That's surmountable with the SSH tunnel. 'ssh -f -N -L 3306:myhost.com:3306 myhost.com' won't work, but 'ssh -f -N -L 3306:127.0.0.1:3306 myhost.com' will. The difference is that the host specification between the port numbers is interpreted by the remote machine, in this case 'myhost.com'. It's subtle, but it works.
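The procedure the thread converges on (loopback-only mysqld on the server, a local port other than 3306 at home, and a forward whose middle field is resolved by the remote side) gathered into one script. This is an added example, not code posted by dingman, jamie or anyone else in the thread; the server name myhost.example, the database name mydb and the use of ss/netstat to detect a busy local port are assumptions for illustration, and the iptables rule is printed rather than executed.

```shell
#!/bin/sh
# Added example: the ssh-tunnel-to-MySQL setup from the thread as checkable
# shell functions. Hostnames, ports and database names are placeholders.

# ----- server side --------------------------------------------------------
# Fragment for the [mysqld] section of my.cnf. Binding to loopback only means
# the daemon is unreachable from the network, so a port scan will not show
# 3306 as open; the SSH tunnel still reaches it via the server's own loopback.
mysqld_loopback_cnf() {
    cat <<'EOF'
[mysqld]
bind-address = 127.0.0.1
port = 3306
EOF
}

# Belt-and-braces rule, printed only: drop 3306 traffic that did not arrive on
# the loopback interface, in case bind-address is ever changed by mistake.
mysql_iptables_rule() {
    printf '%s\n' "iptables -A INPUT -p tcp --dport 3306 ! -i lo -j DROP"
}

# ----- client side (home machine) ----------------------------------------
# Is a local TCP port already bound? Tries ss, then netstat; returns 2 (unknown)
# if neither exists so the caller can decide what to do.
local_port_in_use() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$" && return 0 || return 1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$" && return 0 || return 1
    fi
    return 2
}

# First free local port at or above $1. This is the "address already in use"
# problem from the first post: a mysqld at home already holds 3306, so the
# tunnel must listen somewhere else (3307 is the thread's choice).
pick_local_port() {
    p=$1
    while local_port_in_use "$p"; do
        p=$((p + 1))
    done
    echo "$p"
}

# The -L forward spec. The middle field is resolved by the REMOTE host, which
# is dingman's point: 127.0.0.1 there is the server's own loopback, exactly
# where the loopback-only mysqld listens. Putting the public hostname there
# makes sshd on the server connect out to its public address, which the
# bind-address above refuses.
forward_spec() {
    local_port=$1
    remote_port=${2:-3306}
    echo "${local_port}:127.0.0.1:${remote_port}"
}

tunnel_command() {
    server=$1
    local_port=$2
    echo "ssh -N -f -L $(forward_spec "$local_port") $server"
}

# -h 127.0.0.1 matters: with no host, or with 'localhost', the Unix mysql
# client uses the local socket and silently bypasses the tunnel, so -P alone
# would connect to the home database instead of the remote one.
client_command() {
    local_port=$1
    db=$2
    echo "mysql -h 127.0.0.1 -P $local_port $db"
}

# Run with the argument "demo" to print the whole procedure for your values.
if [ "${1:-}" = "demo" ]; then
    port=$(pick_local_port 3306)
    echo "# on the server, append to my.cnf:"
    mysqld_loopback_cnf
    echo "# on the server, optional firewall rule:"
    mysql_iptables_rule
    echo "# at home:"
    tunnel_command myhost.example "$port"
    client_command "$port" mydb
fi
```

After the tunnel is up, `ss -ltn` at home should show the chosen port bound on 127.0.0.1 and nothing new on the server's public address; a scan of the server from outside should still report 3306 closed.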
