  1. #1 kenquad

    Would you allow MySQL connections from any IP if running on a non-standard port?

    Just want to get some security opinions here. We're running a script that needs to connect to a remote MySQL installation, and may not be able to use SSH tunneling because of the way it is put together. By default, our VPS configuration doesn't allow external hookups to MySQL, except for certain specified IP's. The trouble is that we're on a dynamic IP, and constantly updating the exceptions is getting to be too much of a pain.

    MySQL is running on a completely non-standard port. Considering that root shell access can be similarly acquired from any IP address with only a (complex) password, it doesn't seem to me like allowing wildcard MySQL access - also password protected - is such a risk. What do you guys think?

  2. #2 SitePoint Enthusiast
    If it's a non-standard high-range port, then the risk is low in my opinion. Make sure it is well into the higher ranges though as they tend to scan lower ranges - e.g. 32000 or higher.

    Secondly, you could use something like CSF with its dynamic IP feature; which allows dynamic IPs specified in /etc/csf.dyndns to be allowed full access to all server ports.

    CSF also provides a "port knocking" feature, where an attempted open run on several ports will open a secured port for access - like a combination lock. For instance, an attempt to open port 33006, then 33008, then 33007 and voila, the real MySQL port on 33010 suddenly opens to new connections for 30 seconds. This may not work too well from a script, not sure, though it should be scriptable.

    Re the SSH analogy, you should also be running SSH on a high, non-standard port, for just the same reasons.

  3. #3 kenquad
    Thanks for your input, Brian. I also am leaning toward the idea that the risk level is acceptable - we are running it on a very high port.

    CSF sounds interesting, but I don't quite understand how it interacts with dynamic IPs. Can it do some kind of lookup, say with dyndns.org (which we're already running) to determine what your current IP is and allow that? Couldn't find any information on such a feature.

    We are running SSH on a high non-standard port as well.

  4. #4 SitePoint Enthusiast
    Re CSF and dynamic IPs - yes, it does a lookup every few minutes, as far as I know.

    Re SSH on a high port - way to go! The other reason to run SSH on a high port is that it reduces log noise, so that you notice real attempts to break in.

  5. #5 StarLion
    Also, don't make it -any- IP. Even dynamically assigned, you should still be within the same IP grouping each time. It's not black and white between specific-IP and %, you can use a partial wildcard.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.
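    To make the "partial wildcard" point concrete, here is an added example (not code from the thread or from MySQL) that reproduces how MySQL matches an IPv4 client address against the host part of a 'user'@'host' account: '%' and '_' behave as LIKE wildcards, and the 'address/netmask' form is also accepted. It lets you compare how much address space each pattern admits before you grant it. The addresses are constructed documentation-range samples, and the admitted_count figure is an upper-bound estimate for octet-boundary patterns only.

```python
"""
Added example: estimate how wide a MySQL account host pattern is.

MySQL compares the connecting client's address with the host part of
'user'@'host'.  '%' matches any sequence, '_' any single character, and
'net/mask' (IPv4) matches a subnet.  Only IPv4 literals are handled here;
MySQL also matches resolved hostnames, which this example ignores.
"""
import ipaddress
import re


def host_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate MySQL LIKE-style host wildcards into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def client_matches(pattern: str, client_ip: str) -> bool:
    """True if MySQL would treat client_ip as matching the account host."""
    if "/" in pattern:
        net_str, mask_str = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net_str, mask_str), strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return host_pattern_to_regex(pattern).match(client_ip) is not None


def admitted_count(pattern: str) -> int:
    """Upper bound on the number of IPv4 addresses a pattern admits.

    For patterns that wildcard whole trailing octets ('203.0.113.%',
    '203.0.%', '%') this is exact; for a netmask form it is the subnet size.
    """
    if "/" in pattern:
        net_str, mask_str = pattern.split("/", 1)
        return ipaddress.IPv4Network((net_str, mask_str), strict=False).num_addresses
    fixed = 0
    for octet in pattern.split("."):
        if not octet.isdigit():
            break
        fixed += 1
    return 256 ** (4 - fixed)


def scope_report(patterns):
    """Map each candidate host pattern to the address count it admits."""
    return {p: admitted_count(p) for p in patterns}


if __name__ == "__main__":
    # Constructed candidates: the thread's '%' versus progressively narrower forms.
    for pattern, count in scope_report(
        ["%", "203.%", "203.0.%", "203.0.113.%", "203.0.113.0/255.255.255.0"]
    ).items():
        print(f"{pattern:28} admits up to {count:>10} addresses")
    print(client_matches("203.0.113.%", "203.0.113.42"))   # True
    print(client_matches("203.0.113.%", "198.51.100.42"))  # False
```

    The comparison is the whole point of StarLion's advice: '%' admits the entire IPv4 space, while a three-octet prefix admits 256 addresses. As kenquad notes in the next post, an ISP that changes all four octets defeats even the widest partial prefix, at which point only a dynamic allow-list (CSF's dyndns file or an equivalent script) keeps the rule narrow.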

  6. #6 kenquad
    Quote Originally Posted by StarLion:
        Even dynamically assigned, you should still be within the same IP grouping each time.
    One would think that, but our ISP is absolutely crazy about sticking us with completely different IPs all the time - i.e. all 4 octets different.

  7. #7 TimIgoe
    Security by obscurity isn't the *best* answer at all (hiding the port); however, it's probably better than nothing.

    Firewall rules are the ideal answer. You could potentially set up the rules to apply to a dynamic DNS IP, that way when your remote IP address is updated, the firewall can be automatically updated (I've done this in the past with mixed success).

  8. #8 kenquad
    Quote Originally Posted by TimIgoe:
        Firewall rules are the ideal answer. You could potentially set up the rules to apply to a dynamic DNS IP, that way when your remote IP address is updated, the firewall can be automatically updated (I've done this in the past with mixed success).
    I'm considering attempting this with CSF. Could you elaborate a bit more on how your results were mixed?

  9. #9 TimIgoe
    Delays in dynamic DNS updates meant it was a little slow to cotton on, though it was set against a 3G dongle and I was using it in an area of flaky reception, so it's not a total surprise (access while on the road).
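    Posts #2, #7 and #9 all describe the same mechanism: a dynamic DNS name stands in for the client's changing address, and something on the server polls it and rewrites the allow rule. The following is an added example of that polling pass (not TimIgoe's script and not CSF's own /etc/csf.dyndns handling). It assumes iptables on the server, a DDNS hostname and MySQL port given as placeholders, and it is written to cope with the failure TimIgoe describes: a stale or failed lookup leaves the existing rule in place rather than removing access, and the new rule is inserted before the old one is deleted so there is never a moment with no rule at all.

```python
"""
Added example: keep a firewall allow rule in step with a dynamic DNS name.

Assumptions (placeholders, not values from the thread):
  - the remote client keeps DDNS_NAME updated with its current address;
  - the server filters with iptables and MySQL listens on MYSQL_PORT;
  - this script runs from cron every few minutes as root (execute=True).
Run without execute to see the planned commands only.
"""
import ipaddress
import json
import pathlib
import socket
import subprocess

DDNS_NAME = "client.example-ddns.invalid"   # placeholder hostname
MYSQL_PORT = 33010                           # placeholder non-standard port
STATE_FILE = "/var/lib/mysql-allow-state.json"


def plan_update(old_ip, new_ip, port):
    """Return iptables commands (argv lists) that move the allow rule from
    old_ip to new_ip.  Insert the new rule first, then delete the old one,
    so the client is never left without a rule.  Empty list when unchanged."""
    if new_ip == old_ip:
        return []
    rule = ["-p", "tcp", "--dport", str(port), "-j", "ACCEPT"]
    cmds = [["iptables", "-I", "INPUT", "-s", new_ip] + rule]
    if old_ip:
        cmds.append(["iptables", "-D", "INPUT", "-s", old_ip] + rule)
    return cmds


def resolve(hostname, resolver=socket.gethostbyname):
    """Resolve the DDNS name to an IPv4 literal.  Return None on a lookup
    failure or a non-address answer so the caller keeps the current rule;
    a DDNS lag (the "mixed success" case) must never tear access down."""
    try:
        ip = resolver(hostname)
        ipaddress.IPv4Address(ip)
        return ip
    except (OSError, ValueError):
        return None


def sync_allow_rule(hostname, old_ip, port, resolver=socket.gethostbyname,
                    execute=False):
    """One polling pass.  Returns (ip_to_store, commands_planned)."""
    new_ip = resolve(hostname, resolver)
    if new_ip is None:
        return old_ip, []            # lookup failed: change nothing
    cmds = plan_update(old_ip, new_ip, port)
    if execute:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return new_ip, cmds


def load_state(path):
    """Previously allowed IP, or None on first run."""
    p = pathlib.Path(path)
    return json.loads(p.read_text()).get("ip") if p.exists() else None


def save_state(path, ip):
    pathlib.Path(path).write_text(json.dumps({"ip": ip}))


if __name__ == "__main__":
    current = load_state(STATE_FILE)
    stored, planned = sync_allow_rule(DDNS_NAME, current, MYSQL_PORT)
    for cmd in planned:
        print(" ".join(cmd))
    if planned:
        save_state(STATE_FILE, stored)
```

    The polling interval bounds how long a stale address stays allowed after the client moves, so keep it short and keep the DDNS record's TTL low; the lag TimIgoe saw comes from the DDNS update plus cached DNS answers, not from the firewall itself. Because the rule is keyed to one address at a time, this is also strictly narrower than '%' in MySQL even when every octet changes.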