I’m considering setting up a server to connect to another server for a mysql insert and just wondering about security implications of doing this. It seems to me that the login credentials are sent in clear text. The servers are both on wired connections and so seems like the only opportunity for interception would be from a rogue employee at the ISP or remote server location… are these correct assumptions? Is there another recommended secure way to do this kind of thing?
Thanks for any thoughts.
You probably want to look into MySql replication here not some sort of shared insert thing but that might be what you are thinking of.
In terms of securing the connection a lot depends on network topograhy with your host. If you’ve got no control there I would presume it is being routed over the public internet and use SSL for the replication connection. See the mysql manual for some hints.
No, the other server is a node.js script collecting periodically sent GPS data from a few sources, parsing it into an INSERT query and relaying it directly into the remote MySql server. So nothing to replicate. I don’t like doing this in clear text but also don’t get excited about trying to do a secure node.js connection. Maybe I can lock it down in other ways - use stored procedures, only allow connections from the specified IP, set up a separate user with access to only one table etc.
I don’t think doing a SSL connection requires more than proper mysql configuration. Another easy option would be to put a web service running over HTTPS in front of the other mysql DB which has loads of other advantages like using protocols designed to survive the public internet.
All the means you mention do not help with folks sniffing credentials on the wire and if the port is open, well, the port is open.
The MySQL server is provided on a shared account at our webhost, so I don’t have control of the mysql configuration and have only limited ways to connect. But I’m having trouble imagining what mischief could be caused by someone going through the effort of sniffing the packets to get the login credentials, spoofing their IP to look like that one, and logging in under the stolen credentials that only allow insert privileges on one table containing a few columns of numeric type. It just seems a low value target, little to be gained. It’s not a mission critical part of our site either.
Most shared hosting will only allow a local mysql connection rather than a remote one.
Maybe most, but not all. I had shared hosting at a large (100K+ sites) hosting provider for years and they had no problem allowing remote mysql connections. I used mysql workbench (well, actually mysql query browser in pre-workbench days) from my workstation to administer my mysql db’s.