How to test remote access to port 3306
Securing root access remotely
The root account in MySQL is the most dangerous, since it corresponds to the DBA, ie the administrator of the database. For this reason it is necessary to pay special attention to securing that access.
So far we have specified a password for the root account and changed the user name. Assuming that the password is not easy to guess or crackable (see "Reflections on passwords), this is a first good protection. But we're not going to stop there! Indeed, we will prohibit any direct access to the MySQL server via the outside.
Completely prohibit remote access
If your MySQL server is queried and managed in local (eg Apache / PHP and MySQL on the same machine), the most secure and quickest is to simply prohibit all access from another machine.
For this, we can configure a firewall (netfilter / iptables, packet filter, ...) to block all incoming access to port MySQL, usually 3306.
However, MySQL offers an even simpler: Do not allow TCP / IP connections only via a local system process, such as a Unix socket (the famous mysql.sock), named pipes or shared memory (Windows only).
To disable the TCP / IP, you must start the server with the - skip-networking or modify the [mysqld] in the server configuration file (eg / etc / my.cnf):
[mysqld] socket = / tmp / mysql.sock [customer] socket = / tmp / mysql.sock
Mysql.user DELETE FROM WHERE Host <> 'localhost'; FLUSH PRIVILEGES;
Re: How to test remote access to port 3306
Allow remote access via SSH tunnel
If you necessarily need a remote access to MySQL, there is a relatively tight security, especially valid for many client / server. This solution is to use an SSH (Secure SHell) which not only enhance the identification, but in addition will encrypt all communications between the client and MySQL server!
As its name suggests, the primary purpose of the Secure SHell is to allow secure access to a console (shell) to execute commands remotely. However, the assurance of confidentiality and integrity of data sent over the network, it also provided another feature: the tunneling.
Tunneling, also known as port forwarding (port forwarding) is to use SSH as a sub-layer whose purpose is to secure data exchange. In practice, this is to connect to an SSH server and open a local port. The local port is used to connect to (in our case, MySQL) SSH client and forwards the data to the SSH server, which forwards the same to the service.
See an example to better understand:
Re: How to test remote access to port 3306
Given this pattern of use, we can already point out one thing: no direct connection on port 3306 of the MySQL server is established with the client. All data from the client are sent over the SSH server port. To secure our MySQL server, we can already prohibit connections from outside.
We have seen how to prohibit any TCP / IP connection with the skip-networking option. However, it is not appropriate in the case of an SSH tunnel. Indeed, the SSH server must be able to redirect the data to the MySQL server, and for that there is no alternative to TCP / IP. It is therefore necessary to allow the TCP / IP local.
To do this we use the bind-address option which allows to limit the source of the connections. That is what can be added to the configuration file for MySQL:
[mysqld] bind-address = 127.0.0.1
Mysql.user DELETE FROM WHERE User = 'root' AND Host! = 'Localhost'; FLUSH PRIVILEGES;
We do not see how to set up (and secure) a SSH server, or how to configure the client to enable a tunnel. I advise you, however, look at OpenSSH, which includes a server and SSH client. By default, the OpenSSH server (sshd) is configured to allow tunneling. To be sure, check that option PermitTunnel is "yes" in the configuration file for sshd (usually / etc / ssh / sshd_config)
Here is an example of connection tunnelée using the MySQL console client and the OpenSSH SSH client:
> Ssh-f-L 66306:127.0.0.1:3306 sleep mysql.mondomaine.com 10 firstname.lastname@example.org 's password: xxxxxxx => From here, we are connected to the server and our SSH tunnel is enabled on the local port 66306. > Mysql-h 127.0.0.1-P 66306-u root-p => To connect to the MySQL server, we use localhost: 66306 not mysql.mondomaine.com: 3306
If the MySQL server machine also has the administration programs (mysql, mysqldump, ...), it is not necessary to set up port-forwarding. You can simply run the command directly on the shell. A small example:
> Mysql.mondomaine.com ssh / usr / local / mysql / bin / mysqldump-A> backup
|Tags: access, port 3306, remote|
|Thread Tools||Search this Thread|
|Similar Threads for: "How to test remote access to port 3306"|
|Thread||Thread Starter||Forum||Replies||Last Post|
|Remote Potato vs. SageTV for remote access||Selva-Star||Technology & Internet||1||02-12-2010 02:56 PM|
|mysql port 3306 open||Unix'EM||Operating Systems||3||11-09-2009 07:03 PM|
|Control Access through Remote Access Policy grayed out||Amie||Operating Systems||3||01-08-2009 10:18 PM|
|VPN Remote Access Issue - Can Login, but can't access local resour||PARRISH||Small Business Server||2||14-05-2008 04:09 PM|