I have always used MySQL locally using sockets. Now I need to access a database remotely. How safe is it and what would I need to consider? Is it sufficient to just use the bind-address or should I set up a firewall as well to block traffic?
You should set up firewall rules to just allow those hosts that need to access the host, and block all others. You could do something like the following, but this is just a snippet...
This assumes that you have set a default policy of drop with
    iptables -P INPUT DROP
Don't forget to add rules for remote access like ssh with
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

You should always set up a firewall on the database server. There's no point in letting unauthorized people even attempt to connect to your database. Past that, make sure you are using strong passwords (after all, you don't need to remember the password).
The MySQL protocol is unencrypted over the wire, so if you don't trust your network you may want to tunnel it over SSH, or use some type of VPN.
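
The host allowlist described in the first answer, as an added example that is not part of any answer on this page: a shell function that validates client addresses and prints the iptables commands for review. The function names and the client addresses (RFC 5737 documentation ranges) are constructed, and the loopback and established-connection rules are assumptions beyond what the answer lists.

```shell
#!/bin/sh
# Added example: print an iptables rule set that accepts MySQL (tcp/3306)
# only from listed clients. Nothing is applied; the commands are only printed.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with an optional /0-32 prefix.
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into its four octets
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# mysql_fw_rules CLIENT...: print the rules, or fail before printing anything
# if a client address is malformed (so shell text never reaches a rule).
mysql_fw_rules() {
    for c in "$@"; do
        is_ipv4 "$c" || { echo "invalid client address: $c" >&2; return 1; }
    done
    # Assumption: keep loopback and replies to outbound connections working.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH rule from the answer, emitted before the policy change so an
    # administrator connected over SSH is not cut off.
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    for c in "$@"; do
        echo "iptables -A INPUT -p tcp -s $c --dport 3306 -j ACCEPT"
    done
    # Default-drop policy last: everything not accepted above is blocked.
    echo "iptables -P INPUT DROP"
}

# Constructed sample clients: one application host and one admin subnet.
mysql_fw_rules 192.0.2.10 198.51.100.0/24
```

Review the printed commands before running them as root; port 3306 stays closed to every source not passed to the function.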