Do you allow remote MySQL access?

[SilverNodashi]

Hi,



I'm curious, do you allow remote MySQL access to your server(s)?

This could have an impact on your security and bandwidth usage, but a lot of clients also need to use it.



So, as matter of interest, who allows remote MySQL access, and what kind of problems have you run into so far?

Upto now we just move all clients who need remote MySQL access to a specific server that has MySQL ports open, but that server is getting full and I'm considering just opening the ports on all the servers instead. cPanel also has a utility where the client needs to add his IP to the "allow remote MySQL connections" list, so it does add some security, but it's still plain text (AFAIK), so it does open up a security hole nonetheless.



I suppose I could change the MySQL port, OR probably even port forward another port to the MySQL port for added security.



But has anyone really had any problems with an open MySQL server?



P.S. I know about phpMyAdmin, and how to block the port. This isn't a "how do I block the ports", or "how do I setup phpMyAdmin" question.

 

[walter_l]

Opening up MySQL simply does not feel right to me. If I really need remote access, I usually create a SSH tunnel (ssh -R...) on demand, negating the need for opening MySQL directly.

 

[evilsee]

I would run it an non standard port, and keep database backups.

 

[Kloon]

If you want to give other applications access to your database create an API

 

[DarkStreet]

If you want to give other applications access to your database create an API

I am starting on a huge real estate system soon that will used on multiple servers and I'll be creating an API for inter-server communication, probably over a secure connection. This also adds a layer of security if I open up the API for developers to integrate 3rd party applications as they will never have the sensitive server details.

I never have and never will allow remote access to my servers.

 

[guest2013-1]

I can't remember specifically but there's a small php "api" file you can place somewhere in your root folder of your website which will then act as a conduit to chat to the MySQL server without requiring it's ports to be opened. Can't remember the program I used for this either (think it was a db sync program to sync 2 db's)

But I reckon that's the safest route to take rather than opening up the ports. That, and to rather install/give access to something like phpmyadmin for them. Actually, I'd highly recommend going the phpmyadmin route instead. Unless you can possibly firewall off all IP's except a bunch of "allowed" ones... but my guess is you can't (dynamic IP's and/or don't have a separate hardware firewall)

 

[midrange]

Are you talking about providing access to the DB through something like Navicat?

 

[Nod]

An example of PHP-XML-RPC: http://articles.sitepoint.com/print/own-web-service-php-xml-rpc

This will enable you to define what queries could be done, thus keeping complete control over your DB.

 

[James]

Are you talking about providing access to the DB through something like Navicat?

I provide external access for this use but I lock it down to an IP and only use secure passwords so I feel perfectly safe with this approach

 

[SilverNodashi]

I think you're all missing the point. This has nothing todo with an API, or whether I code my application properly or not.

I'm referring to a shared hosting environment where I allow clients to access their databases remotely, with or without an API (in fact, forget about the API altogether). i.e. I'm asking whether other ISP's allow remote MySQL access to their shared hosting servers and what issues they've picked up while doing so.

 

[DarkStreet]

I think you're all missing the point. This has nothing todo with an API, or whether I code my application properly or not.

I'm referring to a shared hosting environment where I allow clients to access their databases remotely, with or without an API (in fact, forget about the API altogether). i.e. I'm asking whether other ISP's allow remote MySQL access to their shared hosting servers and what issues they've picked up while doing so.

I don't do it and none of the hosts I've ever used have allowed it either. Better answer?

 

[SilverNodashi]

I don't do it and none of the hosts I've ever used have allowed it either. Better answer?

Do you provide shared hosting, or don't you allow it on your own PC?

 

[DarkStreet]

Do you provide shared hosting, or don't you allow it on your own PC?

We run a few dedicated servers mainly hosting websites we've developed. Before I really got into web I had a few sites with shared hosts, none of whom allowed remote access.

 

[James]

Do you provide shared hosting, or don't you allow it on your own PC?

I provide hosting and will only allow it on a case by case basis and insist in a) secure passwords and b) limited by IP. There is no real 'need' for remote access and if there was I would recommend doing it via a tunnel as suggested earlier.

 

[jonno_081]

I provide a shared hosting service and clients can activate remove access in CPANEL. Personally, as a software developer, I have used the remote access on more than one project (mostly for reporting, etc), so I wouldn't use a web server that doesn't at least give me the option. I know I could do the queries by sending HTTP headers to a php page I've set up, but the problem with that is it creates more work and I'd prefer to query the database in a standard way....

John

 

[Kloon]

The problem with remote access is that say someone gets past your authentication they have full access over the databases under that user, so nothing will stop them from dropping the databases if you the user has that rights.

I guess you could restrict IP and limit access to only certain tables if you would really like to enable remote access.

 

[SilverNodashi]

The problem with remote access is that say someone gets past your authentication they have full access over the databases under that user, so nothing will stop them from dropping the databases if you the user has that rights.

I guess you could restrict IP and limit access to only certain tables if you would really like to enable remote access.

Yes, the is the problem I am facing, but we haven't had much problems with this yet. The same could be said from FTP, POP3, SMTP, IMAP, etc which are all unsafe protocols. Someone on the cPanel forums has given me a script though which could restrict access via CSF only to the user's IP after he put it in his cPanel - so this could be very useful, I just need to test it out.

 

[James]

The same could be said from FTP, POP3, SMTP, IMAP, etc which are all unsafe protocols.

A fairly bold statement, why would you say these are unsafe protocols (besides ftp, which is pile)?

 

[DarkStreet]

A fairly bold statement, why would you say these are unsafe protocols (besides ftp, which is pile)?

I would also like to see some elaboration here...

 

[guest2013-1]

The only reason I mentioned an API was that it would help you lock down your MySQL server entirely to the outside and give your clients the ability to access it remotely without having to firewall their IP's or anything. You're also able to control the type of queries they do through it.

To me it's an entirely legitimate answer and I don't think I referenced how you write your code.

In summation: No i do not open up my database server ports to the public and give my clients, if required, remote access via some other means which is secure and/or firewall and restrict access through IP addresses

It's a huge risk opening up your ports on your database server, even if you use non-standardized ports.