kenquad — 2011-11-25T21:11:44-05:00 — #1
Just want to get some security opinions here. We're running a script that needs to connect to a remote MySQL installation, and may not be able to use SSH tunneling because of the way it is put together. By default, our VPS configuration doesn't allow external hookups to MySQL, except for certain specified IPs. The trouble is that we're on a dynamic IP, and constantly updating the exceptions is getting to be too much of a pain.
MySQL is running on a completely non-standard port. Considering that root shell access can be similarly acquired from any IP address with only a (complex) password, it doesn't seem to me like allowing wildcard MySQL access - also password protected - is such a risk. What do you guys think?
brianoz — 2011-11-27T00:10:40-05:00 — #2
If it's a non-standard high-range port, then the risk is low in my opinion. Make sure it is well into the higher ranges though, as they tend to scan lower ranges - e.g. 32000 or higher.
Secondly, you could use something like CSF with its dynamic IP feature, which allows dynamic IPs specified in /etc/csf.dyndns to be allowed full access to all server ports.
CSF also provides a "port knocking" feature, where an attempted open run on several ports will open a secured port for access - like a combination lock. For instance, an attempt to open port 33006, then 33008, then 33007, and voila, the real MySQL port on 33010 suddenly opens to new connections for 30 seconds. This may not work too well from a script, not sure, though it should be scriptable.
Re the SSH analogy, you should also be running SSH on a high, non-standard port, for just the same reasons.
kenquad — 2011-12-05T15:36:00-05:00 — #3
Thanks for your input, Brian. I also am leaning toward the idea that the risk level is acceptable - we are running it on a very high port.
CSF sounds interesting, but I don't quite understand how it interacts with dynamic IPs. Can it do some kind of lookup, say with dyndns.org (which we're already running), to determine what your current IP is and allow that? Couldn't find any information on such a feature.
We are running SSH on a high non-standard port as well.
brianoz — 2011-12-05T20:26:50-05:00 — #4
Re CSF and dynamic IPs - yes, it does a lookup every few minutes, as far as I know.
Re SSH on a high port - way to go! The other reason to run SSH on a high port is that it reduces log noise, so that you notice real attempts to break in.
starlion — 2011-12-06T08:37:09-05:00 — #5
Also, don't make it -any- IP. Even dynamically assigned, you should still be within the same IP grouping each time. It's not black and white between specific-IP and %; you can use a partial wildcard.
kenquad — 2011-12-06T09:51:10-05:00 — #6
One would think that, but our ISP is absolutely crazy about sticking us with completely different IPs all the time - i.e. all 4 octets different.
timigoe — 2011-12-06T18:17:19-05:00 — #7
Security by obscurity (hiding the port) isn't the best answer at all; however, it's probably better than nothing.
Firewall rules are the ideal answer. You could potentially set up the rules to apply to a dynamic DNS IP; that way, when your remote IP address is updated, the firewall can be automatically updated (I've done this in the past with mixed success).
kenquad — 2011-12-06T18:38:42-05:00 — #8
I'm considering attempting this with CSF. Could you elaborate a bit more on how your results were mixed?
timigoe — 2011-12-07T03:32:18-05:00 — #9
Delays in dynamic DNS updates meant it was a little slow to cotton on, though it was set against a 3G dongle and I was using it in an area of flaky reception, so it's not a total surprise (access while on the road).
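The approach discussed in #2 and #7 (a firewall allow rule for the MySQL port that follows a dynamic-DNS hostname, as CSF's /etc/csf.dyndns does) written out as a cron-driven script. This is an added example, not code from the thread or from CSF; the hostname, port, state-file path and the IPTABLES override are assumed names. It replaces the rule only when the resolved address actually changed, and keeps the old rule when resolution fails, so a stale or missing DNS answer (the delay problem in #9) never locks the client out.

```shell
#!/bin/sh
# Hypothetical settings; override via environment. IPTABLES=echo gives a dry run.
ALLOW_HOST="${ALLOW_HOST:-office.dyndns.example.invalid}"   # assumed hostname
MYSQL_PORT="${MYSQL_PORT:-33010}"                           # port from post #2
STATE_FILE="${STATE_FILE:-/var/lib/mysql-dyn-allow/last_ip}" # assumed path
IPTABLES="${IPTABLES:-iptables}"

# Print the first IPv4 address the resolver returns for a hostname, or nothing.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Accept only a dotted quad with octets 0..255, so a garbled DNS answer
# can never be turned into a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do [ "$o" -le 255 ] || return 1; done
}

# Replace the allow rule for $old (may be empty) with one for $new.
# Insert the new rule before deleting the stale one so access never lapses;
# do nothing when the address is unchanged.
apply_rule_update() {
    old="$1"; new="$2"
    [ "$old" = "$new" ] && return 0
    "$IPTABLES" -I INPUT -s "$new" -p tcp --dport "$MYSQL_PORT" -j ACCEPT || return 1
    [ -z "$old" ] || "$IPTABLES" -D INPUT -s "$old" -p tcp --dport "$MYSQL_PORT" -j ACCEPT
}

# Cron entry point: resolve, validate, update the rule, remember the address.
sync_allow_rule() {
    new=$(resolve_ipv4 "$ALLOW_HOST")
    if ! is_ipv4 "$new"; then
        echo "could not resolve $ALLOW_HOST; keeping the existing rule" >&2
        return 1
    fi
    old=""; [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    apply_rule_update "$old" "$new" || return 1
    mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$new" > "$STATE_FILE"
}

# Run every few minutes from cron as: mysql-dyn-allow.sh --sync
if [ "${1:-}" = "--sync" ]; then sync_allow_rule; fi
```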