I'm not a system guy; this is the first time I'm setting up a system. I have a remote system, and from a developer's point of view it would be good for me to have remote access to the database.
From a security point of view it is not so secure to have a remote connection open.
My question: should I go for remote access, and if yes, which is the best method?
I'm using CentOS 5.5 and MySQL.

5 Answers
- Set up MySQL to listen on localhost only.
- Get an SSH account on that server.
- Set up an SSH tunnel:
    ssh user@mysql-server -L3306:localhost:3306

Now your MySQL connections to localhost 3306 will be transparently forwarded to the MySQL server. You can use any of your dev weapons as if you were working directly on the server (mysql shell, phpMyAdmin).

Is it possible to make an SSH tunnel for Workbench or SQLyog? Can you throw some input on this? – Mukesh Yadav Oct 14 '10 at 16:38
I have no idea what those are, but as long as they support DSN configuration, just point that to localhost:3600 and it will go through the tunnel. – user237419 Oct 14 '10 at 16:59
Workbench: still don't know what that is. SQLyog: yes. The point is that the applications connecting to the SQL service don't need to be aware of using an SSH tunnel. – user237419 Oct 14 '10 at 17:02

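
A check for the first step of the tunnel answer above (MySQL listening on localhost only), as an added example that is not part of the original answers: it reads the [mysqld] section of a my.cnf file and reports where the server will accept TCP connections. The function name, the output labels and the sample files are assumptions made for this example; it reads only the one file given and does not follow include directives.

```shell
# Added example: classify how mysqld will listen, based on one my.cnf file.
# Prints one of: loopback-only | no-tcp | all-interfaces | other:<addr>
mysql_listen_scope() {
    awk '
        # Track the current [section]; only [mysqld] matters here.
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_mysqld || /^[ \t]*[#;]/ { next }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)     # drop trailing comments
            gsub(/[ \t]/, "", line)         # drop whitespace around "="
            n = index(line, "=")
            key = (n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            gsub(/_/, "-", key)             # bind_address and bind-address are the same option
            if (key == "skip-networking") no_tcp = 1
            if (key == "bind-address") addr = val   # a later setting overrides an earlier one
        }
        END {
            if (no_tcp) print "no-tcp"      # socket only: a tunnel to port 3306 will not work
            else if (addr == "" || addr == "0.0.0.0" || addr == "::" || addr == "*")
                print "all-interfaces"      # reachable remotely unless a firewall blocks 3306
            else if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
                print "loopback-only"       # what the SSH tunnel setup expects
            else print "other:" addr
        }
    ' "$1"
}

# Constructed sample configs (not from the page).
demo_dir=$(mktemp -d)
printf '[mysqld]\ndatadir=/var/lib/mysql\nbind_address = 127.0.0.1  # tunnel only\n[client]\nport=3306\n' > "$demo_dir/tunnel.cnf"
printf '[mysqld]\ndatadir=/var/lib/mysql\n' > "$demo_dir/default.cnf"
mysql_listen_scope "$demo_dir/tunnel.cnf"
mysql_listen_scope "$demo_dir/default.cnf"
```
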
It depends on how you want to interact - an ssh session even over a public link (with a small amount of extra obfuscation by moving the ssh port) will be pretty secure. If you want more access (direct access to the database on port 3306 and Web-oriented tools like phpmyadmin), a VPN to the remote server or its network would be a good move. Worst case would be restricted access directly to port 3306 by allowing only connections from certain IP addresses, but I wouldn't really recommend opening port 3306 to the outside world.

I would say that if your developer really must interact with the DB, you should install phpmyadmin. That's because, if you change your developer, there is almost a 100% chance that you will forget to remove his privileges on the database. So allow just your localhost and give him access through the web interface. I did assess a lot of MySQL servers where there were a lot of authorized developers who were gone, but the authorizations were always there.

It depends almost entirely on where the server is in relation to the developer. If both are behind the same firewall, and you trust your local network environment, then opening up MySQL locally wouldn't seem a particular risk.
On the other hand, if your server is running on the Internet 24/7 with a public IP address, you want to lock it down as much as you can - cue another link to [Implementing network security on Centos/RHEL Servers] which goes through a number of things better than I could ever do.
In terms of the best way of securing a connection, it depends what you want to do. If you just run SQL queries by hand, then SSH is all you need and the above link will get you there in a secure way. If you are wanting to use some GUI front end, then VPN access as mentioned by Linker3000, and succinctly detailed by adirau, would be the best bet.
I wouldn't recommend putting phpmyadmin on as a publicly accessible service, unless you can secure it with more than a username and password. If you need phpmyadmin, I'd only access it through a VPN tunnel. Don't have a link like http://www.my-nice-site/phpmyadmin - it will be probed within minutes, and any future exploits for phpmyadmin will be tried. I've seen my own server logs, and this is right at the top of failed HTTP requests!

Remote access is common in production environments which may have one or more web servers in front of a database server. Development environments often have looser security requirements than production, although make it as secure as possible.
- Provide least required privileges to the developer. Allow access from as few servers as possible.
- Limit root access to localhost.
- Firewall the port to allow access only from approved locations.
- Consider using TLS (SSL) encryption for remote access.
- Run the mysql_secure_installation script if available.
