38

I'm trying to allow a remote server to access a MySQL instance that currently shares a Linux server with a web app. According to the documentation the only way this would be possible (unless I'm not understanding correctly) is if the bind-address directive is set to 0.0.0.0, which results in MySQL allowing access from any IP that can produce a valid user.

So, two questions:

  1. how detrimental would this be to security?
  2. is there a better approach to allowing both local and remote interaction with MySQL?
7ochem
  • 280
  • 1
  • 3
  • 12
jonathanatx
  • 507
  • 1
  • 4
  • 9

2 Answers2

38

I think you are misunderstanding the bind-address setting a little. These are the local addresses that MySQL will listen for connections. The default is 0.0.0.0 which is all interfaces. This setting does not restrict which IPs can access the server, unless you specified 127.0.0.1 for localhost only.

If you need to restrict certain users from specific IP addresses, utilize create/grant user like this CREATE USER 'bobdole'@'192.168.10.221';

Doug Luxem
  • 9,612
  • 7
  • 50
  • 80
  • +1 but just a note that the default listening address varies depending on how MySQL is installed. – John Gardeniers Apr 08 '11 at 20:11
  • Thanks Doug, I think the default in this case was my local host, but that's good to know that users of a particular database are still restricted by IP. – jonathanatx Apr 08 '11 at 20:17
  • @jonathanatx MySQL default bind-address (in 5.6 and as far back as I know) is `0.0.0.0`. Although, I do think for many installs only binding locally is the best option. Don't open the door if you don't want anyone walking through it. – ebyrob Mar 17 '14 at 17:48
2

a. Its bad. Even though you could restrict user access by ip on each database, I think its safer to have all connections come in locally. On my servers I allow MySQL to only accept local connections, 127.0.0.1 as is the default configuration. To access the database remotely, all you need to do is create a ssh tunnel before connecting to the database and then connect locally. If you're coding with php its pretty easy to do this. If you're using a desktop application its easy to do it on Linux (look up ssh tunnel), On Windows I normally use a program like Putty to make the tunnel for me.

Jayson Just
  • 37
  • 1
  • 10
    That's pretty insane. The standard way to do it is to create users that can only be accessed from certain hostnames or IPs. Forcing every web server to make an SSH tunnel to a database is a lot more work than needs to be done. – TheLQ Apr 08 '11 at 20:13
  • 3
    Your web server and database server aren't always the same device. Don't let connections come in from the internet, certainly.. but there are secure ways to architect solutions with MySQL network access. – Shane Madden Apr 08 '11 at 20:17
  • If IP is restricted per database, and the root user with create user/database etc privileges is @'localhost' - is that possible to 'fake' from an external IP? Or are there other security issues I'd be raising? – jonathanatx Apr 08 '11 at 20:21
  • 1
    For a small setup (one db, one www) you *might* do ssh tunnelling. For a real setup your vpns and firewalls would be protecting you, therefore you'd open up via 0.0.0.0 to allow remote access. – Sonia Hamilton Apr 09 '13 at 05:23
  • 3
    For everyone thinking that the SSH tunnel idea is crazy, consider that the bulk of MySQL traffic is in the clear. If for some reason you have to connect across an untrusted network (i.e. the Internet), consider SSH or doing it over a VPN. Fire up Wireshark or some other packet sniffer if you want to see what I am talking about. – Brad Sep 16 '13 at 04:19
  • 2
    @Brad MySQL supports encryption so this is not correct. – Marti Markov Oct 12 '17 at 22:47