
I'm using a Galera cluster between a few web servers over the WAN. I have the traffic encrypted with ipsec between the servers, but it just struck me that anyone can connect to my Galera cluster and start downloading the database.

What would be the best way to protect myself against this? Is it possible to set some sort of authentication (e.g. a password) or only allow certain IPs to join the cluster in MariaDB?

(I'm aware Galera has support for SSL, but since I already use ipsec for secure server-to-server communication I don't want to have the extra overhead of encrypting things twice.)

The current option I came up with is using iptables to block the port for Galera and only allow certain IPs.

gijs007

1 Answer


You could set up a private network between your machines and bind Galera to the respective IPs, to make sure it's not reachable from the public internet.

Edit: Not sure which version you're using, but according to this, starting with 5.2.10, MariaDB includes a PAM Authentication Plugin.

gxx
  • Is that possible with ipsec? – gijs007 Jan 01 '16 at 19:24
  • @gijs007 Yes. I'm not that familiar with `IPsec`, but I think the [tunnel mode](https://en.wikipedia.org/wiki/IPsec#Tunnel_mode) is what you're looking for. – gxx Jan 01 '16 at 22:22
  • A tunnel would be possible but as far as I can see it only allows tunnels from A to B, which would make it hard to configure. Instead I've decided to use IPtables to close the port except for a few allowed IPs. The PAM module is for authentication as a MySQL user, but can't be used for Galera afaik. – gijs007 Jan 02 '16 at 20:38
  • @gijs007 If you're searching for an alternative to your `IPtables` solution it would be worth checking out [tinc](http://www.tinc-vpn.org/). – gxx Jan 08 '16 at 01:22
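As an added example (not code from the question or from the answer above), the following POSIX shell script ties together the two approaches discussed on this page: the asker's iptables allow-list and the answer's "bind Galera to the private IPs". It prints iptables rules that restrict the standard Galera ports (3306 client, 4567 replication over TCP and UDP, 4568 IST, 4444 SST) to an explicit list of peer addresses, and it prints a MariaDB configuration fragment that binds both the client listener and the Galera group-communication listener to the node's private address. The peer addresses 10.0.0.2 and 10.0.0.3 are constructed sample values. Note that `bind-address` only controls the MySQL client port; the Galera port 4567 is bound via `gmcast.listen_addr` in `wsrep_provider_options`, which is the detail that makes the answer's binding advice actually cover the cluster traffic.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Default Galera/MariaDB ports: 3306 client, 4567 replication (TCP, plus UDP
# when multicast is used), 4568 incremental state transfer, 4444 full SST.
GALERA_TCP_PORTS="3306 4567 4568 4444"

# galera_rules PEER_IP... : print iptables commands that allow the listed
# peers on every Galera port and drop everyone else. Only prints; review the
# output and then pipe it into a root shell.
galera_rules() {
    for peer in "$@"; do
        for port in $GALERA_TCP_PORTS; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$peer" "$port"
        done
        # 4567/udp is only used for multicast replication, but lock it down too
        printf 'iptables -A INPUT -p udp -s %s --dport 4567 -j ACCEPT\n' "$peer"
    done
    # Explicit DROP for unlisted sources on the same ports
    for port in $GALERA_TCP_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
    printf 'iptables -A INPUT -p udp --dport 4567 -j DROP\n'
}

# galera_rule_count PEER_IP... : number of rules galera_rules would emit
# (5 per peer plus 5 drop rules), handy as a sanity check before applying.
galera_rule_count() {
    galera_rules "$@" | wc -l | tr -d ' '
}

# galera_bind_config LOCAL_PRIVATE_IP PEER_IP... : print a [mysqld] fragment
# that binds the client port and the Galera listener to the private address.
# bind-address covers only 3306; gmcast.listen_addr covers the 4567 listener.
galera_bind_config() {
    local_ip=$1
    shift
    peers=$(printf '%s,' "$@")
    peers=${peers%,}
    printf '[mysqld]\n'
    printf 'bind-address=%s\n' "$local_ip"
    printf 'wsrep_node_address=%s\n' "$local_ip"
    printf 'wsrep_cluster_address=gcomm://%s\n' "$peers"
    printf 'wsrep_provider_options="gmcast.listen_addr=tcp://%s:4567"\n' "$local_ip"
}

# Example run with constructed addresses (this node is 10.0.0.2):
#   galera_rules 10.0.0.2 10.0.0.3
#   galera_bind_config 10.0.0.2 10.0.0.2 10.0.0.3
```

The rules are appended (`-A`), so they only take effect if the INPUT chain does not already end in a broad ACCEPT ahead of them; on a host with an existing permissive policy, insert them near the top with `-I` instead. Since the asker already has IPsec between the nodes, the private addresses used here would be the tunnel or inner addresses, so the allow-list admits only traffic that arrived through the encrypted path.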