SSH Tunnelling Mysql
I used putty to set up port forwarding to forward my local port 3306 to my remote host port 3306, but when I try to connect to mysql I get 'connection refused' in the putty log. The mysql connect error is 'Lost connection to mysql server during query'
This is my putty event log
2009-07-06 12:18:16 Looking up host "74.207.227.156"
2009-07-06 12:18:16 Connecting to 74.207.227.156 port 22
2009-07-06 12:18:17 Server version: SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-07-06 12:18:17 We claim version: SSH-2.0-PuTTY_Release_0.59
2009-07-06 12:18:17 Using SSH protocol version 2
2009-07-06 12:18:18 Doing Diffie-Hellman group exchange
2009-07-06 12:18:20 Doing Diffie-Hellman key exchange with hash SHA-256
2009-07-06 12:18:21 Host key fingerprint is:
2009-07-06 12:18:21 ssh-rsa ####################
2009-07-06 12:18:21 Initialised AES-256 SDCTR client->server encryption
2009-07-06 12:18:21 Initialised HMAC-SHA1 client->server MAC algorithm
2009-07-06 12:18:21 Initialised AES-256 SDCTR server->client encryption
2009-07-06 12:18:21 Initialised HMAC-SHA1 server->client MAC algorithm
2009-07-06 12:18:32 Sent password
2009-07-06 12:18:33 Access granted
2009-07-06 12:18:35 Opened channel for session
2009-07-06 12:18:35 Local port 3306 forwarding to 74.207.227.156:3306
2009-07-06 12:18:36 Allocated pty (ospeed 38400bps, ispeed 38400bps)
2009-07-06 12:18:37 Started a shell/command
2009-07-06 12:18:49 Opening forwarded connection to 74.207.227.156:3306
2009-07-06 12:18:49 Forwarded connection refused by server: Connect failed [Connection refused]
11 Replies
Joe
@NancyJ:
um, I assume so - if connections weren't allowed locally, it wouldn't work, would it? Its working - I have php/mysql websites working using it.
MySQL localhost access uses sockets by default so the fact that PHP is accessing the databases does not mean that network connections are allowed.
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 128K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
#log = /var/log/mysql/mysql.log
#
# Error logging goes to syslog. This is a Debian improvement :)
#
# Here you can see queries with especially long duration
#log_slow_queries = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * BerkeleyDB
#
# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
skip-bdb
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
#skip-innodb
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completition
[isamchk]
key_buffer = 16M
#
# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
# [MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/
As I understand it, bind-address = 127.0.0.1 means it should be accepting local connections?
@NancyJ:
As I understand it, bind-address = 127.0.0.1 means it should be accepting local connections?
Correct - so that's not the problem.
Your putty log reports
Opening forwarded connection to 74.207.227.156:3306
so the connection is being refused because MySQL is only listening on the loopback interface. Since I don't use putty, I'm not sure why this is.
For the local MySQL client, it obviously connects to 127.0.0.1 because that's where you're forwarding to.
For the remote endpoint, you're telling the SSH server where to connect to, which from the server's perspective, is 127.0.0.1.
So you'd want to tell Putty to forward port 3306 to 127.0.0.1:3306
It looks to me like you're telling your remote server to tunnel to your internet-facing IP, which isn't listening for MySQL connections, and that's why you're having issues.
Thanks a lot.