SSH Tunnelling Mysql

I want to access mysql on my linode from my local computer. I don't want just anyone to access my mysql server from anywhere.

I used putty to set up port forwarding to forward my local port 3306 to my remote host port 3306, but when I try to connect to mysql I get 'connection refused' in the putty log. The mysql connect error is 'Lost connection to mysql server during query'

This is my putty event log

2009-07-06 12:18:16    Looking up host "74.207.227.156"
2009-07-06 12:18:16    Connecting to 74.207.227.156 port 22
2009-07-06 12:18:17    Server version: SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-07-06 12:18:17    We claim version: SSH-2.0-PuTTY_Release_0.59
2009-07-06 12:18:17    Using SSH protocol version 2
2009-07-06 12:18:18    Doing Diffie-Hellman group exchange
2009-07-06 12:18:20    Doing Diffie-Hellman key exchange with hash SHA-256
2009-07-06 12:18:21    Host key fingerprint is:
2009-07-06 12:18:21    ssh-rsa ####################
2009-07-06 12:18:21    Initialised AES-256 SDCTR client->server encryption
2009-07-06 12:18:21    Initialised HMAC-SHA1 client->server MAC algorithm
2009-07-06 12:18:21    Initialised AES-256 SDCTR server->client encryption
2009-07-06 12:18:21    Initialised HMAC-SHA1 server->client MAC algorithm
2009-07-06 12:18:32    Sent password
2009-07-06 12:18:33    Access granted
2009-07-06 12:18:35    Opened channel for session
2009-07-06 12:18:35    Local port 3306 forwarding to 74.207.227.156:3306
2009-07-06 12:18:36    Allocated pty (ospeed 38400bps, ispeed 38400bps)
2009-07-06 12:18:37    Started a shell/command
2009-07-06 12:18:49    Opening forwarded connection to 74.207.227.156:3306
2009-07-06 12:18:49    Forwarded connection refused by server: Connect failed [Connection refused]

11 Replies

Try using host as 127.0.0.1 not 74.207.227.156

Joe

Hi Joe, I'm not sure I understand what you're asking, 74.207.227.156 is the remote host, if I use 127.0.0.1 instead, then I'll be connecting to my local machine.

You're not understanding the point of ssh tunnelling, you're supposed to connect to your local machine. ssh is forwarding the traffic on that port to the remote host. In your mysql client, you need to connect to 127.0.0.1.3306 and let ssh forward that traffic to the remote host.

In my mysql client I am connecting to my local machine and the port is forwarding to the remote server - its there in the log but the connection is being refused.

On the remote machine, do you have mysql set to allow connections locally?

um, I assume so - if connections weren't allowed locally, it wouldn't work, would it? Its working - I have php/mysql websites working using it.

@NancyJ:

um, I assume so - if connections weren't allowed locally, it wouldn't work, would it? Its working - I have php/mysql websites working using it.
MySQL localhost access uses sockets by default so the fact that PHP is accessing the databases does not mean that network connections are allowed.

This is my my.conf

#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# 
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port        = 3306
socket        = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket        = /var/run/mysqld/mysqld.sock
nice        = 0

[mysqld]
#
# * Basic Settings
#
user        = mysql
pid-file    = /var/run/mysqld/mysqld.pid
socket        = /var/run/mysqld/mysqld.sock
port        = 3306
basedir        = /usr
datadir        = /var/lib/mysql
tmpdir        = /tmp
language    = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address        = 127.0.0.1
#
# * Fine Tuning
#
key_buffer        = 16M
max_allowed_packet    = 16M
thread_stack        = 128K
thread_cache_size    = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover        = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10
#
# * Query Cache Configuration
#
query_cache_limit       = 1M
query_cache_size        = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
#log        = /var/log/mysql/mysql.log
#
# Error logging goes to syslog. This is a Debian improvement :)
#
# Here you can see queries with especially long duration
#log_slow_queries    = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id        = 1
#log_bin            = /var/log/mysql/mysql-bin.log
expire_logs_days    = 10
max_binlog_size         = 100M
#binlog_do_db        = include_database_name
#binlog_ignore_db    = include_database_name
#
# * BerkeleyDB
#
# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
skip-bdb
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
#skip-innodb
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

[mysqldump]
quick
quote-names
max_allowed_packet    = 16M

[mysql]
#no-auto-rehash    # faster start of mysql but no tab completition

[isamchk]
key_buffer        = 16M

#
# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
# [MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

As I understand it, bind-address = 127.0.0.1 means it should be accepting local connections?

@NancyJ:

As I understand it, bind-address = 127.0.0.1 means it should be accepting local connections?
Correct - so that's not the problem.

Your putty log reports Opening forwarded connection to 74.207.227.156:3306 so the connection is being refused because MySQL is only listening on the loopback interface. Since I don't use putty, I'm not sure why this is.

It was never addressed, but I thought I'd point out that when SSH tunneling, BOTH The local and remote endpoint of the SSH tunnel need to be localhost (127.0.0.1).

For the local MySQL client, it obviously connects to 127.0.0.1 because that's where you're forwarding to.

For the remote endpoint, you're telling the SSH server where to connect to, which from the server's perspective, is 127.0.0.1.

So you'd want to tell Putty to forward port 3306 to 127.0.0.1:3306

It looks to me like you're telling your remote server to tunnel to your internet-facing IP, which isn't listening for MySQL connections, and that's why you're having issues.

Yay, it works. I thought I tried that when Joe tried to suggest it (but not as clearly as you did) and iirc it just hung, maybe I was having internet connection issues at the time.

Thanks a lot.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct