mySQL Windows GUI Client?
I followed the LAMP install guide. I noticed that the "recommended setting" is to block Internet access for the root account.
How do I set things up so I can use the Windows mySQL GUI client, without opening up a potential security flaw?
Should I use phpmyadmin? Isn't that a potential security risk?
12 Replies
MySQL Workbench. Tunnel the connection over ssh.
Someone should update the LAMP install guide to make that bit clearer.
this page
Do I set up the new_user account so that it's only accessible on localhost? Or, do I set it up so that it's accessible anywhere? I assume localhost, because the connection goes through the tunnel?
GRANT ALL PRIVILEGES ON database.* TO 'user_name'@'192.168.1.50' IDENTIFIED BY 'password';
Replace database, user_name (single-quote needed), and 192.168.1.50 (single quotes needed) as needed. The 'IDENTIFIED BY 'password'' bit is only needed if the database user you're using doesn't already exist (if he does, you don't need the 'IDENTIFIED BY' part since he already exists with a password, you're just giving the user permission to log in from IP address 192.168.1.50).
If your access computer's IP address is dynamic (it changes every so often), then doing this is a BAD idea.
Unfortunately, since I don't use Windows, I can't offer any other suggestions. phpMyAdmin can be a security risk, though it should be fine IF AND ONLY IF you use a very strong password for your databases root user and normal user, and you keep phpMyAdmin up to date, though if you're able to go through an ssh tunnel and you don't need to give database access to anybody else, the ssh tunnel would definitely be the best option.
@Piki:
If your access computer's IP address is dynamic (it changes every so often), then doing this is a BAD idea.
I think it's a bad idea to open direct connections to mysql at all. IIRC, by default connections to mysql are unencrypted - meaning it wouldn't be difficult for someone to eavesdrop on the connection.
@fsk, yes, only allow from localhost if you're going to be tunneling.
Also, if you choose to use phpMyAdmin… as Piki said, use strong passwords and keep it updated. Also limit where phpMyAdmin can be accessed from and use https otherwise your super secure password will be sent in the clear.
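Putting the tunnel advice and Piki's GRANT together, here is an added example (not from any post in this thread, and not Linode's guide code) of what the setup looks like on the Linode side: the ssh port-forward the GUI client connects through, the localhost-only grant that goes with it, and a check for accounts still allowed in from other hosts. LINODE_HOST, SSH_USER, LOCAL_PORT, the db user "fsk", the database "appdb" and the sample mysql.user listing are all placeholders or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders: LINODE_HOST,
# SSH_USER, LOCAL_PORT, and the db user/database names below.

LINODE_HOST="${LINODE_HOST:-linode.example.com}"
SSH_USER="${SSH_USER:-deploy}"
LOCAL_PORT="${LOCAL_PORT:-3307}"

# 1. The tunnel. -N opens no remote shell; -L forwards a local port to the
#    Linode's own 3306. Binding the local end to 127.0.0.1 stops other
#    machines on your LAN from using the tunnel. The same values go in PuTTY
#    under Connection > SSH > Tunnels; then point MySQL Workbench at
#    127.0.0.1:$LOCAL_PORT with the db user's credentials.
tunnel_cmd() {
    # $1 = local port, $2 = ssh user, $3 = host
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:3306 %s@%s' "$1" "$2" "$3"
}

# 2. The grant. Traffic leaves the tunnel on the Linode itself, so MySQL
#    sees the client as localhost and the account needs no remote-host entry.
#    CREATE USER and GRANT are split because MySQL 8 no longer accepts
#    IDENTIFIED BY inside GRANT (older servers accept this form too).
grant_sql() {
    # $1 = db user, $2 = database; <password> is a placeholder
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '<password>';\n" "$1"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$2" "$1"
}

# 3. The check. Lists accounts MySQL still accepts from somewhere other than
#    loopback; run it against the output of
#      mysql -e "SELECT user, host FROM mysql.user"
#    A constructed sample of that output stands in here.
SAMPLE_USER_TABLE='user host
root localhost
fsk localhost
legacy %
reports 192.168.1.50'

nonlocal_accounts() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# Usage when run directly:
echo "tunnel: $(tunnel_cmd "$LOCAL_PORT" "$SSH_USER" "$LINODE_HOST")"
grant_sql fsk appdb
echo "accounts reachable from non-local hosts:"
nonlocal_accounts "$SAMPLE_USER_TABLE"
```

With the grant restricted to 'localhost', the only way in is through the tunnel, so the unencrypted-by-default MySQL wire traffic never leaves the Linode, and a dynamic home IP stops mattering. The third function is the thing to re-run after any GRANT: an entry with host '%' or a LAN address is exactly the direct-connection exposure the replies warn about.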
I have another security question.
I'm confused about when I was configuring PuTTY. What prevents someone else from downloading PuTTY, and attempting to connect to my Linode as root?
@fsk:
I have a dynamic IP, so that's out. I'll go with tunneling.
I have another security question.
I'm confused about when I was configuring PuTTY. What prevents someone else from downloading PuTTY, and attempting to connect to my Linode as root?
Nothing. That's why you should not allow root to connect via SSH, ever. You should also (if possible) only allow certificates via SSH, not passwords.
@fsk:
What's the proper way to secure the root account? Where is the guide for this?
In /etc/ssh/sshd_config, find PermitRootLogin and set it to no.
General SSH options:
SSH Key Auth:
If you set up SSH to only allow key authentication, only people with your specific SSH key file can connect, even if they know your password. On Windows, I personally run a VirtualBoxPuttygen tool
It'll take you a little while to get set up, but once you have it figured out, you'll have rock-solid SSH security.
And as other users have mentioned, there are zero good reasons to allow direct MySQL connections. It sounds like MySQL does have built-in SSH support.
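For the sshd_config change above and the key-only login the last reply describes, here is an added example (my own, not from the thread or a Linode guide) that checks an sshd_config for the recommended values and installs the public key PuTTYgen shows you into the non-root user's authorized_keys. The two sample configs are constructed; the authorized_keys path and key line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an sshd_config for the settings
# the replies recommend (no root login, key-only auth) and shows how the
# public key from PuTTYgen lands in authorized_keys. The sample configs and
# paths below are constructed for the example.

# Effective value of an sshd_config keyword. sshd honours the FIRST
# occurrence, so a later duplicate does not override an earlier line.
# Comment lines are ignored; $3 is returned if the keyword is absent.
sshd_opt() {
    # $1 = config text, $2 = keyword, $3 = default
    val=$(printf '%s\n' "$1" | awk -v k="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }')
    [ -n "$val" ] && printf '%s' "$val" || printf '%s' "$3"
}

# Returns 0 if the config matches the thread's advice, 1 otherwise, printing
# one line per finding. Defaults assumed here are "yes" for all three, which
# is what older OpenSSH shipped; newer OpenSSH defaults PermitRootLogin to
# prohibit-password, which still blocks root password logins.
audit_sshd() {
    ok=0
    root=$(sshd_opt "$1" PermitRootLogin yes)
    pass=$(sshd_opt "$1" PasswordAuthentication yes)
    pub=$(sshd_opt "$1" PubkeyAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root' (want no)"; ok=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass' (want no)"; ok=1; }
    [ "$pub" = "yes" ] || { echo "PubkeyAuthentication is '$pub' (want yes)"; ok=1; }
    return $ok
}

# Append the one-line OpenSSH public key (the text PuTTYgen displays as
# "Public key for pasting into OpenSSH authorized_keys file") for the
# ordinary login user, with the permissions sshd insists on.
install_pubkey() {
    # $1 = path to authorized_keys, $2 = public key line
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir"
    printf '%s\n' "$2" >> "$1" && chmod 600 "$1"
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CONFIG='# stock config
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# a later duplicate does not re-enable passwords: sshd keeps the first value
PasswordAuthentication yes'

# Usage when run directly:
echo "== weak sample =="
audit_sshd "$WEAK_CONFIG" || echo "FAIL"
echo "== hardened sample =="
audit_sshd "$HARDENED_CONFIG" && echo "PASS"
# On the Linode itself you would run:
#   audit_sshd "$(cat /etc/ssh/sshd_config)"
#   install_pubkey /home/<user>/.ssh/authorized_keys '<public key line from PuTTYgen>'
```

Order matters when you switch to key-only auth: install the key first, confirm a second PuTTY session logs in with it while the first session stays open, run `sshd -t` to syntax-check the edited config, and only then restart sshd. Disabling PasswordAuthentication before the key works locks you out of the server.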