I managed to use a PHP script to connect my web page to a remote MySQL server, but this requires port 3306 on the remote server to be open, which is a security concern. I need this functionality for my web site visitors, which of course eliminates the idea of allowing some predefined IP addresses.

So, how can I go about it, maybe with something like SSH Tunnelling?

Thanks Alex

  • You need your site visitors to have direct access to a remote MySQL? What is doing the connecting to the remote MySQL service, your PHP application code, or your visitors' clients? If it is your application code, then it is the _web server's IP address_ that is connecting, which can be reliably limited. – Michael Berkowski Jun 06 '14 at 02:44
  • But still, that is [insecure without SSL](http://dev.mysql.com/doc/refman/5.1/en/ssl-connections.html) and you may use an SSH tunnel between the machines. – Michael Berkowski Jun 06 '14 at 02:45
  • MySQL can be compiled for SSL: https://dev.mysql.com/doc/refman/5.0/en/ssl-connections.html – fin Jun 06 '14 at 02:45
  • I only want my web server to interact with the remote MySQL server database. Assume my server is at 198.103.24.15 for example. MySQL server runs on a Windows Server 2008. What do I do to open port 3306 and restrict it to my web site only? – Alex Evans Jun 06 '14 at 08:51

1 Answer

Personally, I've found that the best way for me, one that provides a good balance of security and performance, is to have port 3306 open but set a firewall rule restricting access to my web server's IP address.

You can use iptables to filter network traffic with a rule like this:

```
iptables -I INPUT -p tcp -s [WEBSERVER IP ADDRESS] --dport 3306 -j ACCEPT
```

You could combine that with connecting to the MySQL server securely as well, if you want the data encrypted during its trip from the MySQL server to the web server. See this Stack Overflow article: Securing remote mysql connection

mifi79
  • I only want my web server to interact with the remote MySQL server database. Assume my server is at 198.103.24.15 for example. MySQL server runs on a Windows Server 2008. What do I do to open port 3306 and restrict it to my web site only? – Alex Evans Jun 06 '14 at 08:53
  • Yes, that is exactly what you do. As for Windows Firewall setting, it won't be iptables, so you'd need to look into how to set that. – mifi79 Jun 06 '14 at 14:12
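
For the Windows Server 2008 case raised in the comments, the same restriction can be expressed with `netsh advfirewall` from an elevated command prompt. This is an added example, not part of the original answer; it assumes the web server address 198.103.24.15 from the question, a rule name invented here, and an English-language system (the `findstr` filters match English field labels).

```bat
rem Added example (not from the original answer).
rem 198.103.24.15 is the web server address given in the question.
rem The rule name below is an arbitrary label chosen for this example.
set WEB_IP=198.103.24.15
set RULE=MySQL 3306 from web server

rem 1. Check the inbound default. The allow rule below only restricts
rem    access if inbound traffic is blocked when no rule matches it.
netsh advfirewall show allprofiles firewallpolicy

rem 2. List inbound rules with their port and remote-address scope.
rem    Any other allow rule covering port 3306 with RemoteIP "Any"
rem    would still let every address in, so look for one here.
netsh advfirewall firewall show rule name=all dir=in | findstr /C:"Rule Name" /C:"LocalPort" /C:"RemoteIP"

rem 3. If step 2 shows such a rule, narrow its scope instead of leaving
rem    it open (replace the placeholder with the name shown in step 2):
rem    netsh advfirewall firewall set rule name="EXISTING RULE NAME" new remoteip=%WEB_IP%

rem 4. Allow TCP 3306 only when the source address is the web server.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow protocol=TCP localport=3306 remoteip=%WEB_IP% profile=any

rem 5. Read the rule back and confirm RemoteIP lists only the web server.
netsh advfirewall firewall show rule name="%RULE%" verbose

rem 6. Confirm MySQL is actually listening on 3306.
netstat -ano | findstr ":3306"
```

After applying the rule, a connection attempt to port 3306 from any machine other than the web server should time out, which is the quickest way to confirm the scope is in effect.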