This repository has been archived by the owner on Apr 26, 2022. It is now read-only.
MW283 Enable (safe) remote access to MySQL #152
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
As a MWS Server Admin
I want to be able to access my MySQL database remotely
So that I can manage data in the database using local tools
This was prompted by a request from Jenny Barna ([email protected]) who wants to access her database from Access on a Windows box using ODBC.
I see three issues:
It exposes the MySQL daemon to the Internet. It would be a bad idea to do this for sites that don't want to access it remotely since it exposes them to any security vulnerabilities it may contain without any corresponding gain.
MySQL users can have associated passwords and can be restricted so that they can't be be used over a network connection (e.g. CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';). However the easy default is to create a user with no password that can be used from anywhere (e.g. CREATE USER 'jeffrey;'). Combined with a MySQL daemon listening for connections from the entire Internet this is obviously bad.
Default MySQL network connections provide no integrity or confidentially guarantees, so data in transit can be snooped and is subject to man-in-the-middle attacks. This data includes the username and password used to authenticate the connection. This is unlikely to be satisfactory for connections across the wider Internet, and is arguably unsatisfactory for cross-CUDN connections. MySQL does support connections over TLS, but that at least requires each MySQL daemon to be equiped with its own TLS certificate.
The text was updated successfully, but these errors were encountered: