MySQL Remote Access


fivefeet8
01-23-07, 02:41 PM
When you connect to a remote MySQL database using a PHP script located on another webserver, does the database receive information about the other webserver's IP, or does it receive the user's IP?

For example, a PHP script will be accessing 2 databases to retrieve data and display it to a logged-in (using sessions) user. 1 database will be local to the script, but the other will not.

Is it possible to permit access to a remote MySQL database only from where the script is running?

evilghost
01-23-07, 02:48 PM
PHP is server-side; as a result, the connection to the remote MySQL server will be made by the PHP webserver, not from the HTTP REMOTE_ADDR.

I'd just use an iptables script to block access.

Assuming your default INPUT policy is ACCEPT and mysql is listening on TCP 3306:

iptables -A INPUT -p tcp --dport 3306 ! -s PHP_webserver_ip -j DROP

Assuming your default INPUT policy is DROP and mysql is listening on TCP 3306:

iptables -A INPUT -p tcp --dport 3306 -s PHP_webserver_ip -j ACCEPT

fivefeet8
01-23-07, 02:58 PM
Thanks. That makes it a bit easier to secure the remote MySQL database. So does that mean that anyone logging in to the webhost running the PHP scripts will be able to access the remote MySQL database? From the sound of it, it should, right?

evilghost
01-23-07, 03:04 PM
They will have rights to connect to MySQL on the protocol/service level but will not have rights to the database unless they are authenticating with the same database username/password. Access to MySQL database objects (databases, tables, rights, etc.) is controlled by the MySQL GRANT statement.

Basically, it's two methods of security.

1) Port security, only permit the web host to connect to MySQL. This keeps the script kiddies at bay and is good security.

2) Actual MySQL authentication.

fivefeet8
01-23-07, 03:10 PM
Thanks again.

evilghost
01-23-07, 03:13 PM
Glad to help :)

sm0ke
03-09-07, 03:17 AM
Well, this is a bit beside the thread topic, but the default policy should always be DROP, followed by adding ACCEPT rules.
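
Added example, not part of the thread: a small first-match evaluator over `iptables -S INPUT` output that checks whether TCP 3306 is reachable only from the web server. It covers the ACCEPT-default and DROP-default rules posted above, plus the case where an earlier ACCEPT shadows an appended DROP. The rule listings and the addresses 192.0.2.10 (web server) and 203.0.113.5 (some other host) are constructed, and only the options used in this thread are modelled.

```python
import ipaddress
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule_matches(tokens, src_ip, dport):
    """True if every condition of one '-A INPUT' rule holds for the connection."""
    negate, i = False, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "!":                  # negation applies to the next option
            negate, i = True, i + 1
            continue
        arg = tokens[i + 1]
        if opt == "-s":
            hit = src_ip in ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            hit = arg == "tcp"
        elif opt == "--dport":
            hit = int(arg) == dport
        elif opt == "-m":
            hit = True                  # module load only, not a condition
        else:
            raise ValueError(f"option not modelled: {opt}")
        if hit == negate:               # condition fails, rule does not apply
            return False
        negate, i = False, i + 2
    return True

def verdict(ruleset, src, dport=3306):
    """First-match verdict for a new TCP connection from src to dport."""
    policy, src_ip = "ACCEPT", ipaddress.ip_address(src)
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"] and "-j" in tok:
            j = tok.index("-j")
            if tok[j + 1] in TERMINAL and rule_matches(tok[2:j], src_ip, dport):
                return tok[j + 1]
    return policy

# Constructed `iptables -S INPUT` listings; 192.0.2.10 stands in for the PHP web server.
SHADOWED = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j DROP"""
DEFAULT_DROP = """-P INPUT DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT"""
for rules in (SHADOWED, DEFAULT_DROP):
    print(verdict(rules, "192.0.2.10"), verdict(rules, "203.0.113.5"))
```

In the SHADOWED listing the appended DROP never fires, because the broader ACCEPT above it matches first; a rule added with `-A` only takes effect if no earlier rule already decides the packet.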