Re: [Shorewall-users] Security question around MySQL Replication
---Bill Shirley---
On 2017-09-11 19:01 Bill Shirley wrote:
> Both are good suggestions: block all IP addresses at the firewall except your slave, configure MySQL SSL. See:
> https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg20502.html
>
> Of course, you'll have to create the certificates and tweak the values in the CHANGE MASTER.
>
> Bill

[..]

---Phil Stracchino---
> If your replication traffic goes outside your firewall, consider requiring SSL on the replication connection. You will have to configure this on both the master and the slave.

Thanks Bill and Phil, you're perfectly right, in fact I have already configured (initially) both the SSL connection and the SSL user!

---Dominic Benson---
[..]
> If you haven't already (not sure from the wording of your original post) you should also restrict the rule to just the source IP of the replica, otherwise you're bound to get a lot of attempts to break in to the database.

I have not thought about this; would the following example (my servers are directly connected to the net) work?

    # http://www.shorewall.net/manpages/shorewall-rules.html
    #
    #ACTION  SOURCE       DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME
    #                                  PORT  PORT(S)  DEST      LIMIT  GROUP
    ACCEPT   net:1.2.3.4  fw    tcp    3306

Many, many thanks to all!

Davide

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
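An audit check for the point raised in this message and in Dominic's reply, as an added example that is not part of the thread: it scans a Shorewall rules file for plain ACCEPT rules that open 3306/tcp to a whole zone instead of a single source address. The sample rules are constructed (only the `net:1.2.3.4` rule comes from the thread), the function names are hypothetical, and the parser assumes the first five columns are ACTION, SOURCE, DEST, PROTO and destination port with explicit numeric ports; macros and service names are not examined.

```python
MYSQL_PORT = 3306

# Constructed sample rules file; 1.2.3.4 is the placeholder replica IP from the thread.
SAMPLE_RULES = """\
#ACTION   SOURCE        DEST   PROTO   DPORT
ACCEPT    net           fw     tcp     3306           # open to every host in net
ACCEPT    net:1.2.3.4   fw     tcp     3306           # rule proposed in the thread
ACCEPT    net           fw     tcp     22,3300:3310   # range silently covers 3306
ACCEPT    net:!1.2.3.4  fw     tcp     3306           # exclusion, still broad
ACCEPT    net           fw     tcp     80,443
DROP      net           fw     tcp     3306
"""


def covers_port(spec, port=MYSQL_PORT):
    """True if a port list such as '22,3300:3310' includes the given port."""
    for item in spec.split(","):
        low, sep, high = item.partition(":")
        if sep:
            low, high = low or "0", high or "65535"  # ':1023' and '1024:' forms
        else:
            high = low
        if low.isdigit() and high.isdigit() and int(low) <= port <= int(high):
            return True
    return False


def unrestricted_mysql_rules(text):
    """Return (line_no, rule) for ACCEPT rules exposing 3306/tcp to a whole zone."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 5:
            continue
        action, source, _dest, proto, dport = fields[:5]
        if action.split(":")[0].rstrip("+!") != "ACCEPT":
            continue
        if "tcp" not in proto.lower().split(",") or not covers_port(dport):
            continue
        _zone, _, hosts = source.partition(":")
        if not hosts or hosts.startswith("!"):  # bare zone, or "everyone except"
            findings.append((line_no, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for line_no, rule in unrestricted_mysql_rules(SAMPLE_RULES):
        print(f"line {line_no}: 3306/tcp open to a whole zone: {rule}")
```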
Re: [Shorewall-users] Security question around MySQL Replication
Both are good suggestions: block all IP addresses at the firewall except your slave, configure MySQL SSL. See:
https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg20502.html

Of course, you'll have to create the certificates and tweak the values in the CHANGE MASTER.

Bill

On 9/11/2017 8:59 AM, Dominic Benson wrote:
> On 11/09/17 13:49, Phil Stracchino wrote:
>> On 09/11/17 07:29, Davide Marchi wrote:
>>> Hi friends,
>>>
>>> I've enabled between two servers (VPS Debian Jessie), the MySQL
>>> Replication feature.
>>> For this I've opened the "3306" port.
>>>
>>> My question: is this a safe operation or should I also do something
>>> else to improve the firewall level, always without the risk of
>>> compromising communication between the two servers?
>> If your replication traffic goes outside your firewall, consider
>> requiring SSL on the replication connection. You will have to configure
>> this on both the master and the slave.
>
> If reconfiguring mysqld on the primary is too high-impact for you, you could use stunnel (or similar), which would be almost transparent [just a change master on the replica].
>
> If you haven't already (not sure from the wording of your original post) you should also restrict the rule to just the source IP of the replica, otherwise you're bound to get a lot of attempts to break in to the database.
Re: [Shorewall-users] Security question around MySQL Replication
On 11/09/17 13:49, Phil Stracchino wrote:
> On 09/11/17 07:29, Davide Marchi wrote:
>> Hi friends,
>>
>> I've enabled between two servers (VPS Debian Jessie), the MySQL
>> Replication feature.
>> For this I've opened the "3306" port.
>>
>> My question: is this a safe operation or should I also do something
>> else to improve the firewall level, always without the risk of
>> compromising communication between the two servers?
> If your replication traffic goes outside your firewall, consider
> requiring SSL on the replication connection. You will have to configure
> this on both the master and the slave.

If reconfiguring mysqld on the primary is too high-impact for you, you could use stunnel (or similar), which would be almost transparent [just a change master on the replica].

If you haven't already (not sure from the wording of your original post) you should also restrict the rule to just the source IP of the replica, otherwise you're bound to get a lot of attempts to break in to the database.
Re: [Shorewall-users] Security question around MySQL Replication
On 09/11/17 07:29, Davide Marchi wrote:
> Hi friends,
>
> I've enabled between two servers (VPS Debian Jessie), the MySQL
> Replication feature.
> For this I've opened the "3306" port.
>
> My question: is this a safe operation or should I also do something
> else to improve the firewall level, always without the risk of
> compromising communication between the two servers?

If your replication traffic goes outside your firewall, consider requiring SSL on the replication connection. You will have to configure this on both the master and the slave.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958