Both are good suggestions: block all IP addresses at the firewall except your slave, configure MySQL SSL.  See:
https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg20502.html

Of course, you'll have to create the certificates and tweak the values in the
CHANGE MASTER.

Bill

On 9/11/2017 8:59 AM, Dominic Benson wrote:
On 11/09/17 13:49, Phil Stracchino wrote:
On 09/11/17 07:29, Davide Marchi wrote:
Hi friends,

I've enabled the MySQL Replication feature between two servers (VPS Debian Jessie).
For this I've opened the "3306" port.


My question: is this a safe operation, or should I also do something
else to improve the firewall level, without the risk of
compromising communication between the two servers?
If your replication traffic goes outside your firewall, consider
requiring SSL on the replication connection.  You will have to configure
this on both the master and the slave.


If reconfiguring mysqld on the primary is too high-impact for you, you
could use stunnel (or similar), which would be almost transparent [just
a change master on the replica].

If you haven't already (not sure from the wording of your original post),
you should also restrict the rule to just the source IP of the replica;
otherwise you're bound to get a lot of attempts to break into the database.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
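As an added example (not from any poster in this thread), the following POSIX shell script audits a Shorewall rules file for ACCEPT rules that open tcp/3306 to a whole zone rather than to the replica's address, and prints the restricted rule the thread recommends. The replica address 203.0.113.10, the zone name net and the sample rules file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Shorewall 'rules' file for MySQL (tcp/3306)
# ACCEPT rules whose SOURCE is a bare zone (no host restriction).
# Assumes the standard column order ACTION SOURCE DEST PROTO DPORT.

REPLICA_IP="203.0.113.10"   # constructed; substitute the replica's real address

# Print every ACCEPT rule for tcp/3306 whose SOURCE has no ':' qualifier,
# i.e. every host in that zone may reach the database.
find_open_mysql_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        toupper($1) ~ /^ACCEPT/ && tolower($4) == "tcp" && $5 == "3306" {
            if ($2 !~ /:/) print $0                      # zone-wide exposure
        }' "$1"
}

# Number of over-broad tcp/3306 rules in the file (0 means restricted).
count_open_mysql_rules() {
    find_open_mysql_rules "$1" | wc -l | tr -d ' '
}

# The hardened rule: only the replica's address in the given zone may connect.
hardened_rule() {
    printf 'ACCEPT\t%s:%s\t$FW\ttcp\t3306\n' "$1" "$REPLICA_IP"
}

# Constructed sample rules file so the audit runs offline.
make_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION   SOURCE              DEST   PROTO  DPORT
ACCEPT    net                 $FW    tcp    22
ACCEPT    net                 $FW    tcp    3306
ACCEPT    net:203.0.113.10    $FW    tcp    3306
ACCEPT    loc                 $FW    tcp    3306
EOF
}

main() {
    tmp="$(mktemp)"
    make_sample_rules "$tmp"
    echo "Over-broad tcp/3306 rules ($(count_open_mysql_rules "$tmp")):"
    find_open_mysql_rules "$tmp"
    echo "Replace with:"
    hardened_rule net
    rm -f "$tmp"
}

main "$@"
```

Run it against /etc/shorewall/rules instead of the sample file to check a live configuration; the 'net:ADDRESS' form is what keeps the rest of the Internet from reaching the port.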