-----------Bill Shirley---------------------
On 2017-09-11 19:01 Bill Shirley wrote:
Both are good suggestions: block all IP addresses at the firewall except your slave,
configure MySQL SSL. See:
https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg20502.html
Of course, you'll have to create the certificates and tweak the values in the
CHANGE MASTER.
Bill
[..]
-----------Phil Stracchino-------------------
If your replication traffic goes outside your firewall, consider
requiring SSL on the replication connection. You will have to configure
this on both the master and the slave.
Thanks Bill and Phil, you're perfectly right; in fact I have already
configured (initially) both the SSL connection and the SSL user!
-----------Dominic Benson-------------------
[..]
If you haven't already (not sure from the wording of your original post)
you should also restrict the rule to just the source IP of the replica,
otherwise you're bound to get a lot of attempts to break in to the
database.
I have not thought about this. Could the following example (my servers are
directly connected to the net) work?
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION  SOURCE       DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME
#                                  PORT  PORT(S)  DEST      LIMIT  GROUP
ACCEPT   net:1.2.3.4  fw    tcp    3306
Many, many thanks to all!
Davide
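
Added example, not part of the original thread: a small Python check that scans a Shorewall rules file for ACCEPT rules reaching TCP port 3306 on the firewall without a source host restriction, which is the situation the advice to restrict the rule to the replica's IP addresses. The sample rules are constructed, and the firewall zone name "fw" (as in the rule above) and the helper names are assumptions.

```python
import re

# Constructed sample in /etc/shorewall/rules layout (not from the thread).
SAMPLE_RULES = """\
#ACTION      SOURCE        DEST  PROTO  DPORT
?SECTION NEW
ACCEPT       net           fw    tcp    22
ACCEPT       net           fw    tcp    3306
ACCEPT       net:1.2.3.4   fw    tcp    3306
ACCEPT:info  all           $FW   tcp    80,3306
ACCEPT       net:!1.2.3.4  fw    tcp    3000:4000
DROP         net           fw    tcp    3306
"""

FW_ZONES = {"fw", "$FW", "all"}  # assumption: the firewall zone is named "fw"

def port_matches(dport, port=3306, name="mysql"):
    """True if a DPORT column (list, lo:hi range or service name) covers port."""
    for item in dport.split(","):
        if item.lower() == name:
            return True
        bounds = re.split(r"[:-]", item)
        if all(b.isdigit() for b in bounds) and int(bounds[0]) <= port <= int(bounds[-1]):
            return True
    return False

def exposed_mysql_rules(text):
    """Return (line number, rule) for ACCEPT rules that open 3306 to a whole zone."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        cols = line.split()
        if len(cols) < 5 or line.startswith("?"):    # blank, short or ?SECTION lines
            continue
        action, source, dest, proto, dport = cols[:5]
        if action.split(":")[0].rstrip("+!") != "ACCEPT":  # ACCEPT:info -> ACCEPT
            continue
        if dest.split(":")[0] not in FW_ZONES:
            continue
        if not {"tcp", "6"} & set(proto.lower().split(",")):
            continue
        if not port_matches(dport):
            continue
        _zone, _, hosts = source.partition(":")
        # No host part, an exclusion (!addr) or 0.0.0.0/0 leaves the zone wide open.
        if not hosts or hosts.startswith("!") or hosts == "0.0.0.0/0":
            findings.append((lineno, " ".join(cols)))
    return findings

if __name__ == "__main__":
    for lineno, rule in exposed_mysql_rules(SAMPLE_RULES):
        print(f"line {lineno}: MySQL reachable without source restriction: {rule}")
```

Rules that use a Shorewall macro instead of an explicit protocol and port are not inspected by this check.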
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users