Page 1 of 1

remote database access and security issues

Posted: Fri Oct 08, 2004 8:11 am
by beserker
Hi

I'm thinking of using a database on a client's premesis (i.e. remotely) from my website code. I need to do this because the EPOS system needs to be on the same LAN as the database in order for it to send sales details to the database.

If anyone's done anything like this i'd like to hear about it - what are the security implications of having the MySql DB accessible from the Internet? is there some kind of secure protocol I could use?

Would it be feasible to run the web server on the office network (same machine as the MySql) and run the website over a 512KB ADSL connection? I've been told that opening port 80 to the internet invites a constant stream of hacking attempts, is this true?

can anyone suggest an alternative solution?

Thanks in advance

Posted: Fri Oct 08, 2004 9:30 am
by infolock
well, if it's the same EPOS that i wrote, I have a good idea of what you are asking. This was the same problem I had, but if you use precaution and proper security measures, you will be fine. you have to understand though. once you allow the lan to be accessable to the net, it's open for game by a lot of hackers IF they know it exists in the first place. but if you can make sure your client does not speak of it and you do not give someone an account/access to the box nor let anyone else know where/if it exists, that in itself is a nice precaution. otherwise, you may want to setup a router that will only forward data to that lan from a specific IP (ie your box, your client's box, or whatever box it is that will be preforming any actions). of course, if you dno't know how to configure a router, that may lead to a serious problem or at least some more time for researching..

all in all, the database connection you are speaking of is secure due to mysql's built-in security.. however, as with anything on the market, nothing is 100% secure, so you must take the appropriate steps to secure where the application fails, thus my recommendation for a router. a firewall and maybe more server-side security permission settings may be in effect for you.

use lower-level accounts to access the database and the server as well. you won't want to access the server with administrative rights of course as then you really are asking for trouble.

hope this helps.

Re: remote database access and security issues

Posted: Fri Oct 08, 2004 10:39 am
by Weirdan
beserker wrote: If anyone's done anything like this i'd like to hear about it - what are the security implications of having the MySql DB accessible from the Internet? is there some kind of secure protocol I could use?
As with any other service open to the net it introduces one more place to look over. Basically you need to make sure the following:
  • only selected hosts are allowed to access your db
  • host which access the db is indeed that host which allowed to do so
  • noone can tamper with the data flowing between db client and db server
  • noone can drop an eye on that dataflow
Although MySQL can be configured to use SSL certificates, last time I checked it uses it only for authentication and does not encrypt the channel.

I would recommend to setup ssh tunnel between your db client and db server, that would meet last three requirements mentioned above. Then set MySQL user accounts to only allow users from localhost and that would meet the first requirement (users coming through ssh tunnel would appear as users from localhost to MySQL). Additionally you may limit the list of hosts allowed to set the tunnel in via authorized_keys file.

This way your db is secure as long as private key for ssh tunnel is kept secure.