MySQL Port Security

Questions about MySQL, PostgreSQL, and most other databases, as well as using them with PHP, can be asked here.

Moderator: General Moderators

Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

MySQL Port Security

Post by Swede78 »

The small company I work for has a dedicated server. This server is an all-in-one unit for our business... websites, database, email, etc. A trusted company bought a division of our company and wants to know if we can open a port to the MySQL database. It has no open ports now, as we never needed it. All queries were done from the server itself via php. But, they want to be able to communicate with the MySQL database directly, and not through a webpage.

What is the security risk in this? All users and permissions are set up correctly. My only concern is that a port would have to be opened on our hardware firewall. There is sensitive data on our server, encrypted, but still sensitive.

My options are to open a port to MySQL and let them connect directly. Or I can tell them they'll have to get their own server if they want to do that. Or, they'll have to stick with using PHP to access the db.

Thank you, Swede
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd tell them "you are SOL on that."

Give them a copy of the data they purchased the rights to, and that's it. Cut all ownership of that data. Let them build their own server.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If they have the rights blah blah, you can always set up an SSL tunnel.. and let them talk into that...

http://dev.mysql.com/doc/mysql/en/secure-basics.html
Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

Post by Swede78 »

Thanks... I was kind of leaning towards telling them to move their site/database to another server if they want to do that. This is on a Windows machine, so SSL isn't set up by default. That is an option though. I'm not too familiar with SSL for Windows, so that may be more trouble than it's worth. But, I appreciate the suggestion.

With MySQL 4.0.23, I've read that opening a port to it is of minimal risk. I thought there was also a way to limit connections to only certain IPs.

It sounds like most people wouldn't take the risk... that is probably the best solution. Thanks.
Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

Post by Swede78 »

It just hit me... I was thinking of SSH, not SSL. I'll check that link out.
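
Added example, not posted by anyone in this thread: the per-address restriction Swede78 recalls and the SSL requirement timvw suggests can both be placed on the MySQL account itself. The account name, database name, address and password are placeholders, and the `GRANT` syntax is that of the MySQL 4.0/5.x series discussed here.

```sql
-- Added example. partner_ro, partner_db, 203.0.113.10 and the password
-- are placeholders (assumptions), not values from this thread.

-- 1. Check whether this server build has SSL support.
--    YES = usable, DISABLED = compiled in but not configured, NO = absent.
SHOW VARIABLES LIKE 'have_openssl';

-- 2. Create an account that can log in only from one partner address,
--    only over an encrypted connection, and only read one database.
--    The host part of the account name is what limits the source address.
GRANT SELECT ON partner_db.* TO 'partner_ro'@'203.0.113.10'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD'
    REQUIRE SSL;

-- 3. Confirm exactly what the account was given.
SHOW GRANTS FOR 'partner_ro'@'203.0.113.10';

-- 4. Audit the rest of the accounts before the port is opened:
--    list every account that accepts logins from a wildcard or empty host,
--    or that does not require SSL (ssl_type is '' when nothing is required).
SELECT User, Host, ssl_type
FROM mysql.user
WHERE INSTR(Host, '%') > 0
   OR Host = ''
   OR ssl_type = '';

-- 5. Run from the partner's own session after connecting:
--    a non-empty value means the connection is actually encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

MySQL checks the account's host only after the TCP connection is accepted, so the firewall rule for the port should also be limited to the same source address.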