Maybe I’m like an old replication server, lagging way behind, but a couple of weeks ago I found autossh, which is a wrapper around ssh, that keeps reconnecting the session if it breaks.
With public key encryption, I am now able to work out pretty reliable SSH tunneling among servers, which doesn’t break. It seems to be working well during these couple of weeks. And it’s in my favorite distro’s repository 🙂
I suppose use cases are as many as those for SSH or SSH tunneling, and I’m putting it to an interesting use. But I suppose the most obvious use in the MySQL world would be to encrypt client connections over unsafe network, or make the network more reliable, for that matter. Yes, there’s SSL connections, but opening your 3306 port on your firewall? Too risky for my taste.
Call me old-fashioned, but if you have a significant infrastructure, why not use a VPN? Then all your servers would be able to safely communicate and you can set up grants for private IP addresses that you know attackers can’t use and set up firewalls accordingly.
There is nothing wrong or risky with opening tcp/3306 on the firewall, as long as you limit the source IP address(es).
Also what Mark said.
Agree on VPN, whenever possible
I know a sys admin or two who would not open 3306 to anyone, if it cost them their job 🙂
I suppose the last paragraph makes for an entirely separate discussion, on how best to connect to mysql remotely.
If you are still using SSH tunnels in your $JOB then you are doing it wrong.
@Dave,
Care to explain why, or what you would do differently?
You might be interested in this post about using SSH to keep database replication up and running.
http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/
Be sure to read the comments as there are some improvements / modifications to the original script.
As for those dissing the use of SSH, sometimes there is no choice. Quite often, we don’t have the luxury of VPN connections because of internal restrictions.
In those cases, with prudent use of SSH and limiting source IP addresses, you can have a quite secure method of accessing databases from other servers.