Comments on: Tool of the day: autossh
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh
Blog by Shlomi Noach
Thu, 16 Sep 2010 16:52:40 +0000

By: Justin Noel
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17699
Thu, 16 Sep 2010 16:52:40 +0000

You might be interested in this post about using SSH to keep database replication up and running.

http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/

Be sure to read the comments as there are some improvements / modifications to the original script.

As for those dissing the use of SSH, sometimes there is no choice. Quite often, we don’t have the luxury of VPN connections because of internal restrictions.

In those cases, with prudent use of SSH and limiting source IP addresses, you can have a quite secure method of accessing databases from other servers.

By: shlomi
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17575
Mon, 13 Sep 2010 15:36:05 +0000

@Dave,
Care to explain why, or what you would do differently?

By: Dave
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17574
Mon, 13 Sep 2010 15:13:47 +0000

If you are still using SSH tunnels in your $JOB then you are doing it wrong.

By: shlomi
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17565
Mon, 13 Sep 2010 09:52:35 +0000

Agree on VPN, whenever possible.
I know a sys admin or two who would not open 3306 to anyone, if it cost them their job 🙂

I suppose the last paragraph makes for an entirely separate discussion, on how best to connect to mysql remotely.

By: Matic
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17563
Mon, 13 Sep 2010 09:17:26 +0000

There is nothing wrong or risky with opening tcp/3306 on the firewall, as long as you limit the source IP address(es).

Also what Mark said.

By: Mark R
https://shlomi-noach.github.io/blog/mysql/tool-of-the-day-autossh/comment-page-1#comment-17561
Mon, 13 Sep 2010 09:07:26 +0000

Call me old-fashioned, but if you have a significant infrastructure, why not use a VPN? Then all your servers would be able to safely communicate and you can set up grants for private IP addresses that you know attackers can’t use and set up firewalls accordingly.
