Mysql – Is using MySQL Workbench over the Internet safe

MySQL, remote-access, Security, sql

Let's say I have a server with an SQL Database somewhere on the other side of the planet. Is it safe to establish a connection over the Internet? e.g. with MySQL Workbench.

I'm asking because I heard that connections to servers, particularly using said software, are by default unencrypted. If I force SSL for every remote connection, what risks remain? Is an open MySQL port a security risk in itself?

Best Answer

The MySQL Reference Manual has a whole Chapter 6 for Security.

First, you shouldn't allow connections from anywhere over the internet, but only from known trusted hosts. While the user also has a list of allowed hosts, 6.1.1 Security Guidelines suggests doing this at the firewall level, before the host even gets connected to your MySQL Server (default port 3306). This increases security as it also prevents using any potential exploits.

If you really need to have a direct connection between your local Workbench and the remote MySQL Server, use Secure Connections. But there are other ways of securing the connection to your SQL server, too. Considering the effort needed for the access control and securing the SQL connection with OpenSSL, they are much more practical:

  1. Use an SSH tunnel and you can connect to your MySQL server just as if the Workbench was there. This example binds local port 13306 and tunnels connections to localhost:3306 on the remote side:

    ssh -L 13306:localhost:3306 user@sql.example.com
    
  2. Use VPN and allow connections from the internal VPN network only.

With both of these approaches you can bind MySQL to localhost only; it's the most secure option.
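
One way to verify the localhost-only binding recommended above, as an added example that is not part of the original answer: it classifies the listeners for a port from `ss -ltn` output. The function name `classify_mysql_listeners` and the sample data are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `ss -ltn` output whether a port is reachable
# only via loopback (as wanted behind an SSH tunnel or VPN) or more widely.

# classify_mysql_listeners [PORT]   (hypothetical helper, default port 3306)
# Reads `ss -ltn`-style lines on stdin and prints one of:
#   loopback-only  every listener on PORT is bound to 127.0.0.0/8 or ::1
#   exposed        some listener on PORT is on a wildcard or other address
#   not-listening  nothing listens on PORT
classify_mysql_listeners() {
    port="${1:-3306}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            n = match(addr, /:[0-9]+$/)        # port follows the last colon
            if (n == 0) next
            if (substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            gsub(/^\[|\]$/, "", host)          # strip IPv6 brackets
            sub(/%.*$/, "", host)              # strip scope, e.g. %lo
            seen = 1
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END {
            if (!seen) print "not-listening"
            else if (exposed) print "exposed"
            else print "loopback-only"
        }'
}

# Constructed sample output, not captured from a real host.
sample_bound_to_localhost() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' \
        'LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*'
}
sample_bound_to_all() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      151    *:3306             *:*'
}

echo "localhost bind: $(sample_bound_to_localhost | classify_mysql_listeners)"
echo "wildcard bind:  $(sample_bound_to_all | classify_mysql_listeners)"
# On a real server: ss -ltn | classify_mysql_listeners 3306
```

The same check can be run on the client with port 13306 while the tunnel is up, to confirm the forwarded port is itself bound to loopback only.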