Comments on: Secure mysql replication between colos over an ssh tunnel http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/ A blog about killer code Tue, 06 Jan 2009 04:46:26 +0000 http://wordpress.org/?v=2.6.3 By: PHP Programming India http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-243 PHP Programming India Wed, 15 Oct 2008 11:49:05 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-243 Very informative. Thanks for the information! Raj Malhotra PHP Programming India Very informative. Thanks for the information!

Raj Malhotra
PHP Programming India

]]> By: jaisen http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-242 jaisen Mon, 13 Oct 2008 20:53:35 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-242 @Tom, Thanks for pointing that out - I'll add that option to the post. While this addresses #1 and #3, there's still security to be gained by not having mysql listening publicly. I'm assuming that there's some ssh entry point to the machine (if not directly through a firewall). So having ssh open on some port is a given. The more applications you have listening publicly the more chances you have for being exploited. Note, I'm not saying Apache is (or isn't) more secure than MySql, but the more entry points the more likely something can happen. Personally, I prefer ports 80, 443 and a non standard port for ssh. @Tom, Thanks for pointing that out - I’ll add that option to the post. While this addresses #1 and #3, there’s still security to be gained by not having mysql listening publicly.

I’m assuming that there’s some ssh entry point to the machine (if not directly through a firewall). So having ssh open on some port is a given. The more applications you have listening publicly the more chances you have for being exploited. Note, I’m not saying Apache is (or isn’t) more secure than MySql, but the more entry points the more likely something can happen.

Personally, I prefer ports 80, 443 and a non standard port for ssh.

]]> By: Tom http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-241 Tom Mon, 13 Oct 2008 20:04:08 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-241 Built in MySQL encryption: http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html Having port 3306 open is probably just as secure or insecure as having a random ssh port open somewhere. Built in MySQL encryption: http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html

Having port 3306 open is probably just as secure or insecure as having a random ssh port open somewhere.

]]> By: jaisen http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-240 jaisen Sat, 11 Oct 2008 05:46:27 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-240 @Brandon, Thanks for the tips. I'll definitely check out the two posts you mentioned (and subscribe via RSS). @Brandon, Thanks for the tips. I’ll definitely check out the two posts you mentioned (and subscribe via RSS).

]]> By: jaisen http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-239 jaisen Sat, 11 Oct 2008 05:45:25 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-239 @Tom, not sure what built in encryption support you're referring to. Even if MySql did have some sort of encryption support this method still allows you to keep MySql from listening publicly on port 3306. @Tom, not sure what built in encryption support you’re referring to. Even if MySql did have some sort of encryption support this method still allows you to keep MySql from listening publicly on port 3306.

]]> By: Tom http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-238 Tom Sat, 11 Oct 2008 01:30:53 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-238 Or, you could just use MySQL's built in encryption support... What is the point of this? Or, you could just use MySQL’s built in encryption support…

What is the point of this?

]]> By: Brandon Checketts http://www.jaisenmathai.com/blog/2008/10/10/secure-mysql-replication-between-colos-over-an-ssh-tunnel/#comment-237 Brandon Checketts Sat, 11 Oct 2008 00:32:30 +0000 http://www.jaisenmathai.com/blog/?p=37#comment-237 Hi. Glad that you find my instructions helpful. I have been running a server like this with tunnels to 3 other servers for several months now and it works very well. The only thing I have noticed, is that if the connection between the server goes down for a while, then there can get to be multiple 'check_tunnel' scripts running that have to be killed manually. Other than that, I've had the connection between the servers die multiple times, and replication always starts right back up. You might also be interested in the script I created to <a href="http://www.brandonchecketts.com/archives/checking-mysql-replication" rel="nofollow">Monitor the replication</a> to ensure that it doesn't get behind. Also, you'll want to <a href="http://www.brandonchecketts.com/archives/compression-for-mysql-replication" rel="nofollow">Enable replication compression</a> between those servers to minimize the bandwidth used. Hi. Glad that you find my instructions helpful. I have been running a server like this with tunnels to 3 other servers for several months now and it works very well.

The only thing I have noticed, is that if the connection between the server goes down for a while, then there can get to be multiple ‘check_tunnel’ scripts running that have to be killed manually. Other than that, I’ve had the connection between the servers die multiple times, and replication always starts right back up.

You might also be interested in the script I created to Monitor the replication to ensure that it doesn’t get behind.

Also, you’ll want to Enable replication compression between those servers to minimize the bandwidth used.

]]>