[Maria-discuss] Parallel Databases and network security
Is there a way to hot copy a database from one machine to another and restrict network access to only between those two machines without using a firewall?

Ruben

-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
Hi, Ruben! On Jan 12, Ruben Safir wrote:
Is there a way to hot copy a database from one machine to another and restrict network access to only between those two machines without using a firewall?
Hot copy? mariabackup, for example.
Restrict network access? Specify the correct peer ip address or a host name when creating a user.
Regards, Sergei
Chief Architect MariaDB and security@mariadb.org
On Mon, Jan 15, 2018 at 08:55:44PM +0100, Sergei Golubchik wrote:
Hi, Ruben!
On Jan 12, Ruben Safir wrote:
Is there a way to hot copy a database from one machine to another and restrict network access to only between those two machines without using a firewall?
Hot copy? mariabackup, for example.
I think I want a hot copy. For years I've run my custom mailing list set up on mysql on the local box with apache. I migrated recently to a new box and new OS (artix with openrc). I wrote the new init scripts but I decided to separate the mailing list, and the database from the webserver. And I closed down IP connections, just because I got sick of the port being hammered. Now, I had two choices, to change the software to talk across the open local area network, and move the database to the webserver... or hot copy, which I know maria has been able to do for a while, but I never implemented it. But I want to do this and restrict connections to the internal network. It is easy enough to just block the external ports but I would rather do this through the database.
Restrict network access? Specify the correct peer ip address or a host name when creating a user.
Regards, Sergei Chief Architect MariaDB and security@mariadb.org
On 15.01.2018 at 23:31, Ruben Safir wrote:
Now, I had two choices, to change the software to talk across the open local area network, and move the database to the webserver... or hot copy, which I know maria has been able to do for a while, but I never implemented it. But I want to do this and restrict connections to the internal network. It is easy enough to just block the external ports but I would rather do this through the database.
but it is pretty dumb to have mysqld reachable on the WAN because you expose every future CVE for no good reason
Restrict network access? Specify the correct peer ip address or a host name when creating a user
the IP - security based on PTR records and relying on name resolution is a bad idea, anyways one still needs to tell me one sane reason why to do IP restrictions in the attacked application instead of the network layer in front of it
On Tue, Jan 16, 2018 at 01:14:00AM +0100, Reindl Harald wrote:
On 15.01.2018 at 23:31, Ruben Safir wrote:
Now, I had two choices, to change the software to talk across the open local area network, and move the database to the webserver... or hot copy, which I know maria has been able to do for a while, but I never implemented it. But I want to do this and restrict connections to the internal network. It is easy enough to just block the external ports but I would rather do this through the database.
but it is pretty dumb to have mysqld reachable on the WAN because you expose every future CVE for no good reason
Restrict network access? Specify the correct peer ip address or a host name when creating a user
the IP - security based on PTR records and relying on name resolution is a bad idea, anyways one still needs to tell me one sane reason why to do IP restrictions in the attacked application instead of the network layer in front of it
Because that is how I want it. The longer explanation is, because that is how I want to do it, period. I really didn't ask for a debate on the pros and cons of firewalls
On 16.01.2018 at 01:37, Ruben Safir wrote:
On Tue, Jan 16, 2018 at 01:14:00AM +0100, Reindl Harald wrote:
On 15.01.2018 at 23:31, Ruben Safir wrote:
Now, I had two choices, to change the software to talk across the open local area network, and move the database to the webserver... or hot copy, which I know maria has been able to do for a while, but I never implemented it. But I want to do this and restrict connections to the internal network. It is easy enough to just block the external ports but I would rather do this through the database.
but it is pretty dumb to have mysqld reachable on the WAN because you expose every future CVE for no good reason
Restrict network access? Specify the correct peer ip address or a host name when creating a user
the IP - security based on PTR records and relying on name resolution is a bad idea, anyways one still needs to tell me one sane reason why to do IP restrictions in the attacked application instead of the network layer in front of it
Because that is how I want it. The longer explanation is, because that is how I want to do it, period.
I really didn't ask for a debate on the pros and cons of firewalls
"i want it" is no valid reason when it comes to security but if you want to learn it the hard way just go ahead...
sorry for giving recommendations from a world where security is taken seriously - go and f.. yourself with that attitude and don't come back here whining when some CVE or config mistake hit you straight in the face
I'd like it to only listen on a specific interface altogether.
Restrict network access? Specify the correct peer ip address or a host name when creating a user.
Regards, Sergei Chief Architect MariaDB and security@mariadb.org
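The two restrictions discussed in this thread, pinning an account to the peer's IP address and not relying on host names that need name resolution, written out as MariaDB SQL. This is an added example, not part of any message above; the addresses (documentation range 192.0.2.0/24), the `listapp` account and the `maillist` schema are constructed placeholders.

```sql
-- Added example. Constructed values: 192.0.2.10 is the database host's
-- internal interface, 192.0.2.20 is the web/mail host; 'listapp' and
-- 'maillist' are hypothetical names.

-- Server side (my.cnf, [mysqld] section), shown here as a comment:
--   bind-address      = 192.0.2.10   # listen on the internal interface only
--   skip-name-resolve                # match accounts by IP, never by PTR lookup

-- Account usable only from the peer's literal IP address.
CREATE USER 'listapp'@'192.0.2.20' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON maillist.* TO 'listapp'@'192.0.2.20';

-- Audit: list accounts whose Host is a wildcard or a host name rather
-- than a literal IPv4 address or a loopback entry.
SELECT User, Host
FROM mysql.user
WHERE Host NOT REGEXP '^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY Host, User;

-- Confirm the server is not resolving client names.
SHOW GLOBAL VARIABLES LIKE 'skip_name_resolve';

-- Confirm what the new account is allowed to do.
SHOW GRANTS FOR 'listapp'@'192.0.2.20';
```

Any row returned by the audit query is an account that accepts connections from more than one fixed address, or whose match depends on name resolution.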
participants (3)
- Reindl Harald
- Ruben Safir
- Sergei Golubchik