Secure Remote MySQL Server Against Hackers and Intrusion.
Now we have set up our Remote MySQL Server we are going to want to secure it. By their very nature, MySQL servers tend to store highly confidential information. Information like passwords, customers personal details or banking information. If you leak data in this age, you are basically done so this really is important. There are many ways to secure a Remote MySQL server and as far we’re concerned you can never do enough.
We’re going to be using a range of techniques to ensure our MySQL server is not accessible to anyone else. Your server should already have a firewall installed but this alone is not enough. If you are serious about security, simply Installing CSF is not enough. Your MySQL server should already be configured to only accept connections from whitelisted IPs. This is done as standard.
Use An Enterprise Grade Firewall
CSF or other software firewalls are great programs. They are easy to use and most of all free. Unfortunately, software firewalls have limitations in terms of the volume of traffic they can handle. All F2H NVMe Servers come with a network firewall. Network firewalls are enterprise bits of kit that filter traffic as it enters the network. This is great because you can catch and route traffic before it even reaches your server. Much more secure than a software solution.
A decent firewall is essential. To prove this we set our network firewall policy to reject. In a few seconds, we caught multiple IPs trying to gain access to our server.
817 6 tap817i0-IN 20/Oct/2021:11:26:25 +0000 policy REJECT: IN=fwbr817i0 OUT=fwbr817i0 PHYSIN=fwln817i0 PHYSOUT=tap817i0 MAC=02:00:00:c3:98:29:bc:5a:56:87:fc:e7:08:00 SRC=126.96.36.199 DST=188.8.131.52 LEN=68 TOS=0x00 PREC=0x00 TTL=56 ID=17283 PROTO=UDP SPT=27007 DPT=53 LEN=48 817 6 tap817i0-IN 20/Oct/2021:11:26:26 +0000 policy REJECT: IN=fwbr817i0 OUT=fwbr817i0 PHYSIN=fwln817i0 PHYSOUT=tap817i0 MAC=02:00:00:c3:98:29:5c:a6:2d:82:e2:17:08:00 SRC=184.108.40.206 DST=220.127.116.11 LEN=68 TOS=0x00 PREC=0x00 TTL=50 ID=9984 PROTO=UDP SPT=54869 DPT=53 LEN=48 817 6 tap817i0-IN 20/Oct/2021:11:26:28 +0000 policy REJECT: IN=fwbr817i0 OUT=fwbr817i0 PHYSIN=fwln817i0 PHYSOUT=tap817i0 MAC=02:00:00:c3:98:29:bc:5a:56:87:fc:e7:08:00 SRC=18.104.22.168 DST=22.214.171.124 LEN=68 TOS=0x00 PREC=0x00 TTL=53 ID=41343 PROTO=UDP SPT=27201 DPT=53 LEN=48 817 6 tap817i0-IN
So, we combat this by blocking all traffic at the point of it entering the network. Let’s secure our Remote MySQL Server, In your Discovery control panel click the “Firewall Options” icon
Then, click the pencil icon to update the firewall policy to REJECT or DROP all incoming traffic. We will open up the required ports in the network firewall next.
So now, any connection trying to reach your server is currently being dropped by the network firewall policy. We need to open the required ports to allow connections to the MySQL server. Back in your Discovery control panel click the Firewall icon.
Open Port In Network Firewall
In the firewall section, we now want to open up the port MySQL is using. This will allow connections to your Remote MySQL server again. Click the ADD + button on the top right.
Further, a popup window opens up and here we specify the details of the port we want to open. So, copy the settings below switching the port if you have changed it.
So, now your site can connect to your database server again. But all other connections to all other ports are being rejected as they enter the network before they reach your instance.
You can repeat the process to open other ports like the SSH port but don’t enable the root account. You can use the NoVNC or Xterm console to access your NVMe Instance at any time so SSH access is not really needed. If you don’t need it, don’t able it. With the network firewall rejecting all traffic your MySQL server is now totally secure. It’s impossible for someone to access your instance. If you wanted to allow access you could create a firewall rule that only allows connections from a specific IP.
You might also like
More from MySQL/MariaDB
Recently, we went through the process of load balancing HTTPS connections with HAProxy. In this article, we are going to …