Which IPs should I whitelist for a MySQL remote connection?

StackOverflow https://stackoverflow.com/questions/22721061

Pergunta

I am trying to remotely connect to SQL from another website. I did a whois lookup to get the IP address of the domain that's trying to connect and whitelisted it in cPanel. I also did a echo $_SERVER['SERVER_ADDR']; and got a different IP address for some reason, so I whitelisted that as well. I also tried whitelisting by the domain name but MySQL is still refusing the connection.

If I allow access from all (%) it will work, but obviously I'm not gonna do that.. How can I find out for sure, which IP address needs to be whitelisted in order for SQL to allow the connection?

Foi útil?

Solução 2

You need to white-list the main IP of the server (on where the domain is hosted). The outgoing connection from the server goes via primary IP address of the server. If it's a Linux machine you can use the command hostname -i to find out the primary IP address. Also you can check which IP is establishing connection to the MySQL using the command tcpdump -n dst 1.1.1.1 and port 3306 Change the port number & IP address according to the MySQL server.

Outras dicas

Analysis for problem it more easy but it needs some work.

Access to console mysql for verify if Cpanel interface put correct credentials on mysql. After all WHM / Cpanel is simply a control panel that makes administration work for us, and therefore is susceptible to bugs

mysql > SELECT user, host FROM mysql.user WHERE user LIKE %user%;
+--------------------+----------------+
| user               | host           |
+--------------------+----------------+
| special_user       | %              |
| horde              | 127.0.0.1      |
| zabbix             | 127.0.0.1      |
| mysqlbackup        | 163.XXX.XXX.31 |
| root               | 176.XX.XXX.39  |
...

If user it's on mysql privilege tables, verify if my.cnf it's configured for access remotly

if exists must be 0.0.0.0

cat /etc/my.cnf |grep bind-address
bind-address=0.0.0.0

Also skip-networking can't be on /etc/my.cnf

Check firewall for accesss to 3306 port

iptables -L -n |grep 3306
...
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306

It is also good to help, to indicate the error that showed the application as this determines the layer where the fault occurred.

Example

ERROR 1130 (HY000): Host ‘1.2.3.4’ is not allowed to connect to this MySQL server

And logs of mysql

cat /var/lib/mysql/[hostname].err 2016-04-06 0:26:19 140080907868928 [Warning] IP address '23.251.55.75' could not be resolved: Name or service not known

All paths examples are for WHM/Cpanel server.

[text] substitution for real name

In my case, I figured out that there was an incorrect password entry in the mysql.user table.

What I had done was added an incorrect password for a correct host. I was able to identify the incorrect password by looking at the password field - the only password that was different belonged to this host I wanted to connect from.

SELECT * FROM mysql.user WHERE user LIKE '%username%' \G;

I deleted the entry and assigned the privileges again and the issue was fixed.

It was dev environment where I did the changes at MySQL level.

Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
scroll top