I have created a home Apache server with MySQL and PHP. I have just created a website that I want to be publicly accessible, majorly for my experimenting. However I just realized that my MySQL server that is running on port 3306, usually my PHP connects to the database on localhost with a username and no password. Can't any other remote PHP script connect to my database and siphon off all the stored data? Does it not put my website in jeopardy? How do I stop remote connections to my database server? I only want the applications on my server(or those that I approve of), to access my database. Forgive me if the wording is bad, I couldn't find any helpful articles on Google.
You can restrict your MySQL server to listen only for localhost connections with bind-address = 127.0.0.1 configuration option as it was suggested in the comments.
If you want to make changes only for this particular user you can check the grants with the following query:
SHOW GRANTS FOR CURRENT_USER;
If it is not restricted only to localhost you can restrict it:
GRANT ALL PRIVILEGES ON *.* TO <username> #'localhost' IDENTIFIED BY '<password>';
GRANT ALL PRIVILEGES ON *.* TO <username> #'127.0.0.1' IDENTIFIED BY '<password>';
In general, I would recommend adding a password because you can make some other configuration changes in future or run other apps using the same MySQL server. It is better to be safe than sorry.
Related
I've stored a web project (PHP, HTML and CSS). I'm working inside opt/lampp/htdocs XAMPP directory, so I can run the .php files using the web browser. One of those .php files tries to connect to an external server MySQL database, but, when run:
mysqli_connect($servername, $username, $userpassword);
it displays the following warning.
*mysqli_connect(): (HY000/2002): Connection refused*
I've tried to access the database with phpmyadmin and the corresponding credentials and it works fine.
So the question is: can I perform a msqli_connect to that external database using XAMPP or I should give up?
Thanks in advance!
Since I cannot comment because of my low points, I am answering here.
I had faced similar issues before, so sharing my experience. All of the comments have suggested valuable points. These are as follows:
Use IP address instead of server name (There may be some DNS cache issue, so it is safe to use IP address).
Make sure the IP address you are using is not being blocked by the server's firewall. If possible configure server's firewall to white-list your IP Address.
The default MySQL port is 3306. Make sure the firewall is configured for allowing outside connection to the port 3306.
Most importantly, make sure the MySQL server must be configured to accept connections externally. If all of the above settings are configured properly then you should grant external access and all privilege to your MySQL User.
GRANT ALL PRIVILEGES ON 'yourDatabase'.* TO 'yourUserName'#'%';
FLUSH PRIVILEGES;
Reference - Another SO Question.
I have installed lamp on linux server 14.0.4, I did not have phpmyadmin there, then I installed phpmyadmin on that server and when I ping on browser like 192.xxx.xx.200/phpmyadmin it opens and brings me the databases.
But when I tried to connect from another system like
mysqli_connect('192.xxx.xx.xx','root','xxxx','xxxx')
It gives me the error
mysqli_connect() [function.mysqli-connect]: [2002] No connection could be made because the target machine actively (trying to connect via tcp://192.xxx.xx.200:3306)
I have searched with Google, but i could not find the solution, but when i tried with the same system like localhost or ip/phpmyadmin it works fine.
MySQL maintains access credentials (usernames / passwords) by machine address as well as username. A new LAMP installation typically doesn't allow anything except local access.
If you issue a command series like this from your local machine you'll get remote access for username from all machines with addresses 192.168.*.*.
CREATE USER 'username'#'192.168.%' IDENTIFIED BY 'password';
GRANT ALL ON * TO 'username'#'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
PhpMyAdmin has a UI for this.
You can also CREATE USER 'username'#'%' to allow anyone from any machine anywhere to access your server. If you think that's a good idea, go for it. But be careful.
I am creating a remote connection using this PHP script from my website to another website of mine. But it is showing errors which says hostname is not allowed to connect to this MySQL serve
Please let me know what I am missing and also tell me if there any other way to access remote MySQL data using a PHP script.
$connect=mysql_connect("hostname","user","password")or die(mysql_error().'Our database is currently down for updates, please check back later.');
You need to explicitly allow the mysql user to connect from the host. For example CREATE USER 'jeffrey'#'localhost' IDENTIFIED BY 'mypass'; will allow the user jeffrey to connect only from localhost.
You can do that via sql commands or phpmyadmin, check the users tab.
You need to grant the mysql user access to your database from the host where the script is running. So if your mysql server is on host server, and the script runs on machine dev, your grant statement would look something like this:
GRANT ALL PRIVILEGES ON database.* TO 'user'#'dev' IDENTIFIED BY 'password';
Does your MySQL database allow remote access to connect? If not, change the configs.
UPD
Tutorial for changing mysql remote access configs
I have a website and a database on a host. But I want the administrator panel on my laptop? Is it possible connect remotely? How can I do this? Thank you very much!
If I've understood correctly your question, you're looking for a GUI front-end for a remote MySQL database. There's many MySQL front-ends out there, but two I would recommend are the official MySQL Workbench if you're running Windows or Linux, and Sequel Pro if you're running Mac (MySQL Workbench can also run on Mac, but I personally prefer Sequel Pro). Both are free.
The first thing you should try is simply connecting to the remote MySQL server by the command line.
$ mysql -u your_user -h remote.host.name -p
Depending on the output will determine what you need to do next.
Error 1
ERROR 2003 (HY000): Can't connect to MySQL server on 'remote.host.name' (113)
This means that the port is not even open for an external machine to connect to it, so you will need to add whatever port MySQL is running on to your firewall to accept incoming connections.
Error 2
ERROR 1045 (28000): Access denied for user 'your_user'#'your.host.name' (using password: YES)
Assuming that your login credentials are correct, this means that you need to grant permissions from within MySQL. Connecting locally from the remote server, grant permissions like this:
GRANT ALL ON your_database.* TO your_user#'your.host.name' IDENTIFIED BY 'your_password';
Obviously substitute all of the relevant things to what they should be.
When you can connect by command line, connecting by PHP is as simple as using the hostname, username and password information that you used in the mysql command above.
You can use a piece of software called Chive to do this, however it's possible that your server doesn't accept connections remotely.
You can either install Chive locally on your machine and connect to the remote computer, or install Chive remotely and connect to it via HTTP (though I strongly recommend HTTPS).
http://www.chive-project.com/
Wow, just like you connect to the site, you should only change the authentication data if necessary, and external IP mysql.
I have this setup in Phpmyadmin:
USER HOST PASSW PRIVILEGES GRANT
debian-sys-maint localhost Yes ALL PRIVILEGES YES
phpmyadmin localhost Yes USAGE NO
root 127.0.0.1 Yes ALL PRIVILEGES YES
root localhost Yes ALL PRIVILEGES YES
root my_hostname Yes ALL PRIVILEGES YES
username localhost Yes ALL PRIVILEGES YES
Where "username" is my username and "my_hostname" is my hostname.
I am currently only logging in as the last one (username, localhost).
Also, I have php which also uses the last ones login details.
Should I disable the other ones?
And, what other security measures should I take?
BTW: My server is Linux and I have root access.
Thanks
Short answer: yes
This goes for SQL, but also for SSH and any other service attacked regularly from port scanning bots.
You should create your own user with sufficient rights (and users for other sysadmins) with strong password and disable root from logging to phpmyadmin and remotely to SQL.
You do not have to delete the root account. That is not preferable. This does not apply to a server where SSH access to shell (or port forwarding) is given to unsecure users. in such case it is better to increase the strength of the password to a point in which such attacks are useless even from localhost.
If you're not using one, delete it (Don't delete the three root logins, they will allow you to get super user access to fix something if something goes wrong)...
However, I'd suggest "limited permission" users. Grant each user access only to the data it needs to modify. That way you limit the damage an attacker can do. Using one login for everything is just as bad as using root in production...
As a general rule it is always advisable to use accounts with as little privileges as possible. There are two mainreasons:
You prevent mistakes from making too bad mistakes. All mistakes can't be prevented, though
Attackers can't cause as much trouble. Assume some attacker hijacks your account.