Is a VPN not an option? Assuming this is on a budget and no additional hardware can be used, you could use OpenVPN or even good ol' IPsec from box to box.

What about SSH + keys + tunneling?

It might also help to know a bit more about the use case. Are we talking about you interacting with the database via a GUI client or a shell client? Or are we talking about an application on some other server that needs to connect to the database over the Internet? Maybe both?

It might be wise, if you can, to use additional hardware, or at least not just rely on the SSL/TLS libs tied to your database. Even if someone couldn't get authenticated because they have a bad certificate, they could DDoS your DB server pretty easily by throwing lots of SSL/TLS negotiation attempts at it. Or, depending on how the SSL/TLS connection handler on your database works, it might be that you are using up a database connection with every connection attempt even if it fails. Of course some iptables rate rules would help with this.

-Alan

On Sun, Apr 7, 2013 at 10:38 PM, S. Dale Morrey <[email protected]> wrote:

> I have a server that will be on the public internet.
> I'm afraid there is the possibility of it being compromised so I have
> locked it down the best I can. However it must also connect to a DB. The
> DB is behind a firewall and only accepts connections from the IP of the
> small handful of servers that need to connect to it.
>
> I'm still feeling a little paranoid and I'm wondering if there is any way
> to do a certificate based login (MySQL or Postgres are options here).
> Similar to how I use private certs instead of username password combos.
> This way if my public box is compromised I can just revoke the cert.
>
> Any experiences with this sort of thing?
>
> Thanks in advance!
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
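The certificate login with revocation that the original question asks about, as an added example that is not from either poster: it builds a tiny CA, issues a client cert whose CN matches the database role, revokes it and publishes a CRL, and checks the cert the way the server would. Assumed names (CA "db-ca", role "appserver", the example IP and file paths) are made up; it needs the openssl CLI and shows the Postgres settings only as comments.

```shell
#!/bin/sh
# Added example (not from the thread): client-cert login for Postgres with
# revocation through a CRL. Requires openssl on PATH; all names are assumed.
set -u

setup_ca() {  # $1 = working dir; builds a minimal CA plus an empty CRL
  d=$1
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = dbca
[ dbca ]
database = $d/index.txt
new_certs_dir = $d
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  : > "$d/index.txt"; echo 1000 > "$d/serial"; echo 1000 > "$d/crlnumber"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=db-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" 2>/dev/null
}

issue_client_cert() {  # $1 = dir, $2 = CN; Postgres 'cert' auth maps CN to the DB role
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/client.crt" 2>/dev/null
}

revoke_client_cert() {  # what you do once the public box is suspected compromised
  openssl ca -config "$1/ca.cnf" -revoke "$1/client.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

cert_accepted() {  # the server's check: chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
    "$1/client.crt" >/dev/null 2>&1
}
# Server side (assumed names). postgresql.conf: ssl = on, ssl_ca_file = 'ca.crt',
# ssl_crl_file = 'ca.crl'. pg_hba.conf, one line per allowed app server, where
# the 'cert' method uses the cert CN as the login: hostssl appdb appserver 203.0.113.10/32 cert
```

To try it: `D=$(mktemp -d); setup_ca "$D"; issue_client_cert "$D" appserver; cert_accepted "$D" && echo accepted; revoke_client_cert "$D"; cert_accepted "$D" || echo revoked`. The CRL must be reloaded by the server (Postgres re-reads it on restart or reload) before the revocation takes effect there.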
