Sorry, I guess I should have been clearer. Typical Apache & PHP setup with the DB server sitting on a separate box. I'm more concerned with authentication than encryption. MySQL has a ridiculously low max password length. I would like to maybe tunnel it and use a certificate exchange mechanism similar to how I use certs for SSH. Just wondering what I need to look at. You've given me some ideas though.
On Mon, Apr 8, 2013 at 12:34 AM, Alan Evans <[email protected]> wrote:
> Is a VPN not an option? Assuming this is on a budget and no additional
> hardware can be used you could use OpenVPN or even good ol' IPSEC from box
> to box.
>
> What about SSH + keys + tunneling?
>
> It might also help to know a bit more about the use case.
>
> Are we talking about you interacting with the database via a GUI client,
> shell client? Or are we talking about an application on some other server
> that needs to connect to the database over the Internet? Maybe both?
>
> It might be wise, if you can, to use additional hardware or at least not just
> rely on SSL/TLS libs tied to your database. Even if someone couldn't get
> authenticated because they have a bad certificate they could DDOS your DB
> server pretty easily by throwing lots of SSL/TLS negotiation attempts at
> it. Or depending on how the SSL/TLS connection handler on your database
> works it might be that you are using up a database connection with every
> connection attempt even if it fails. Of course some iptables rate rules
> would help this.
>
> -Alan
>
>
> On Sun, Apr 7, 2013 at 10:38 PM, S. Dale Morrey <[email protected]> wrote:
>
> > I have a server that will be on the public internet.
> > I'm afraid there is the possibility of it being compromised so I have
> > locked it down the best I can. However it must also connect to a DB. The
> > DB is behind a firewall and only accepts connections from the IP of the
> > small handful of servers that need to connect to it.
> >
> > I'm still feeling a little paranoid and I'm wondering if there is any way
> > to do a certificate-based login (MySQL or Postgres are options here).
> > Similar to how I use private certs instead of username/password combos.
> > This way if my public box is compromised I can just revoke the cert.
> >
> > Any experiences with this sort of thing?
> >
> > Thanks in advance!
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
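The "certificate-based login plus revoke it if the box is owned" setup the thread is circling can be put together with nothing but the openssl CLI. The script below is an added example, not code from the thread or from Alan or Dale: it builds a throwaway private CA, issues a client certificate whose CN is the database account name, verifies it, revokes it through a CRL, and then prints the MySQL, PostgreSQL and OpenSSH settings that would consume such a cert (the MySQL REQUIRE SUBJECT/ISSUER clause, the pg_hba.conf `cert` line, and a forwarding-only authorized_keys entry for the SSH-tunnel variant). The account name `webapp`, database `appdb`, issuer name `Demo DB CA` and client address 203.0.113.10 are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread: a throwaway private CA that
# issues a client cert whose CN is the DB account name, checks it, revokes it
# through a CRL, and prints the server-side settings that would consume it.
# Hypothetical values: account "webapp", DB "appdb", client IP 203.0.113.10.
set -eu

# make_ca DIR : self-signed CA plus the files "openssl ca" needs for revocation
make_ca() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/index.txt"            # certificate database (empty to start)
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo DB CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_client DIR USER : key + CSR signed by the CA; the CN carries the account name
issue_client() {
    dir=$1; user=$2
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$dir/$user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$user.crt" 2>/dev/null
}

# cert_cn CERT : the CN that MySQL (REQUIRE SUBJECT) or pg_hba (cert) maps to an account
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# cert_ok DIR CERT : succeeds only if CERT chains to the CA and is not on the CRL
cert_ok() {
    dir=$1; cert=$2
    if [ -f "$dir/crl.pem" ]; then
        openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1
    fi
}

# revoke_client DIR CERT : the step taken when the public box is compromised;
# the DB host must then pick up the new CRL (PostgreSQL ssl_crl_file, MySQL ssl-crl)
revoke_client() {
    dir=$1; cert=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$cert" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
}

# db_settings USER : consumer-side config, printed for the operator (placeholder values)
db_settings() {
    user=$1
    cat <<EOF
-- MySQL: tie the account to this exact subject and issuer, not just "any cert"
GRANT USAGE ON *.* TO '$user'@'203.0.113.10' REQUIRE SUBJECT '/CN=$user' AND ISSUER '/CN=Demo DB CA';
# PostgreSQL pg_hba.conf (role must equal the cert CN; set ssl_ca_file and ssl_crl_file)
hostssl appdb $user 203.0.113.10/32 cert
# OpenSSH authorized_keys on the DB host: key usable only to forward the DB port
restrict,port-forwarding,permitopen="127.0.0.1:5432" ssh-ed25519 AAAA... $user-tunnel
EOF
}

# Walk-through on a temporary directory
demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_client "$dir" webapp
    echo "issued cert for account: $(cert_cn "$dir/webapp.crt")"
    cert_ok "$dir" "$dir/webapp.crt" && echo "before revocation: accepted"
    revoke_client "$dir" "$dir/webapp.crt"
    cert_ok "$dir" "$dir/webapp.crt" || echo "after revocation: rejected"
    db_settings webapp
    rm -rf "$dir"
}
demo
```

Two points worth keeping in mind when applying this for real. Binding the account to the subject and issuer (MySQL's REQUIRE SUBJECT ... AND ISSUER, or Postgres's CN-equals-role rule for the `cert` method) is what stops one compromised client cert from being used as a different account; "any cert our CA signed" is much weaker. And revocation only bites if the database actually loads the fresh CRL, so the CRL file has to reach the DB host and the server has to be told to reread it; until then, the firewall rule on the public box's IP is the only thing standing in the way.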
