Small Security Suggestion Regarding MySQL

noner

New Member
We are living with dynamically assigned IPs (until IPv6 is fully out). While setting up my account, I noticed a few interesting things regarding the cPanel settings, mostly about MySQL "Remote Database Access Hosts". It is a great feature, but it could be even better with one small thing I find very useful for adding additional security to database management.

Most of us have some sort of Dynamic DNS service available (my router, for example, supports it), and there is a variety of free Dynamic DNS service hosts.
Sorry if I was too technical in the description, but English is not my native language and I wanted to provide an exact example of how things should work.
Admins, feel free to contact me and I'll give you exact details for this.
 

Slothie

New Member
This would also require automated firewall modifications, probably more trouble than it's worth.

If you really really required a portable database, you may want to consider freesql.org.
 

noner

New Member
That is why this is only a suggestion. I have no problems with X10; I just stated something I've found, nothing more. Still learning how things work here.

There is always a workaround:
1. Add the IP-to-hostname result to the CP Allowed Access Hosts
2. Do the needed job
3. Clear the hostname from the CP

Q: I do not see a need for firewall changes, only in the CP, as this is just a temporal query and no exclusions are needed for the firewall; actually it is just the reverse of the current one. But what do I know from only two days of existence here.

Re portable: no need for a portable database, but more concern about the privacy of table contents even if someone gets hold of the database username and password. For now I like it here.
 

Livewire

Abuse Compliance Officer
Staff member
The reason for the firewall changes is actually very simple:

With how X10 is designed, simply adding yourself to the remote database thing in the CP will NOT clear you on the firewall - you WILL still be blocked, whether the CP says you can do it or not.

That's why you'd need automated firewall changes for this - those are currently implemented by mods/admins.

The firewall doesn't even check the CP to see if it's allowed; the CP would never get the request to try and access the database because it'd have already been blocked by the firewall.

Long story short, the firewall blocks it before it ever gets to the CP, and the only way to get through the firewall is by Corey doing an exception in it. Hence why you'd need an automated firewall, which is more of a hassle than it's worth.
 

noner

New Member
@Livewire
This is exactly how I find X10 works, and it should be that way.
The firewall is the first line of defense, and once you are cleared by the firewall, which gives you access to the CP, the CP as the second line determines access rights by comparing User IP -> HostName and HostNames -> User IP, like I described.

The behavior I describe could be classified as a bug/limitation of the Control Panel only, not of the firewall or any other aspect of X10.
Facts (example, not actual, but you can easily test on your own):
1. myx10test.gotdns.org -> 213.194.75.12 http://whatismyipaddress.com/staticpages/index.php/tools-hostname-to-ip-address-lookup
2. 213.194.75.12 -> dsl-dp-81-140-124-0.in-addr.broadbandscope.com http://whatismyipaddress.com/staticpages/index.php/tools-ip-address-to-hostname-lookup
If 1 and 2 are true, then Fact 3 is true by absolute acceptance:
3. myx10test.gotdns.org = dsl-dp-81-140-124-0.in-addr.broadbandscope.com

CP settings of Remote MySQL for use with Navicat to manage databases:
Access Hosts:
myx10test.gotdns.org

OK, now I try to access the database with Navicat. Here is what happened:
Q: 213.194.75.12 -> X10Hosting Firewall (Allowed) -> CP Need Access to DB -> Failed Access denied ???
A: 213.194.75.12 resolves to dsl-dp-81-140-124-0.in-addr.broadbandscope.com, which is not in the Access Host list
Result: No access to MySQL even though Fact 1 is TRUE and myx10test.gotdns.org is in the allowed Access Host list.

The workaround solution is adding %.in-addr.broadbandscope.com to the Access Hosts list, which makes a possible access leak due to the wildcard. This can also be solved by entering the IP -> Hostname result in the Access Host list each time I want to access the MySQL database. Easy if you are also owner and admin and DB manager and ..., but if you have a friend who manages your MySQL you will need to go through the steps of contacting him, getting his private IP, entering it in Access Hosts, waiting till he finishes, cleaning him out of the list, ... That is a big problem and a waste of precious time for doing the job.

Some IPs, especially static ones, can have more than one hostname, and that is common practice, but IP -> Hostname doesn't need to return any of them; actually, most likely it will return a different one, like in the example I gave.

Conclusion: As an IT specialist with more than 20 years of exp., this is just a minor thing I found, which will mostly be only one more negative thing in my evaluation of some hosting, but I find X10 one of the most complete free hosting sites I've found, and X10 is well worth giving my free time/knowledge to analyze and debug this small problem and help you to be even better. Good work Guys/Gals
 
Last edited:
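
The mismatch described in the post above, as an added example that is not part of any post in this thread: a small model of MySQL-style access-host matching, where the server matches the client's IP and its forward-confirmed PTR name against the list and never resolves list entries forward. The DNS tables, addresses and the `pinned_entries` helper are constructed for illustration.

```python
import re

# Constructed sample DNS data (documentation address space, not real records).
PTR = {  # reverse zone: controlled by the ISP, not by the customer
    "203.0.113.10": "dsl-10.pool.isp.example",
    "203.0.113.77": "dsl-77.pool.isp.example",  # a different customer of the same ISP
}
A = {  # forward zone
    "dsl-10.pool.isp.example": ["203.0.113.10"],
    "dsl-77.pool.isp.example": ["203.0.113.77"],
    "myhome.ddns.example": ["203.0.113.10"],  # dynamic DNS name of the first customer
}

def client_identities(ip):
    """What the server can match on: the IP, plus its PTR name if that name
    resolves forward to the same IP (forward-confirmed reverse DNS)."""
    names = [ip]
    host = PTR.get(ip)
    if host and ip in A.get(host, []):
        names.append(host)
    return names

def host_matches(pattern, name):
    """MySQL-style host pattern: '%' is any run of characters, '_' is one."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def allowed(ip, access_hosts):
    """True if any access-host entry matches the IP or its confirmed PTR name.
    Entries are never resolved forward, so a DDNS name only matches if the
    PTR record happens to return that exact name."""
    return any(host_matches(p, n)
               for p in access_hosts for n in client_identities(ip))

def pinned_entries(ddns_name):
    """Alternative to a wildcard: resolve the DDNS name once and store the
    literal address(es) as the access-host entries."""
    return list(A.get(ddns_name, []))
```

With this data the DDNS name alone denies its own owner, the ISP-wide wildcard admits both customers, and the pinned address admits only the owner until the lease changes.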

Slothie

New Member
Note: It's not just MySQL's IP list that needs to be considered, it's the firewall. If we were to allow wildcard hosts, there wouldn't be much point in a firewall, would there? :D

Would you care to write the iptables rules for that, as well as a trigger on when to launch the iptables rules update? (Do remember to remove old entries as well.)

Technically it's not impossible, just a lot of work.
 
Last edited:
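
One way to approach the rule update asked for above, as an added sketch that is not from any poster and not X10's configuration: a reconciliation step that compares `iptables -S` output for a dedicated chain with the addresses the registered dynamic DNS names currently resolve to, and returns the commands to add new sources and remove stale ones. The chain name `MYSQL_DDNS`, the sample data and the idea of running it from a periodic job are assumptions; note that whoever controls a registered DNS record controls that firewall exception.

```python
import ipaddress
import re

CHAIN = "MYSQL_DDNS"  # hypothetical chain that INPUT jumps to for tcp/3306
RULE = ["-p", "tcp", "--dport", "3306", "-j", "ACCEPT"]
RULE_RE = re.compile(r"^-A (\S+) -s (\S+?)(?:/32)? -p tcp\b.*--dport 3306 -j ACCEPT$")

# Constructed sample data: `iptables -S MYSQL_DDNS` output and a fake resolver table.
SAMPLE_S = """-N MYSQL_DDNS
-A MYSQL_DDNS -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A MYSQL_DDNS -s 198.51.100.5/32 -p tcp -m tcp --dport 3306 -j ACCEPT"""
SAMPLE_DNS = {
    "alice.ddns.example": ["203.0.113.99"],  # address changed since the last run
    "bob.ddns.example": ["198.51.100.5"],    # unchanged
    "odd.ddns.example": ["127.0.0.1"],       # record pointed at loopback
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

def current_sources(iptables_s_output):
    """Source addresses that already have an ACCEPT rule in CHAIN."""
    found = set()
    for line in iptables_s_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == CHAIN:
            found.add(m.group(2))
    return found

def wanted_sources(hostnames, resolve):
    """Current IPv4 addresses of the registered names, minus nonsense targets."""
    wanted = set()
    for name in hostnames:
        for addr in resolve(name):
            ip = ipaddress.ip_address(addr)  # raises ValueError on malformed data
            if ip.version == 4 and not (ip.is_loopback or ip.is_unspecified
                                        or ip.is_multicast):
                wanted.add(str(ip))
    return wanted

def plan(iptables_s_output, hostnames, resolve):
    """Commands (argv lists) to reconcile CHAIN: additions first, then removals
    of every address no registered name resolves to any more."""
    have = current_sources(iptables_s_output)
    want = wanted_sources(hostnames, resolve)
    adds = [["iptables", "-A", CHAIN, "-s", ip, *RULE] for ip in sorted(want - have)]
    dels = [["iptables", "-D", CHAIN, "-s", ip, *RULE] for ip in sorted(have - want)]
    return adds + dels
```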

noner

New Member
> Would you care to write the iptables rules for that, as well as a trigger on when to launch the iptables rules update (Do remember to remove old entries as well).
>
> Technically its not impossible, just a lot of work.

I know that, we can talk about that. At least I could help in making it. Why not, it is a good challenge.
 

Slothie

New Member
Give it your best shot, if I think it's secure and it works, I'll do my best to campaign it with the other staff :D
 

noner

New Member
OK, I'll need some info regarding how things work from either you or one of the admins so that I could do logistic analysis, relations, probability cases and make an appropriate algorithm for all aspects with as few changes as possible while ensuring the best solution and/or possible scenario simulation.

This is the field that I work in for a living, besides programming in Delphi.
 

Slothie

New Member
It's just cPanel and iptables. The information is readily available off the internet, the implementation isn't.

While Delphi isn't available for Linux, Kylix is, which I use very often. You'd still need to find out how to integrate it with cPanel though.
 