
I would like to start this discussion about mysqldump security. By security I'm not speaking about cron tasks that display the password, or password security in any way; instead I'm talking about the security of the command itself.

In my particular case I have set up on my home server a cron job that runs mysqldump and backs up my website database on the VPS that I have with 1&1.

So basically the scenario is that my home PC is remotely backing up the MySQL database on port 3306. This works correctly, but I started having nightmares while sleeping, thinking that maybe someone could listen on port 3306 and get all my data while I'm backing up (with mysqldump). I mean, from what I have understood, MySQL is not under SSL on port 3306, so anybody could potentially get the backup copy of the database?

I mean, would this scenario be possible:

  1. My home PC starts the mysqldump task
  2. My VPS on 1&1 prepares the SQL dump remotely
  3. My home PC receives the dump locally from the remote server

Between point 2 and point 3, is it possible that someone gets a copy of my file?

Thanks in advance for the answers, Marcos


2 Answers


You should not expose port 3306 on your VPS host to the public internet. MySQL's unencrypted port is not secure.

If you're running mysqldump on your VPS host, and only transferring the resulting dump file to your PC, then you can do this securely.

If you can ssh to your VPS, you should be able to use scp too. This gives you the ability to transfer files securely.

Here's a FAQ article about using scp with 1&1. I found this by googling for "1&1 scp":

http://faq.1and1.co.uk/server/root_server/linux_recovery/9.html

If you need to run mysqldump on your Home PC and connect remotely to MySQL on the VPS host, you have options:

  • Run mysqldump on the PC with SSL connection options.
  • Open a port-forwarding ssh tunnel, then run mysqldump on the PC connecting to the forwarded port.
  • Run ssh to invoke mysqldump on the VPS, then capture the output. See the example in the accepted answer to this question: https://serverfault.com/questions/36467/temporary-ssh-tunnel-for-backup-purposes
  • Create a VPN and do anything you want because it's all encrypted.

Re your comments of 10/11:

I need to execute the command from home PC to backup the VPS remotely.

I want to ... receive instead the backup file directly so in the VPS should be saved nothing.

Okay, here's what you can do, without exposing port 3306:

$ ssh marcos@192.168.1.3 'mysqldump ...options.. | gzip -c' > ~/dump.sql.gz

Notice the position of quotes in that command. You're executing on the VPS the command: mysqldump ...options.. | gzip -c. The stdout of that command is a gzipped stream of the dump. That stream is returned via ssh, and then > saves the output locally in the shell on your PC.


Re your comment of 10/13:

Now I'm storing on the server a plain text file that contains the credentials to access the MySQL server. I mean, if someone breaks into the server they will be able not just to damage the server content but also to damage and steal the MySQL database and information. Am I right?

If you use MySQL 5.6 you can use the new feature to store connection credentials in a semi-encrypted manner. See http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html

If you use MySQL 5.5 or earlier, then you're right, you should be careful to restrict the file permissions of my.cnf. Mode 600 should be enough (i.e. it's not an executable file).

But if someone breaks into your server, they may have broken in with root access, in which case nothing can restrict what files they read.

MySQL doesn't have enough security to block access if someone gains root access, so it's up to you to use other means to prevent breakins. Firewalls, etc.

answered 2013-10-02T17:34:24.273
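The ssh-pipe approach from the answer above, wrapped as a cron-friendly script. This is an added example, not code from the original answer: it assumes a hypothetical user "marcos", database "website" and a mysql_config_editor login path "backup" on the VPS, and adds an `SSH_CMD` override (also hypothetical) so the function can be exercised offline with a stand-in for ssh.

```shell
#!/bin/sh
# remote_dump HOST DATABASE LOGIN_PATH OUTFILE
#   Runs mysqldump on the VPS over ssh and writes the gzipped stream to
#   OUTFILE on the home PC. Nothing is written on the VPS, and port 3306
#   is never exposed. SSH_CMD is a hypothetical hook (default: ssh).
remote_dump() {
    host=$1 db=$2 login_path=$3 out=$4
    ssh_cmd=${SSH_CMD:-ssh}
    # Credentials come from a mysql_config_editor login path on the VPS,
    # so no password appears on the remote command line. The pipeline is
    # passed as one string so that it runs on the VPS, not locally.
    remote="mysqldump --login-path=$login_path --single-transaction $db | gzip -c"
    tmp="$out.part.$$"

    # BatchMode: never prompt (this runs from cron). umask 077 in a
    # subshell makes the partial file readable only by the local user.
    if ! (umask 077; "$ssh_cmd" -o BatchMode=yes "$host" "$remote" > "$tmp"); then
        rm -f "$tmp"; return 1
    fi
    # A dropped ssh session or a failed mysqldump still leaves a file
    # (gzip of empty input is a valid archive). Keep the dump only if it
    # is a valid gzip stream that ends in mysqldump's own trailer line,
    # so a truncated or empty backup is never silently kept.
    if ! gzip -t "$tmp" 2>/dev/null ||
       ! gzip -dc "$tmp" | tail -n 3 | grep -q '^-- Dump completed'; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}
```

Invoke it from cron as `remote_dump marcos@vps.example website backup ~/dump.sql.gz` with an ssh key that has no passphrase or is loaded into an agent, since BatchMode refuses to prompt.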

Yes, it is possible, but you did not mention how you are going to fetch the data. If you use ssh/scp (with a dedicated user for the dump, IP filtering, and authentication based on a private key with a key passphrase) it is acceptable and, in my opinion, secure. Another quick and more secure method is to set up a VPN. Anything beyond that is a level of paranoia for personal use.

answered 2013-10-02T17:36:09.010