LinuxQuestions.org
Old 03-23-2005, 07:18 PM   #1
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Rep: Reputation: 16
Remotely connecting to MySQL using SSH


I have a web site (on a shared hosting account) that is collecting data via a php form. I would like to transmit this data securely into a mySQL database on a local server. Can anyone give me a bit of a walkthrough? I've googled like mad, but all the info I can find seems very fragmented. SSH is working fine - I can do an SSH connection from the shared server to the local (at the command line) with no problem. Oh, and I'd like to still have the ability to write directly into mySQL databases on the shared web hosting account as well as to the local machine. Is that possible?

Thank you for your time...:-)
 
Old 03-23-2005, 07:25 PM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 4
Posts: 4,297

Rep: Reputation: 205
Yes, syntax: ssh -l <login name> <hostname/ipaddress> as long as you have login permission to the server using ssh you'll get in with the freedom to do as you wish (as long as you have the right to).

You may already know this but just in case, you need to have ssh running on the server.

Last edited by {BBI}Nexus{BBI}; 03-23-2005 at 07:26 PM.
 
Old 03-23-2005, 07:29 PM   #3
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Right, but that's a manual login, isn't it? I need the php script collecting the data to connect to the local mySQL database automatically, as it's processing the data.
 
Old 03-23-2005, 08:20 PM   #4
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 4
Posts: 4,297

Rep: Reputation: 205
I know nothing about scripting, I'm afraid.
 
Old 03-23-2005, 08:26 PM   #5
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
No prob...thanks anyway. :-)
 
Old 03-24-2005, 04:44 AM   #6
antony.booth
LQ Newbie
 
Registered: Oct 2004
Location: UK
Distribution: Fedora
Posts: 23

Rep: Reputation: 15
Encrypt it, then send it. How about an RSA key pair, one at the host and one at your Mysql Server location? That way, you could use the hosting site for send only and another location for reading the data. Using the key pair solution would mean that even the admin on the hosting site, who can read your scripts and even the public key, cannot access the data, because they won't have the private key to decrypt it, even though they could possibly use the account information in your .php scripts to access your database contents.

Note: Set the permissions on the hosting site's mysql account to INSERT only on the specific table your data is posted to. Deny everything else and the admins or hackers won't even be able to read what your scripts sent.

Last edited by antony.booth; 03-24-2005 at 04:54 AM.
 
Old 03-24-2005, 08:57 AM   #7
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Just use MySQL + SSL. PHP5 and MySQL >= 4.0 (maybe 4.1) can send data over SSL connections.
 
Old 03-24-2005, 09:16 AM   #8
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
"Encrypt it, then send it. How about an RSA key pair, one at the host and one at your Mysql Server location? That way, you could use the hosting site for send only and another location for reading the data. Using the key pair solution would mean that even the admin on the hosting site, who can read your scripts and even the public key, cannot access the data, because they won't have the private key to decrypt it, even though they could possibly use the account information in your .php scripts to access your database contents."

So all the encryption, keys, etc...can be done with no shell access (one of the non-local accounts has shell, but the rest don't)? If so, is it possible to get a bit of a walkthrough? Also, even if it's encrypted, wouldn't I still have to open up the mySQL database for each IP that data is coming from? That's a problem, because some of the locations we're getting data from don't have dedicated IPs. :-(

Thanks!

"Just use MySQL + SSL. PHP5 and MySQL >= 4.0 (maybe 4.1) can send data over SSL connections."

Right, but do you have a good walkthrough for this? I haven't been able to find any useful step-by-step instructions. Thanks.
 
Old 03-24-2005, 10:14 AM   #9
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
I compile MySQL from scratch, so I add the --with-ssl option to the config line. I'd imagine the precompiled versions have SSL built in. You'll also need to compile PHP w/ SSL support.

Once that's done, you can use the PearDB class to handle the connections. I believe that the mysql_connect() function supports SSL in PHP5 (PHP4 support for it is really shaky). There aren't many HOWTOs out there b/c it's a relatively new technology (merging the three existing technologies), but the documentation in PearDB, MySQL and PHP is pretty solid.
 
Old 03-24-2005, 10:23 AM   #10
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Since it's a shared host, I don't have the ability to compile anything. Is there a good test to see if it's already been done? Thanks again. :-)
 
Old 03-24-2005, 10:24 AM   #11
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
Oh, and I just checked and the shared host we're using is running PHP version 4.3.10 and MySQL version 4.0.23-standard. That probably won't work then, eh?
 
Old 03-24-2005, 04:51 PM   #12
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Yup... you'll have to encrypt the data and send it over plain text as mentioned earlier. Suggest you start reading up on scripting.
 
Old 03-24-2005, 05:10 PM   #13
Teleute
Member
 
Registered: Mar 2005
Posts: 62

Original Poster
Rep: Reputation: 16
So there's no way to create an SSH tunnel in this situation? At all?
 
Old 03-24-2005, 08:10 PM   #14
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Geesh, I must have misread something earlier....

Google for "ssh tunneling". The first 1000 hits or so should get you started. Most stuff out there is specific to creating tunnels for mail, but if you can't change port numbers, perhaps you should consider something simpler.
 
Old 03-25-2005, 08:11 AM   #15
antony.booth
LQ Newbie
 
Registered: Oct 2004
Location: UK
Distribution: Fedora
Posts: 23

Rep: Reputation: 15
Quote:
Originally posted by Teleute
So all the encryption, keys, etc...can be done with no shell access (one of the non-local accounts has shell, but the rest don't)? If so, is it possible to get a bit of a walkthrough? Also, even if it's encrypted, wouldn't I still have to open up the mySQL database for each IP that data is coming from? That's a problem, because some of the locations we're getting data from don't have dedicated IPs. :-(

Thanks!
You can generate your RSA public and private keys from somewhere else. You can create an OpenSSH pair with the command:-

ssh-keygen -t rsa

You can then copy the public key to the host server and use it with your .php scripts. As for integrating that into a .php script, I suggest you read up on php encryption.

One thing you should note; this method is better than communication via an ssh tunnel, because the data still gets stored unencrypted in your database using a tunnel and account details to access that data are stored publicly on your host's server. Restricting what that account can do will help, and only allowing it to update a temporary table, from which the data will be copied will also help protect the integrity of your database but still, encrypted, that information is even protected yet further. It is an ideal way of storing your data on another public host as well.

I actually wrote a script to test the integrity of a host server I was about to use for storing data from an online store. My script attempted to read scripts from other accounts hosted on the same server. This was not to get their information, but to test whether they could do the same and get mine.
To my horror, I could load their scripts and parse them for account information. I forwarded this script to the administrators, before I cancelled my account. I could have used my account to defraud millions by tampering with other accounts' databases as I had everything I needed to get most of their MySQL database data. Had that data been encrypted with an RSA key pair, the information I could have extracted would have been useless and the worst I could do is damage the data.

So the moral to this story is protect your data from the .php script and the account it uses.

Last edited by antony.booth; 03-25-2005 at 08:19 AM.
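
The public-key approach suggested in posts #6 and #15, sketched as an added example that is not part of the original thread or any poster's code: RSA can only encrypt short inputs, so each record is encrypted with a one-time AES-256-GCM key and that key is wrapped with the RSA public key. It assumes PHP 7.1 or later with the openssl extension (newer than the PHP 4.3.10 host mentioned in the thread); the function names `seal_record` and `open_record` and the sample record are hypothetical.

```php
<?php
// Added illustration: function names and the sample record are hypothetical.
// Web host side: only the PUBLIC key is deployed next to the form script.
function seal_record(string $plaintext, string $publicKeyPem): string
{
    $key = random_bytes(32);   // one-time AES-256 key for this record
    $iv  = random_bytes(12);   // 96-bit GCM nonce
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('AES-GCM encryption failed');
    }
    // Wrap the AES key with RSA-OAEP; only the private-key holder can unwrap it.
    if (!openssl_public_encrypt($key, $wrapped, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    // Layout: 2-byte wrapped-key length | wrapped key | nonce | tag | ciphertext
    return base64_encode(pack('n', strlen($wrapped)) . $wrapped . $iv . $tag . $ct);
}

// Local server side: the private key never leaves this machine.
function open_record(string $blob, string $privateKeyPem): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 2) {
        throw new RuntimeException('Malformed record');
    }
    $len     = unpack('n', $raw)[1];
    $wrapped = substr($raw, 2, $len);
    $iv      = substr($raw, 2 + $len, 12);
    $tag     = substr($raw, 14 + $len, 16);
    $ct      = substr($raw, 30 + $len);
    if (!openssl_private_decrypt($wrapped, $key, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {   // GCM tag mismatch: record altered or wrong key
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

// Demo with a throwaway key pair generated in-process (constructed for this example).
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];
$blob = seal_record(json_encode(['name' => 'Example User', 'order' => 1001]), $publicPem);
echo open_record($blob, $privatePem), PHP_EOL;
```

PHP's openssl functions expect a PEM public key, so a `.pub` file produced by ssh-keygen has to be converted first, for example with `ssh-keygen -e -m PKCS8 -f id_rsa.pub`. The scheme keeps stored records confidential but does not authenticate the sender, since anyone holding the public key can seal a new record.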
 
  

