credog
asked on
Secure MySql/MariaDB Replication
We have a partner that has a MySQL / MariaDB Master server. We have a slave and want to replicate against their master. Some want to use the built-in SSL replication and others want to tunnel via SSH. Can anyone provide some recommendations or pros and cons of each? Any security, maintenance issues to consider? Also, I assume that since we would be replicating against their master, they would have to run with the ssh port listening, not our slave? Thanks
as long as they only expose the mysql server to the outside from your ip which should be configured in their firewall, it does not matter much how you secure. unless the data is very sensitive, it is not actually very useful to even bother setting up ssl.
if you do set up ssl, make sure you do proper authentication with client certificates
that said, SSH is MUCH safer than SSL overall. in my book, SSL is plain broken and any hacker and many script kiddies will be able to sniff SSL connections.
but i concur, setting up ssh access will definitely expose the server quite a lot. unless ssh is already available, i see little reason to do so.
ASKER
How does ssh expose the slave server? Seems that the Master server would be exposed since the slave would be initiating the tunnel to the Master?
ASKER
System forces the selection of a Best Answer, however both were high quality. Wish I could select best for both.
Rather than managing the SSH keypair separately as an individual system - you have no oversight for all. The operational effort of key management requires a party to ensure all keys are safely stored too.
Better to reduce the attack surface with fewer remote connections to the database. SSH is normally more for remote administration sessions rather than replication purposes.
https://mariadb.com/kb/en/library/replication-with-secure-connections/
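A check for the built-in SSL option discussed in this thread, as an added example (not code from any poster or from MariaDB): it parses the vertical output of `SHOW SLAVE STATUS\G` taken on the replica and flags a missing CA, disabled server-certificate verification, or a missing client certificate. Both status dumps are constructed samples, and the host name and file paths in them are placeholders.

```python
# Added example: audit a replica's TLS settings from SHOW SLAVE STATUS output.
# Both status dumps are constructed samples; host and paths are placeholders.
WEAK = """\
*************************** 1. row ***************************
                  Master_Host: master.partner.example
              Master_Log_File: mysql-bin.000042
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File:
              Master_SSL_Cert:
               Master_SSL_Key:
Master_SSL_Verify_Server_Cert: No
"""
HARDENED = """\
*************************** 1. row ***************************
                  Master_Host: master.partner.example
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/tls/ca.pem
              Master_SSL_Cert: /etc/mysql/tls/replica-cert.pem
               Master_SSL_Key: /etc/mysql/tls/replica-key.pem
Master_SSL_Verify_Server_Cert: Yes
"""

def parse_status(text):
    """Turn the 'Key: value' lines of vertical client output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:  # the '*** 1. row ***' separator has no colon and is skipped
            fields[key.strip()] = value.strip()
    return fields

def audit_replica_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_status(text)
    findings = []
    if s.get("Master_SSL_Allowed") != "Yes":
        findings.append("MASTER_SSL is not enabled for the replication link")
    if not (s.get("Master_SSL_CA_File") or s.get("Master_SSL_CA_Path")):
        findings.append("no CA configured to validate the master's certificate")
    if s.get("Master_SSL_Verify_Server_Cert") != "Yes":
        findings.append("master's certificate is not verified against its host name")
    if not (s.get("Master_SSL_Cert") and s.get("Master_SSL_Key")):
        findings.append("no client certificate/key, so no certificate-based login")
    return findings

if __name__ == "__main__":
    for name, dump in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_replica_tls(dump) or "OK")
```

The client-certificate check only has teeth when the master's replication account also requires a certificate (for example `REQUIRE X509` on that user); otherwise the master accepts the login without one.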