Secure MySql/MariaDB Replication

We have a partner that has a MySQL / MariaDB master server. We have a slave and want to replicate against their master. Some want to use the built-in SSL replication and others want to tunnel via SSH. Can anyone provide some recommendations or pros and cons of each? Any security or maintenance issues to consider? Also, I assume that since we would be replicating against their master, they would have to run with the SSH port listening, not our slave? Thanks

btan, Exec Consultant, commented:
It would be preferable to have TLS instead of SSH. It is also documented for use of SSL/TLS. The firewall may already have been opened for SSL, and you can point the use of certificates to a CA that you own.

Rather than managing the SSH keypair separately on each individual system, where you have no oversight over all of them, note that key management operational effort requires a party to ensure all keys are safely stored too.

Better to reduce the attack surface with fewer remote connections to the database. SSH is normally more for remote administration sessions rather than replication purposes.

As long as they only expose the MySQL server to the outside from your IP, which should be configured in their firewall, it does not matter much how you secure it. Unless the data is very sensitive, it is not actually very useful to even bother setting up SSL.

If you do set up SSL, make sure you do proper authentication with client certificates.

That said, SSH is MUCH safer than SSL overall. In my book, SSL is plain broken and any hacker and many script kiddies will be able to sniff SSL connections.

But I concur, setting up SSH access will definitely expose the server quite a lot. Unless SSH is already available, I see little reason to do so.
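As an added example (not from the thread or its participants), this is the TLS replication setup with client-certificate authentication that both answers above point to: the master only accepts the replication account from the slave's IP and only with a certificate issued by our own CA, and the slave verifies the master's certificate in turn. The hostname, IP address, file paths, password and certificate subject/issuer names are placeholders; the statements are standard MySQL 5.7 / MariaDB syntax.

```sql
-- ===== On the partner's MASTER =====
-- Prerequisite in the master's my.cnf [mysqld] section (server cert
-- issued by the CA we control, so the slave can verify it):
--   ssl-ca=/etc/mysql/ssl/ca.pem
--   ssl-cert=/etc/mysql/ssl/master-cert.pem
--   ssl-key=/etc/mysql/ssl/master-key.pem
--   require_secure_transport=ON   -- MySQL 5.7.8+ / MariaDB 10.5.2+: refuse plaintext

-- Replication-only account, bound to the slave's public IP
-- (203.0.113.10 is a constructed placeholder) and required to present a
-- client certificate with this exact subject, signed by our CA. A leaked
-- password alone is therefore not enough to connect.
CREATE USER 'repl'@'203.0.113.10'
  IDENTIFIED BY 'replace-with-long-random-password'
  REQUIRE SUBJECT '/C=US/O=Example Corp/CN=replica01.example.com'
  AND     ISSUER  '/C=US/O=Example Corp/CN=Example Corp Replication CA';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'203.0.113.10';

-- ===== On our SLAVE =====
-- Point the I/O thread at the master, force TLS, present our client
-- certificate and verify the master's certificate against our CA
-- (MASTER_SSL_VERIFY_SERVER_CERT=1 stops a MITM from impersonating it).
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST     = 'master.partner.example',   -- placeholder hostname
  MASTER_PORT     = 3306,
  MASTER_USER     = 'repl',
  MASTER_PASSWORD = 'replace-with-long-random-password',
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/replica01-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/replica01-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Check: Master_SSL_Allowed should be Yes, Slave_IO_Running Yes, and
-- Last_IO_Error empty. A certificate/subject mismatch shows up here as a
-- connection error from the master rather than as a silent fallback.
SHOW SLAVE STATUS\G
```

The master-side firewall rule restricting port 3306 to the slave's IP, which both answers assume, is separate from and in addition to the per-IP account above.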
credog, Author, commented:
How does SSH expose the slave server? Seems that the master server would be exposed, since the slave would be initiating the tunnel to the master?

btan, Exec Consultant, commented:
SSH itself is as strong as its password-based authentication or its key-pair-based authentication. Using SSHv2 is alright, but if private keys are leaked or exposed through a client there is possibly hijacking and unauthorised access. That is why it is recommended not to have administration over the Internet, and if needed it should be via VPN, then SSH.

Same goes for SSL if using a weak protocol like TLS 1.0 and below. You can test with ssltest to check the robustness of the SSL setup.

How does SSH expose the slave server?

Opening an unnecessary service exposes you to a world of potential issues. This is truer on DB servers, which are usually not available from the Internet in any direct way, because whatever uses the DB (a web server, for example) is most likely on a different server running in an isolated network segment.

In that case (let's forget about sniffing for a while), one can non-exhaustively think of at least the following: brute-force attacks on system passwords; various types of DoS resulting in either the SSH server being saturated, the link being saturated, or possibly a shortage of kernel structures (sockets, quite easily, with basic SYN/SYN-FIN attacks); saturation of the NAT table of the firewall... and a bunch of other stuff, all resulting in at best downtime and at worst stolen data and destruction of the server and those around it.

Seems that the master server would be exposed since the slave would be initiating the tunnel to the master?

If you limit the access to the IP of the slave location, that won't be much of an issue.
But in that case, an SSH tunnel is probably overkill anyway.

Also note that MySQL replication doesn't like poor networks, so you'd need both sides to have decent Internet connections (which might be an issue in the US even on professional-grade carriers), and both SSL and SSH will make the connection less resistant to packet loss or irregular RTTs.
credog, Author, commented:
The system forces the selection of a Best Answer; however, both were high quality. Wish I could select best for both.