Secure MySql/MariaDB Replication

We have a partner that has a MySQL / Maria DB Master server.  We have a slave and want to replicate against their master.  Some want to use the builtin SSL replication and others want to tunnel via SSH.  Can anyone provide some recommendations or pros and cons of each.  Any security, maintenance issues to consider?  Also, I assume that since we would be replicating against their master, they would have to run with the ssh port listening, not our slave?  Thanks
credogAsked:
Who is Participating?
 
btanConnect With a Mentor Exec ConsultantCommented:
SSH itself is as strong as its password based for authentication or based on key pair authentication. Using SSHV2 is alright but if private key are leaked or expoaed through client there is possibly hijacking and unauthorised access. That is why it is recommended not having administration over Internet and if need to should be via vpn then SSH. https://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_10.htm

Same goes for SSL if using weak protocol like TLS 1.0 and below. You can test ssltest to check the robustness of the ssl setup.
https://www.ssllabs.com/ssltest/
0
 
btanExec ConsultantCommented:
It would be preferable to have TLS instead of SSH. it is also documented for use of SSL/TLS. The firewall may have already been open for SSL and you can point the use of certificate to a CA that you own.

Rather than to manage the SSH keypair separately as individual system - you have no oversight for all. Key management operational effort requires a party to ensure all key are safely stored too.

Better to reduce the attack surface with less remote connection to database. SSH normally more for remote administration session rather than replication purpose.

https://mariadb.com/kb/en/library/replication-with-secure-connections/
1
 
skullnobrainsCommented:
as long as they only expose the mysql server to the outside from your ip which should be configured in their firewall, it does not matter much how you secure. unless the data is very sensitive, it is not actually very useful to even bother setting up ssl.

if you do setup ssl, make sure you do proper authentication with client certificates

that said, SSH is MUCH safer than SSL overall. in my book, SSL is plain broken and any hacker and many script kiddies will be able to snif SSL connections.

but i concur, setting up ssh access will definitely expose the server quite a lot. unless ssh is already available, i see little reason to do so.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
credogAuthor Commented:
How does ssh expose the slave server?  Seems that the Master server would be exposed since the slave would be initiating the tunnel to the Master?
0
 
skullnobrainsConnect With a Mentor Commented:
How does ssh expose the slave server?

opening an unnecessary service exposes you to a world of potential issues. this is truer on db servers which are usually not available from the internet in any direct way because whatever uses the db ( web server for example ) is most likely on a different server running in an isolated network segment.

in that case, ( let's forget about sniffing for a while ), one can non exhaustively think at least of the following : brute force attack on system passwords, various types of DOS resulting in either the ssh server being saturated, the link being saturated, or possibly kernel structures shortage ( sockets quite easily with basic syn/synfin attacks ), stauration of the nat table of the firewall... and a bunch of other stuff all resulting in at best downtime and at worst stolen data and destruction of he server and those around.

Seems that the Master server would be exposed since the slave would be initiating the tunnel to the Master?

yes.

if you limit the access to the ip of the slave location, that won't be much of an issue.
but in that case, an ssh tunnel is probably overkill anyway.

also note that mysql replications don't like poor networks so you'd need both sides to have decent internet connections ( which might be an issue in the us even on professional grade carriers ), and both ssl and ssh will make the connection less resistant to packet loss or irregular RTTs
0
 
credogAuthor Commented:
System forces the selection of a Best Answer, however both were high quality.  Wish I could select best for both.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.