Pages

Bài đăng phổ biến

Monday, March 19, 2012

How Do I Enable Remote Access To MySQL Database Server?


How Do I Enable Remote Access To MySQL Database Server?

By default remote access to MySQL database server is disabled for security reasons. However, some time you need to provide remote access to database server from home or a web server. If you want to remotely access to the database server from the web server or home, follow this quick tutorial.

MySQL Remote Access

You need type the following commands which will allow remote connections.

Step # 1: Login Using SSH (if server is outside your data center)

First, login over ssh to remote MySQL database server:
ssh [email protected]

Step # 2: Edit my.cnf File

Once connected you need to edit the MySQL server configuration file my.cnf using a text editor such as vi.
  • If you are using Debian Linux file is located at /etc/mysql/my.cnf location
  • If you are using Red Hat Linux/Fedora/Centos Linux file is located at /etc/my.cnf location
  • If you are using FreeBSD you need to create a file /var/db/mysql/my.cnf
Edit /etc/my.cnf, run:
# vi /etc/my.cnf

Step # 3: Once file opened, locate line that read as follows

[mysqld] 
Make sure line skip-networking is commented (or remove line) and add following line
bind-address=YOUR-SERVER-IP
For example, if your MySQL server IP is 65.55.55.2 then entire block should be look like as follows:
[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
language        = /usr/share/mysql/English
bind-address    = 65.55.55.2
# skip-networking
....
..
....
Where,
  • bind-address : IP address to bind to.
  • skip-networking : Don’t listen for TCP/IP connections at all. All interaction with mysqld must be made via Unix sockets. This option is highly recommended for systems where only local requests are allowed. Since you need to allow remote connection this line should be removed from my.cnf or put it in comment state.

Step# 4 Save and Close the file

Restart the mysql server, enter:
# /etc/init.d/mysql restart

Step # 5 Grant access to remote IP address

Connect to mysql server:
$ mysql -u root -p mysql

Grant access to a new database

If you want to add a new database called foo for user bar and remote IP 202.54.10.20 then you need to type the following commands at mysql> prompt:mysql> CREATE DATABASE foo;
mysql> GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD';

How Do I Grant Access To An Existing Database?

Let us assume that you are always making connection from remote IP called 202.54.10.20 for database called webdb for user webadmin, To grant access to this IP address type the following command At mysql> prompt for existing database, enter:
mysql> update db set Host='202.54.10.20' where Db='webdb';
mysql> update user set Host='202.54.10.20' where user='webadmin';

Step # 5: Logout of MySQL

Type exit command to logout mysql:mysql> exit

Step # 6: Open port 3306

You need to open TCP port 3306 using iptables or BSD pf firewall.

A sample iptables rule to open Linux iptables firewall

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your web server located at 10.5.1.3:
/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your lan subnet 192.168.1.0/24:
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT
Finally save all rules:
# service iptables save

A sample FreeBSD / OpenBSD pf rule ( /etc/pf.conf)

pass in on $ext_if proto tcp from any to any port 3306
OR allow only access from your web server located at 10.5.1.3:
pass in on $ext_if proto tcp from 10.5.1.3 to any port 3306  flags S/SA synproxy state

Source: cyberciti


Bonus: Enable mysql remote for user root:
mysql> update user set host='%' where user='root';
Nguyen Sĩ Nhàn

Friday, March 9, 2012

Tuesday, March 6, 2012

Changing the Asterisk manager password


If you are using the default password, you will see the message:

Warning: You are running FreePBX and Asterisk with the default manager pass. You should consider changing this to something else.
Running with the default password is a bad idea, simply because everyone else in the world knows it, and (if not properly firewalled, etc etc) could potentially connect to your asterisk box and do bad things(tm).
Warning: Don't get cute and try to use a password with non-alphabetic or non-numeric characters - things may break in strange ways if you try to use punctuation characters in passwords. Unless you really know what you are doing, stick to numbers and standard alphabetic characters. Also, you should probably read the comments below, to understand the importance of making a full backup before changing anything in case something goes wrong.

Changing the password

To do this, you need to edit two files: /etc/asterisk/manager.conf and /etc/amportal.conf

manager.conf

This controls the asterisk 'manager' users that are allowed to connect to the asterisk manager interface.
You can have as many users in here as you'd like (for example, an operator panel might use one) and in fact, you should have different users for each application.
FreePBX requires a user that has a definition like the following:
[admin]
secret = secret123password
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user

amportal.conf

There needs to be a corresponding entry in /etc/amportal.conf
AMPMGRUSER=admin
AMPMGRPASS=secret123password


Obviously you just need to use the same username (inside the square brackets) and password as above.
Once you have made the changes, you need to click on "Apply Configuration Changes" in order for the change to propagate throughout the system (If you don't see the orange "Apply Configuration Changes" bar, go to one of the GUI screens in the system and re-submit the page, no changes necessary). If you don't do this, then extensions_additional.conf will have stale data resulting in a broken phone system.

Source: .freepbx.org