I need to open the port of my MySQL server to the outside, and from what I read, the default configuration is neither secure nor encrypted.
For that, I have a few solutions in mind, with their reasons, but I'd like to know, from a security point of view, if I'm missing something.
First, the initial idea was to set up SSH tunneling, but I'm afraid the connection could be lost from time to time (even if I set it up with the "autossh" system to automatically reconnect when the connection stops). My main concern is that I'm afraid to lose some requests (between the moment the SSH tunnel stops and the time autossh takes to set up a new connection).
So I thought about opening MySQL for the outside. I'm aware this is not the best option without working on securing it, but if I add those steps, would it be better?
- Change the port for the outside. This won't stop someone from finding the correct port, but it will at least stop the bots that directly target 3306.
- Set up MySQL SSL. This will stop data being transmitted in the clear between the client and the server, and avoid MitM attacks.
- Allow connections only from certain IPs. This will ensure that only the IPs I want will be able to connect. This would be managed by iptables.
- root will only be available from localhost, and all other users will have restricted access (to their own database).
With this configuration in mind, do you think MySQL would still be vulnerable?
My only idea is if someone were to access my web server and know the login/password, but I believe that once someone has the login/password, security becomes useless (because it has already been breached to obtain the credentials).
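The four controls listed in the question (non-default port, TLS enforced, firewall source restriction, root confined to localhost) are easy to state and easy to get subtly wrong, for example by setting up certificates but leaving plaintext logins allowed, or by adding a source-restricted ACCEPT while a broader ACCEPT still sits in the chain. The following audit script is an added example, not code from the question or its answers. It checks constructed inputs (a `[mysqld]` section, `user`/`host` rows as returned by `SELECT user, host FROM mysql.user`, and `iptables-save` output) against those four controls; the option names `port`, `require_secure_transport`, `ssl-ca`, `ssl-cert` and `ssl-key` are real MySQL server options, while the hostnames, addresses and file paths are made up for the example.

```python
"""Audit a MySQL exposure plan against four controls: non-default port, TLS
required, firewall restricted to known source IPs, root only from localhost.
All inputs below are constructed samples, not taken from a real server."""
from typing import Dict, List, Tuple

# --- constructed "before" inputs: one failure per control ---
MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
require_secure_transport = OFF
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
"""
# (user, host) rows; 'root'@'%' is the misconfiguration to catch
MYSQL_USERS = [("root", "localhost"), ("root", "%"),
               ("app", "%"), ("app", "203.0.113.10")]  # TEST-NET-3, constructed
IPTABLES_SAVE = """
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# --- constructed "after" inputs: the same plan with the controls applied ---
HARDENED_CNF = """
[mysqld]
bind-address = 0.0.0.0
# non-default port (constructed choice)
port = 13306
require_secure_transport = ON
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
"""
HARDENED_USERS = [("root", "localhost"), ("app", "203.0.113.10")]
HARDENED_RULES = """
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 13306 -j ACCEPT
COMMIT
"""


def parse_mysqld_section(cnf: str) -> Dict[str, str]:
    """Return key=value pairs of the [mysqld] section; '_' and '-' in option
    names are both accepted by MySQL, so keys are normalised to '-'."""
    opts, in_section = {}, False
    for raw in cnf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mysqld]"
            continue
        if in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            opts[key.replace("_", "-").lower()] = value
    return opts


def audit_config(opts: Dict[str, str]) -> List[str]:
    """Control 1 (port) and control 2 (TLS). Certificates alone are not enough:
    without require_secure_transport=ON a client may still log in in plaintext."""
    findings = []
    if opts.get("port", "3306") == "3306":
        findings.append("port: still the default 3306")
    if opts.get("require-secure-transport", "OFF").upper() != "ON":
        findings.append("tls: require_secure_transport is not ON; plaintext logins accepted")
    for key in ("ssl-ca", "ssl-cert", "ssl-key"):
        if key not in opts:
            findings.append(f"tls: {key} not set")
    return findings


def audit_users(rows: List[Tuple[str, str]]) -> List[str]:
    """Control 4: any root account whose host is not local is reachable remotely."""
    return [f"users: 'root'@'{host}' is remotely reachable"
            for user, host in rows
            if user == "root" and host not in ("localhost", "127.0.0.1", "::1")]


def audit_iptables(rules: str, port: str) -> List[str]:
    """Control 3: the INPUT policy must be DROP and every ACCEPT on the MySQL
    port must carry a -s source restriction."""
    findings = []
    if ":INPUT DROP" not in rules:
        findings.append("firewall: INPUT policy is not DROP")
    for line in rules.splitlines():
        if f"--dport {port}" in line and "-j ACCEPT" in line and " -s " not in line:
            findings.append(f"firewall: unrestricted accept on port {port}: {line.strip()}")
    return findings


def audit(cnf: str, rows: List[Tuple[str, str]], rules: str) -> List[str]:
    """Run all checks; an empty list means every listed control is in place."""
    opts = parse_mysqld_section(cnf)
    return (audit_config(opts) + audit_users(rows)
            + audit_iptables(rules, opts.get("port", "3306")))


if __name__ == "__main__":
    for finding in audit(MY_CNF, MYSQL_USERS, IPTABLES_SAVE):
        print("FAIL", finding)
    print("hardened:", audit(HARDENED_CNF, HARDENED_USERS, HARDENED_RULES) or "OK")
```

Run against the "before" inputs the script reports four failures, one per control; the "after" inputs pass cleanly. The firewall check deliberately flags a broad ACCEPT even when a narrower one precedes it, because rule order alone is a fragile way to express "only these addresses".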