
I have a bunch of Raspberry Pis collecting data from behind client firewalls. I want to start sending this data to a MySQL server. Because the Raspberry Pis do not have static IP addresses, I obviously feel vulnerable opening up my database to the public. For SSH we have Fail2Ban, but for MySQL I have found no documentation or recommended equivalent. Is it possible or even desirable to set up Fail2Ban for MySQL in this context?

My alternatives seem to be a mix of using a VPN, wildcard IP addresses, and port knocking. I'm not too fond of having potentially insecure RPis connecting to my server via SSH if I can help it. I imagine the best approach is strict IP banning.

JHAWN
  • What is your fear exactly? When your Pis use a very limited MySQL user you already reduce the possible attack vectors to a probably acceptable size. – Samuel Jan 30 '14 at 10:20
  • Opening up a port to the public at large would subject the server to brute force attacks. Sure I've got long passwords, but perhaps attackers may succeed, or at minimum cause a DoS. – JHAWN Jan 30 '14 at 10:25
  • @JHAWN - if your MySQL server is properly secured, your privileged users shouldn't be able to connect from IPs you don't control. A brute force to any privileged user would be impossible without an exploit in the authentication system. If you limit the behavior of the user for log reporting to only be able to call a sproc that can add parametrized records, then you have almost no exposed surface area. – AJ Henderson Jan 30 '14 at 14:37
  • You could always firewall off to the IP range of the clients. – Scott Pack Feb 01 '14 at 19:45
  • Duplicate of: [How do I setup monitoring of MySQL with Fail2ban?](http://serverfault.com/q/253452/6800) – tylerl Feb 03 '14 at 03:58
  • In this setup, all these devices are authenticating directly against your SQL server with the possibility to run any SQL commands. If any of your clients does some reverse engineering, your database passwords will leak, no matter how secure the connection between the client and the database is. Instead, write an API that validates your log data format and saves the logs to the database. – Esa Jokinen Feb 22 '19 at 14:27

1 Answer


Use ssh to forward a port securely to the machine running MySQL, using a key for authentication. To make this work, you need to not use per-IP authentication, as the IPs are changing. Attacks on ssh will then trigger your fail2ban system, while authenticated connections won't.

davecb
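As an added worked example (not part of davecb's answer), this is the server-side configuration that implements the tunnel approach: a forwarding-only SSH key per Pi, the tunnel command the Pi runs, an INSERT-only MySQL account bound to the tunnel endpoint, and the fail2ban jail that covers the single exposed port. The account name `pitunnel`, the key path, the database `telemetry.readings` and the hostname are assumptions, and the key in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumptions: MySQL listens on
# 127.0.0.1:3306 on the server, a login-less account "pitunnel" exists there,
# and each Pi has its own ed25519 key.

# authorized_keys line for one Pi's key: "restrict" disables everything (shell,
# agent/X11 forwarding, pty); "port-forwarding" re-enables only forwarding, and
# "permitopen" confines it to the MySQL port. A stolen key yields no shell.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:3306",command="/bin/false" %s\n' "$1"
}

# Command the Pi runs (under a supervisor such as systemd): -N requests no remote
# shell, ExitOnForwardFailure makes a refused forward fatal so the supervisor
# restarts it, and the Pi's local 3306 becomes the server's MySQL.
tunnel_command() {
    printf 'ssh -N -i /etc/pi-tunnel/id_ed25519 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:3306:127.0.0.1:3306 pitunnel@%s\n' "$1"
}

# MySQL account for the collectors: it exists only for 127.0.0.1 (where sshd
# hands off the tunnel) and can only INSERT into one table, so a password
# recovered from a Pi cannot read, alter or drop anything. $1 is the password.
collector_grant_sql() {
    printf "CREATE USER 'collector'@'127.0.0.1' IDENTIFIED BY '%s';\nGRANT INSERT ON telemetry.readings TO 'collector'@'127.0.0.1';\n" "$1"
}

# fail2ban: with MySQL unreachable from outside, the stock sshd jail is all that
# is needed. Drop this into /etc/fail2ban/jail.local (bantime in seconds).
fail2ban_jail_local() {
    printf '[sshd]\nenabled = true\nmaxretry = 5\nbantime = 3600\n'
}

# Audit helper: returns 0 if an authorized_keys line carries the three options
# above (restrict, port-forwarding, permitopen to MySQL), 1 otherwise. Run it
# over every line of ~pitunnel/.ssh/authorized_keys to catch an unconfined key.
key_line_is_confined() {
    case "$1" in
        *restrict*port-forwarding*permitopen=\"127.0.0.1:3306\"*) return 0 ;;
    esac
    return 1
}
```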