我正在尝试设置mysql,以便用户'imbnpandmkexby'可以从任何远程IP地址或本地连接到数据库'de0rllo43ct314'。
===========这些是我采取的步骤:===========
1)在我的MySQL配置中,我已经注释掉了bind-address行,验证了skip-networking不在文件中,并重新启动了mysql:
#/etc/mysql/my.cnf:
#bind-address = 127.0.0.1
2)我在所需数据库'de0rllo43ct314'上为用户'imbnpandmkexby'添加了远程权限(使用'%'):
[ remote ] > mysql -u root -p
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'localhost' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'127.0.0.1' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > GRANT ALL PRIVILEGES ON de0rllo43ct314.* TO 'imbnpandmkexby'@'%' IDENTIFIED BY 'passwordhere' WITH GRANT OPTION;
[ mysql ] > FLUSH PRIVILEGES;
[ mysql ] > select * from mysql.user\G
输出:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password:
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password:
...
3)此时我可以使用Sequel Pro连接SSH隧道。用户似乎拥有所有正确的权限。
4)接下来,我打开了一个防火墙端口并验证MySQL正在侦听该端口:
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
[ remote ] > sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
由于此框位于amazon ec2上,我还在其安全组中打开了3306端口:
5)我可以telnet到端口:
Trying 00.00.00.000...
Connected to ec2-00.00.00.000.us-west-2.compute.amazonaws.com.
Escape character is '^]'.
===========这就是我要去的地方:===========
显示<00> 00.00.00.000而不是实际IP当我尝试从本地计算机连接到数据库时,它不起作用:
[ local ] > mysql -u imbnpandmkexby -h 00.00.00.000 -p
[ local ] > Enter password:
[ local ] > ERROR 2003 (HY000): Can't connect to MySQL server on '00.00.00.000' (61)
我可以连接到dreamhost服务器上的数据库,所以它似乎不是我的一块:
[ local ] > mysql -u dreamhost_user -h mysql.dreamhostdomain.com -p
[ local ] > Enter password:
[ local ] > Welcome to the MySQL monitor. Commands end with ; or \g.
我是否缺少一层权限?
答案 0 :(得分:2)
好的,终于明白了!我有两个问题的组合:
1)我的SQL规则是在iptables中的REJECT规则之后出现的:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4505
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
我所做的是删除最后一条规则,并在索引10重新添加:
[ remote ] > iptables -vnL --line-numbers ##Prints rules along with line numbers
[ remote ] > iptables -D INPUT 14
[ remote ] > sudo iptables -I INPUT 10 -p tcp --dport 3306 -j ACCEPT
我知道这是朝着正确方向迈出的一步,因为我现在可以通过telnet连接到盒子了(&#34; telnet 00.00.00.000 3306&#34;)
2)我遇到的第二个问题是我的MySQL用户只在&#39; localhost&#39;上设置了密码。用户,而不是有权访问&#39; 127.0.0.1&#39;或者&#39;%&#39;。事实证明,每个用户 - 主机组合都需要密码。现在当我运行&#34;从mysql.user \ G&#34;中选择*在MySQL控制台中,我得到:
*************************** 6. row ***************************
Host: localhost
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 7. row ***************************
Host: 127.0.0.1
User: imbnpandmkexby
Password: *0000000000000000000000
...
*************************** 8. row ***************************
Host: %
User: imbnpandmkexby
Password: *0000000000000000000000
...
答案 1 :(得分:0)
在mysql服务器上运行tcpdump以确保tcp / 3306实际进入该框,或查看其被阻止的位置。
如果连接到远程tcp / 3306挂起和超时,它被防火墙黑洞或拒绝。如果它通过cant connect立即返回,它最有可能一直到服务器,但被拒绝(并返回tcp响应)。