undefined | Better HN

0 pointssnowwrestler12y ago0 comments

The most secure setup for administrative services is to whitelist their ports by IP address. For example port 22 (SSH) on our servers can only be hit by known-good IP addresses. You can do the same for MySQL's port, or use an SSH tunnel to hit MySQL through localhost.

0 comments

4 comments · 1 top-level

gonnakillme12y ago· 3 in thread

Restricting SSH to "known-good" IP addresses is less flexible and less secure than public key authentication.

(Restricting mysql access to localhost and using an SSH tunnel is fine practice, AFAIK.)

snowwrestlerOP12y ago

It is less flexible, but it is more secure than using public key authentication by itself (public key auth can be used in conjunction with an IP whitelist).

gonnakillme12y ago

I'm not sure an IP whitelist gives you anything -- it provides a handy mechanism for escalating privileges, both for intrusions on a machine at the "known-good" IP and for unintended network access in general.

superuser212y ago

Um. No. Bouncing traffic through one device out of probably many at your house (when's the last time you updated the firmware on your TV? Your router?) is a lot more feasible than breaking public key encryption.

j / k navigate · click thread line to collapse