Linode Forum
Linode Community Forums
PostPosted: Sun Oct 16, 2011 11:02 pm 
Junior Member

Joined: Sat Feb 21, 2009 6:25 pm
Posts: 26
I'm a new Linode customer.

I followed the LAMP install guide. I noticed that the "recommended setting" is to block Internet access for the root account.

How do I set things up so I can use the Windows mySQL GUI client, without opening up a potential security flaw?

Should I use phpmyadmin? Isn't that a potential security risk?

PostPosted: Mon Oct 17, 2011 12:04 am 
Senior Member

Joined: Mon Aug 31, 2009 2:33 pm
Posts: 78
Location: The OC
MySQL Workbench is a great GUI tool for mysql. You'll want to tunnel the connection over ssh. That way you can keep access to mysql blocked from the internet.

PostPosted: Mon Oct 17, 2011 1:42 am 
Junior Member

Joined: Sat Feb 21, 2009 6:25 pm
Posts: 26
I see now. I figured there was some trick.

Someone should update the LAMP install guide to make that bit clearer.

PostPosted: Mon Oct 17, 2011 11:32 am 
Junior Member

Joined: Sat Feb 21, 2009 6:25 pm
Posts: 26
I have another question. Suppose I follow the instructions on this page.

Do I set up the new_user account so that it's only accessible on localhost? Or, do I set it up so that it's accessible anywhere? I assume localhost, because the connection goes through the tunnel?

PostPosted: Mon Oct 17, 2011 12:39 pm 
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
If the computer you'll be accessing from has a static IP address (an IP that's always the same), you can create a new user that can only be used from that IP, e.g. on your Linode, log in to MySQL and do:
Code:
GRANT ALL PRIVILEGES ON database.* TO 'user_name'@'192.168.1.50' IDENTIFIED BY 'password';

Replace database, user_name (single-quote needed), and 192.168.1.50 (single quotes needed) as needed. The 'IDENTIFIED BY 'password'' bit is only needed if the database user you're using doesn't already exist (if he does, you don't need the 'IDENTIFIED BY' part since he already exists with a password, you're just giving the user permission to log in from IP address 192.168.1.50).

If your access computer's IP address is dynamic (it changes every so often), then doing this is a BAD idea.

Unfortunately, since I don't use Windows, I can't offer any other suggestions. phpMyAdmin can be a security risk, though it should be fine IF AND ONLY IF you use a very strong password for your databases root user and normal user, and you keep phpMyAdmin up to date, though if you're able to go through an ssh tunnel and you don't need to give database access to anybody else, the ssh tunnel would definitely be the best option.

_________________
Kris the Piki Geeker

PostPosted: Mon Oct 17, 2011 1:16 pm 
Senior Member

Joined: Mon Aug 31, 2009 2:33 pm
Posts: 78
Location: The OC
Piki wrote:
If your access computer's IP address is dynamic (it changes every so often), then doing this is a BAD idea.


I think it's a bad idea to open direct connections to mysql at all. IIRC, by default connections to mysql are unencrypted - meaning it wouldn't be difficult for someone to eavesdrop on the connection.

@fsk, yes, only allow from localhost if you're going to be tunneling.

Also, if you choose to use phpMyAdmin... as Piki said, use strong passwords and keep it updated. Also limit where phpMyAdmin can be accessed from and use https otherwise your super secure password will be sent in the clear.
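Added example for the tunnelling advice in this thread (it is not code from any of the posters or from Linode's guide): a loopback-only SSH port forward for the MySQL client or Workbench, plus a check that MySQL on the server only listens on localhost. The login `deploy@linode.example` and local port 3307 are hypothetical placeholders; the my.cnf fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the forum posters' code). Hypothetical values:
# SSH login "deploy@linode.example", local port 3307, MySQL on the Linode's 127.0.0.1:3306.

# tunnel_cmd USER@HOST LOCAL_PORT REMOTE_PORT
# Prints the ssh invocation. Binding the local end to 127.0.0.1 (instead of ssh's
# default wildcard bind) keeps other machines on your LAN from riding the tunnel,
# -N opens no remote shell, and ExitOnForwardFailure makes ssh quit loudly if the
# forward cannot be set up rather than leaving a session with no working tunnel.
tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$2" "$3" "$1"
}

# mysql_bind_ok MY_CNF
# Returns 0 when the effective bind-address is loopback. MySQL honours the LAST
# occurrence of an option in its config file, so the final uncommented line wins.
mysql_bind_ok() {
  addr=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  case "$addr" in
    127.0.0.1|localhost|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo run on a constructed my.cnf fragment written to a temp file (not a real config).
sample=$(mktemp)
printf '[mysqld]\n# bind-address = 0.0.0.0\nbind-address = 127.0.0.1\n' > "$sample"
tunnel_cmd deploy@linode.example 3307 3306
if mysql_bind_ok "$sample"; then
  echo "bind-address: loopback only (ok)"
else
  echo "bind-address: NOT restricted to loopback"
fi
rm -f "$sample"
```

With the tunnel up, the client connects to the local end with `mysql -h 127.0.0.1 -P 3307 -u user_name -p` (using `-h localhost` would make the client try the Unix socket on your own machine instead). Two caveats worth knowing: the connection arrives at MySQL from 127.0.0.1, which matches a `'user_name'@'localhost'` grant only while MySQL can reverse-resolve the address (i.e. `skip_name_resolve` is off); with name resolution disabled, grant to `'user_name'@'127.0.0.1'` instead. And `bind-address = 127.0.0.1` is what actually stops outside hosts reaching port 3306, independent of which user/host pairs exist, so check both.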

PostPosted: Mon Oct 17, 2011 1:40 pm 
Junior Member

Joined: Sat Feb 21, 2009 6:25 pm
Posts: 26
I have a dynamic IP, so that's out. I'll go with tunneling.

I have another security question.

I'm confused about when I was configuring PuTTY. What prevents someone else from downloading PuTTY, and attempting to connect to my Linode as root?

PostPosted: Mon Oct 17, 2011 2:16 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
fsk wrote:
I have a dynamic IP, so that's out. I'll go with tunneling.

I have another security question.

I'm confused about when I was configuring PuTTY. What prevents someone else from downloading PuTTY, and attempting to connect to my Linode as root?


Nothing. That's why you should not allow root to connect via ssh, ever. You should also (if possible) only allow certificates via ssh, not passwords.

PostPosted: Mon Oct 17, 2011 2:22 pm 
Senior Member

Joined: Mon Dec 20, 2010 11:37 pm
Posts: 76
MySQL Workbench already has a TCP over SSH config. You don't have to mess with PuTTY.

http://dev.mysql.com/doc/workbench/en/wb-manage-db-connections-ssh.html

PostPosted: Mon Oct 17, 2011 2:54 pm 
Junior Member

Joined: Sat Feb 21, 2009 6:25 pm
Posts: 26
What's the proper way to secure the root account? Where is the guide for this?

PostPosted: Mon Oct 17, 2011 5:42 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
fsk wrote:
What's the proper way to secure the root account? Where is the guide for this?


/etc/ssh/sshd_config

find PermitRootLogin and set to no

PostPosted: Mon Oct 17, 2011 10:01 pm 
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
An extra way to secure ssh is to use ssh keys. There's a program (I think it's called PuttyGen) to do this for Putty. It's not necessary so long as you use strong ssh passwords, but it can help keep people from trying to brute-force (guess) your ssh password. The downside is if you lose your private key, you'll have to backdoor your Linode via Lish to upload a new public key.

_________________
Kris the Piki Geeker
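Added example covering the two sshd_config changes recommended in this thread (the `PermitRootLogin no` reply and the key-only advice above); it is not code from any poster or from the Ubuntu guides. It reports the value sshd will actually use for a directive, which matters because sshd honours the first occurrence of a directive in the file, so a distribution default left near the top silently wins over a `no` added further down. The sshd_config fragment is constructed for the demo; directives inside a `Match` block are conditional and are deliberately skipped.

```shell
#!/bin/sh
# Added example (not the forum posters' code). Unlike MySQL's config, sshd takes the
# FIRST value it sees for a directive, and anything after a "Match" line is conditional.

# sshd_effective FILE DIRECTIVE -> prints the value sshd uses, or "default" if unset.
# Comments are stripped and the directive name is matched case-insensitively.
# Handles the usual "Directive value" form, not the rarer "Directive=value" form.
sshd_effective() {
  val=$(sed 's/#.*//' "$1" | awk -v key="$2" '
    tolower($1) == "match"      { exit }            # global section ends here
    tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
  ')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'default\n'; fi
}

# sshd_hardened FILE -> 0 only if root SSH login is off AND password auth is off,
# i.e. both settings the thread recommends (no root over ssh, keys instead of passwords).
sshd_hardened() {
  [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] &&
  [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ]
}

# Demo on a constructed sshd_config fragment (not a real file from any system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Shipped default, easy to overlook:
PermitRootLogin yes
PasswordAuthentication no
# Edit added later; has no effect because the line above came first:
PermitRootLogin no
EOF
printf 'PermitRootLogin in effect: %s\n' "$(sshd_effective "$sample" PermitRootLogin)"
if sshd_hardened "$sample"; then echo "hardened"; else echo "NOT hardened"; fi
rm -f "$sample"
```

Before restarting sshd after editing the file, run `sshd -t` to syntax-check the config, keep your current session open, and confirm a fresh login works from a second window; if you do lock yourself out, Lish (mentioned above) is the way back in. Add `PasswordAuthentication no` only after you have verified that your key-based login works.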

PostPosted: Thu Oct 20, 2011 9:45 am 
Senior Newbie

Joined: Sat Aug 07, 2010 12:57 pm
Posts: 16
These two guides may be of use to the original poster:

General SSH options:
https://help.ubuntu.com/community/SSH/O ... onfiguring

SSH Key Auth:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys

If you set up SSH to only allow key authentication, only people with your specific SSH key file can connect, even if they know your password. On Windows, I personally run a VirtualBox VM of Debian locally to generate keys (so I don't have to bother with the Windows tools), and then use the Puttygen tool to convert my SSH key into something Putty can use.

It'll take you a little while to get set up, but once you have it figured out, you'll have rock-solid SSH security :)

And as other users have mentioned, there are zero good reasons to allow direct MySQL connections. It sounds like MySQL does have built-in SSH support; however, if you learn how to tunnel manually over Putty, you can forward anything (such as testing Apache over SSH before allowing general connections, etc.). Either option works.
