#1
    http://stealthwd.ca
    Devshed Novice (500 - 999 posts)

    Join Date
    Dec 2005
    Posts
    706
    Rep Power
    203

    Allowable hosts and security


    Hey everyone. We host a bunch of websites through Dreamhost. When you set up a database through Dreamhost you can choose what IP addresses can access the database. Dreamhost has a domain in there for itself, so that the websites can access the database. I've tried to set up a dynDNS address, that is working generally, to put in there, for the office, so that every time our IP address changes I don't need to log in and update the IP address. For some reason our dynDNS address doesn't work with the allowable hosts.

    Anyways, this is my actual question... if I just allow ALL IP addresses to access the database, is that a major security issue? Naturally there are login credentials required to access the database; is this enough security?
  2. #2
    Problem Solver
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2001
    Location
    Stockholm, Sweden
    Posts
    4,480
    Rep Power
    537
    Originally Posted by Dameon51
    I've tried to set up a dynDNS address, that is working generally, to put in there, for the office, so that every time our IP address changes I don't need to log in and update the IP address. For some reason our dynDNS address doesn't work with the allowable hosts.
    Yes, I can imagine that wouldn't work that well, especially since I think that you would get a delay in the DNS PTR updates after you have switched IP address that could screw things up for you.

    Originally Posted by Dameon51
    Anyways, this is my actual question... if I just allow ALL IP addresses to access the database, is that a major security issue? Naturally there are login credentials required to access the database; is this enough security?
    That is a question only you can answer. How sensitive is your data? How long/complicated are your passwords? Do you have common login names in your list of credentials (like root, guest, etc.)?

    The IP address security is an extra precaution and, as an example, most software systems don't have that kind of security and rely solely on a login/password combination.

    But in MySQL you can also set the IP address with a wildcard like '10.0.0.%', and since you usually only get IP addresses from a certain range, you can, for example, set the IP address filter in MySQL so that the 254 neighbouring addresses (10.0.0.%) would have the right to log in (if they had your login/password combo).
    That would mean that you effectively lock out most of the world, but you run a risk that one of your neighbours could issue an attack on your MySQL server, which is usually an OK scenario.

    So depending on how much your data is worth to you, you can choose different levels.
    But generally I would say that you will probably be fine with a long/complicated login/password combination.
    The only problem you have is to teach all the people administering it not to create users like root/root.

    Comments on this post

    • Dameon51 agrees
    /Stefan
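
The host-pattern approach from the reply above, written out as MySQL statements. This is an added example, not code from the thread. The account name `office_admin`, the database `site_db`, the password placeholder and the range `203.0.113.%` (a documentation range standing in for the block the office address is drawn from) are all assumptions, and the statements assume an account allowed to create users and read `mysql.user`; on shared hosting the control panel's allowable-hosts field plays the same role.

```sql
-- Added illustration; every name, password and address below is a constructed placeholder.

-- "Allow ALL IP addresses": host '%' means the password is the only barrier,
-- so any address on the internet can attempt a login for this account.
CREATE USER 'office_admin'@'%'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- Narrower alternative: drop the open account and recreate it with a host
-- pattern covering only the range the office address normally comes from.
-- Addresses outside 203.0.113.x are refused before the password is checked.
DROP USER 'office_admin'@'%';
CREATE USER 'office_admin'@'203.0.113.%'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- Grant only what the office actually needs, on one database,
-- rather than global privileges.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON site_db.*
    TO 'office_admin'@'203.0.113.%';

-- Audit 1: accounts reachable from any address.
SELECT user, host
FROM mysql.user
WHERE host = '%'
ORDER BY user;

-- Audit 2: common or anonymous login names that are allowed to connect
-- from somewhere other than the server itself (the root/guest concern above).
SELECT user, host
FROM mysql.user
WHERE user IN ('root', 'guest', '')
  AND host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY user, host;
```

MySQL treats each user/host pair as a separate account, so both audit queries need to come back empty or expected before the restriction can be relied on.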
  4. #3
    http://stealthwd.ca
    Devshed Novice (500 - 999 posts)

    Join Date
    Dec 2005
    Posts
    706
    Rep Power
    203
    Thanks, that's more or less the answer I was expecting. I still wish the dynDNS would work. Our address only changes like once a month, if that. Anyways, thanks for the info!
