MariaDB through SSH tunnel only possible using admin account


Regarding the firewall, at the moment I do not use Docker and I only use the DSM builtin firewall. The rules are set quite tight. There is also a NAT / SOHO router between NAS and the internet with the bare minimum ports open needed to access services on the NAS like port 21, 80, 443, 1194, 5001, 6690 and 55536-55899. All is well when using DSM builtin MariaDB. No issues.

The issues started when I deployed the official MariaDB Docker instance. I have a bad experience with the Docker setup. The MariaDB Docker should not phone home, or whatever it was doing at 20 mbit/s.
 
minimum ports open needed to access services on the NAS like port 21, 80, 443, 1194, 5001, 6690 and 55536-55899

just pin there a transparent:
[image: "you are welcome" transparent PNG]


... here are a few people who will be happy to help you set up security so you don't have to leave the door wide open. It would just take more modesty from you.
Same for the Docker performance - you can't blame the Docker deployment when you don't understand this environment.
We all learn here, all our lives.
 
I'm not exactly sure what's been going on here. But I thought that the Docker approach was on the side for the moment and that the necessary access had been achieved. Personally I wouldn't permit SSH from the Internet, rather establish a VPN connection to the router or NAS and then establish the SSH session. To permit SFTP I use a different TCP port than that configured for SSH.

If @frankhe doesn't want to continue with Docker then there's no point in pushing it, and no reason to take umbrage. The exchanges have been perfectly well mannered. Maybe I've misread this.
 
I'm not exactly sure what's been going on here. But I thought that the Docker approach was on the side for the moment and that the necessary access had been achieved. Personally I wouldn't permit SSH from the Internet, rather establish a VPN connection to the router or NAS and then establish the SSH session. To permit SFTP I use a different TCP port than that configured for SSH.

If @frankhe doesn't want to continue with Docker then there's no point in pushing it, and no reason to take umbrage. The exchanges have been perfectly well mannered. Maybe I've misread this.

My question was solved long time ago. Thank you again for that.

SSH is a pretty standard protocol to use for tunnelling to a (MySQL/MariaDB) database. In my case I use a client called Navicat. I made sure I am using a custom port which I am not going to disclose here. Port 22 is totally stealth.

I also use OpenVPN for tunnelling, but this works for my workstation as a whole. The advantage of SSH-tunnelling to connect to MariaDB is that it is application based and it therefore gives me more flexibility. For instance connecting to multiple databases on multiple sites at once. This would not work in the same way when using VPN tunnelling.

I would love to learn more about securing my devices but I do need people from the outside world to be able to access services on the NAS. I think I have the bare minimum of ports open to run FTP, a web service, OpenVPN server and Synology Drive client sync. All these services use SSL / TLS connection encryption and I do not see how this is a problem. The whole world is connected using SSL / TLS. I do not see how this can be considered to be wide open? I do not consider an air gap to be very realistic.

As a PHP developer I am indeed not an expert on Docker and I would actually expect the DSM firewall to take care of securing outside network traffic to DSM Docker. If someone is telling me that Docker is not behind the DSM firewall then I might think twice before using it. I would like to see simplicity. Maintain one firewall. Not maintain extra firewalls for Docker containers.

I am perfectly happy with the current situation using the Synology MariaDB package. I do not need Docker. I tested a Docker - MariaDB instance and it went pear shaped. I am not planning to go down that road at the moment.
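The SSH-tunnel setup described above (one forward per database, several sites at once, SSH on a custom port) as a worked example. This is an added example, not code from the thread or from Synology; the host names, the SSH port 22022 and the local ports 3307/3308 are hypothetical. Each forward binds only to 127.0.0.1 on the workstation, so the tunnelled database is not reachable from the rest of the LAN, and MariaDB on the NAS can keep listening on 127.0.0.1:3306 only, so port 3306 never needs a firewall rule.

```shell
#!/bin/sh
# Added example: build ssh local-port-forward commands for several MariaDB
# instances at once, each on its own local port. Hypothetical inventory below.

# Constructed sample inventory (not real hosts), one forward per line:
# "<local port> <ssh user@host> <ssh port on the NAS>"
TUNNELS='
3307 dbadmin@nas-home.example.net 22022
3308 dbadmin@nas-office.example.net 22022
'

# Accept only a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for one forward.
#  -N                            open no remote shell, forward only
#  -o ExitOnForwardFailure=yes   fail loudly instead of running without the forward
#  -L 127.0.0.1:LP:127.0.0.1:3306  listen on the loopback of the workstation only
tunnel_cmd() {
  local_port=$1; target=$2; ssh_port=$3
  valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
  valid_port "$ssh_port"   || { echo "bad ssh port: $ssh_port" >&2; return 1; }
  printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:127.0.0.1:3306 %s\n' \
    "$ssh_port" "$local_port" "$target"
}

# Emit one command per inventory line and refuse duplicate local ports,
# which would otherwise make the second tunnel silently fail to bind.
all_tunnel_cmds() {
  seen=" "
  echo "$TUNNELS" | while read -r lp target sp; do
    [ -z "$lp" ] && continue
    case "$seen" in
      *" $lp "*) echo "duplicate local port $lp" >&2; exit 1 ;;
    esac
    seen="$seen$lp "
    tunnel_cmd "$lp" "$target" "$sp"
  done
}

# Usage: run each printed command in the background (or a terminal of its own),
# then point the client at the local end, e.g.
#   mysql --protocol=TCP -h 127.0.0.1 -P 3307 -u appuser -p
all_tunnel_cmds
```

Connecting two Navicat profiles to 127.0.0.1:3307 and 127.0.0.1:3308 then reaches the two NAS databases concurrently, which is the per-application flexibility the post contrasts with a whole-workstation VPN.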
 
My question was solved long time ago. Thank you again for that.
Thought so, and you're welcome.

Using the DSM firewall you can use geo-location (country) based source IP rules to either allow from a few countries or deny from some. Of course people do use VPN services to appear to be from a country other than their actual one, but this can reduce some of the unwanted incoming requests. You can also use the Auto Block feature (can't remember if this is applied to SSH or not).

If you haven't already then you may want to investigate additional protection by using a router/firewall that has intrusion detection and prevention features (IDPS). This will act on the connections that are permitted by the firewall policy but trigger malicious and undesired behavioural events. You can then decide whether to block or just alert/log the attempt.

I'm not going to push Synology's SRM routers at you but the Threat Prevention package does a good job of denying/alerting connections that would otherwise have reached my NAS. There are other vendor options for home (I think Netgear have them) and business (the main names all have it, e.g. Check Point, Fortinet, and Palo Alto). If you're in business then you may already be using such a device.