I have been using the following method for securing connections from client to database

Client Web Server Side:
box1# /usr/local/sbin/stunnel -c -p /usr/local/ssl/certs/stunnel.pem -d 127.0.0.1:3306 -r 10.10.10.5:3306

Server MySQL Side:
box2# /usr/local/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d 10.10.10.5:3306 -r 127.0.0.1:3306
/usr/local/bin/safe_mysqld --bind-address=127.0.0.1

If you start mysql only on the 'lo' interface then the only way to talk to it is with a stunnel connection from the ethX to lo, protecting mysql to only talking ssl. Otherwise you will have to change the ports. Then have your database interactions go to 127.0.0.1:3306.

Hope this helps.

"Thomas T. Veldhouse" wrote:

> Did you try telnet to it? Maybe it is from MySQL permissions?
>
> Also, try localhost instead of hermes.
>
> ssh -L 13306:localhost:3306 bender.sistina.com
> mysql -h localhost -P 13306 -u$USERNAME --p$PASSWORD
>
> Tom Veldhouse
> veldy at veldy.net
>
> ----- Original Message -----
> From: "Ben Lutgens" <blutgens at sistina.com>
> To: <tclug-list at mn-linux.org>
> Sent: Thursday, March 08, 2001 4:33 PM
> Subject: Re: [TCLUG] tuneling mysql though ssh
>
> On Thu, Mar 08, 2001 at 03:51:55PM -0600, Thomas T. Veldhouse wrote:
> >I may miss what you are doing (I use the SSH2 client from ssh.com).
> >
> >But I think you want:
> >
> >ssh -L 13306:hermes.sistina.com:3306 bender.sistina.com
> >mysql -h hermes.sistina.com -P 13306 -u$USERNAME --p$PASSWORD
>
> I did this exactly as above and still get ERROR 2203: Can't connect to
> MySQL server on 'hermes.sistina.com' (111)
>
> Also when I do it this way with (for example) ftp ports I can't connect at
> all. I am pretty sure the first part is
> localport:remotehost:remoteport
>
> >
> >Is there any reason you can't just use 3306 on hermes as well? So ...
> >
> >ssh -L 3306:hermes.sistina.com:3306 bender.sistina.com
> >mysql -h hermes.sistina.com -u$USERNAME --p$PASSWORD
> >
> >
> >Tom Veldhouse
> >veldy at veldy.net
> >
> >----- Original Message -----
> >From: "Ben Lutgens" <blutgens at sistina.com>
> >To: <tclug-list at mn-linux.org>
> >Sent: Thursday, March 08, 2001 3:00 PM
> >Subject: [TCLUG] tuneling mysql though ssh
> >
> >Hi all, we wanna secure the way our webserver talks to our database. We'd
> >like for all mysql work to be done through an ssh tunnel. I found very little
> >documentation on this save a few mailing list posts. Essentially here's what
> >I am doing.
> >
> >1.) in one terminal from hermes.sistina.com
> >ssh -L 13306:bender.sistina.com:3306 bender.sistina.com sleep 20
> >
> >2.) then from another shell on the same machine
> >mysql -h hermes.sistina.com -P 13306 -u$USERNAME --p$PASSWORD
> >
> >I have tried the tunnel with ftp, telnet, and I get my mail from my imap
> >server this way with fetchmail but for some reason I get
> >ERROR 2003: Can't connect to mysql server on 'hermes' (111)
> >
> >It's my understanding that with the ssh command above anything trying to
> >connect to port 13306 on the local machine is transparently pushed through
> >the tunnel to the port on the other end (in this case 3306 the default mysql
> >port)
> >
> >When I do this with ftp, I can connect, login and all is well. But I get
> >illegal port command errors. My research has told me that wu-ftpd don't
> >like when you tunnel to it.
> >
> >Has anyone done this before? Is there a better way to secure database
> >transactions?
> >
> >
> >_______________________________________________
> >tclug-list mailing list
> >tclug-list at mn-linux.org
> >https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
> --
> Ben Lutgens cell: 612.670.4789
> Sistina Software Inc. work: 612.379.3951
> Code Monkey Support (A.K.A. System Administrator)
>
> "It's hard to believe that's the same frail woman who once sprained her
> wrist from having too much dip on a cracker!" -- Frazier Crane
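
Added example, not part of the thread: a check for the box2 layout in the stunnel reply above, where mysqld is meant to listen on loopback only while stunnel holds 10.10.10.5:3306. It assumes a Linux host with iproute2's `ss`; the function name `check_loopback_only`, the default process name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ss -ltnp` output on stdin and
# prints every non-loopback address:port on which the named process listens.
# Exit status: 0 if the process is loopback-only, 1 if it is exposed.
check_loopback_only() {
    awk -v name="${1:-mysqld}" '
        $1 == "LISTEN" && index($0, "\"" name "\"") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)    # strip the :port suffix
            gsub(/^\[|\]$/, "", addr)    # strip IPv6 brackets
            sub(/%.*$/, "", addr)        # strip an interface scope such as %lo
            if (addr !~ /^127\./ && addr != "::1") {
                print $4
                exposed = 1
            }
        }
        END { exit exposed + 0 }'
}

# Constructed sample of `ss -ltnp` on box2: mysqld on loopback, stunnel on
# the external address, as in the reply above.
SAMPLE_BOX2='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=812,fd=21))
LISTEN 0      128    10.10.10.5:3306    0.0.0.0:*         users:(("stunnel",pid=640,fd=7))'

if printf '%s\n' "$SAMPLE_BOX2" | check_loopback_only mysqld; then
    echo "mysqld: loopback only, traffic must arrive through the tunnel"
else
    echo "mysqld: reachable without the tunnel"
fi

# On a live host (root is needed for -p to show other users' processes):
#   ss -ltnp | check_loopback_only mysqld
```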