From: Davide M. <da...@ms...> - 2017-09-12 14:01:35
> -----------Bill Shirley---------------------
> On 2017-09-11 19:01 Bill Shirley wrote:
> Both are good suggestions: block all IP addresses at the firewall except your slave,
> configure MySQL SSL. See:
>
> https://www.mail-archive.com/sho...@li.../msg20502.html
>
> Of course, you'll have to create the certificates and tweak the values in the
> CHANGE MASTER.
>
> Bill
> [..]
> -----------Phil Stracchino-------------------
> If your replication traffic goes outside your firewall, consider
> requiring SSL on the replication connection. You will have to configure
> this on both the master and the slave.
>

Thanks Bill and Phil, you're perfectly right; in fact I have already configured (initially) both the SSL connection and the SSL user!

>> -----------Dominic Benson-------------------
>> [..]
>> If you haven't already (not sure from the wording of your original post)
>> you should also restrict the rule to just the source IP of the replica,
>> otherwise you're bound to get a lot of attempts to break in to the
>> database.

I have not thought about this. Could the following example (my servers are directly connected to the net) work?

# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION   SOURCE        DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                      PORT   PORT(S)   DEST       LIMIT   GROUP
ACCEPT    net:1.2.3.4   fw     tcp     3306

Many many thanks to all!

Davide
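Added example, not part of the message above and not Shorewall project code: a small audit that reads a Shorewall `rules` file and reports ACCEPT rules that open the MySQL port to a whole zone instead of a single host such as `net:1.2.3.4`. It assumes the plain ACTION/SOURCE/DEST/PROTO/DEST PORT column layout; macros, continuation lines and IPv6 are not handled, and the sample rules and function names are constructed for illustration.

```python
# Added example: find Shorewall ACCEPT rules that expose a port to a whole zone.
# SAMPLE is constructed test input, not a real configuration.
SAMPLE = """\
#ACTION  SOURCE         DEST  PROTO  DEST PORT
ACCEPT   net:1.2.3.4    fw    tcp    3306
ACCEPT   net            fw    tcp    22,3306
ACCEPT   net            fw    tcp    3300:3310   # range covers 3306
DROP     net            fw    tcp    3306
ACCEPT   loc            fw    tcp    80
"""

def port_matches(dport, port):
    """True if a DEST PORT(S) field (list, low:high range, '-') covers port."""
    for item in dport.split(","):
        if item == "-" or item == str(port) or (port == 3306 and item == "mysql"):
            return True
        low, sep, high = item.partition(":")
        if sep and (low or "0").isdigit() and (high or "65535").isdigit():
            if int(low or 0) <= port <= int(high or 65535):
                return True
    return False

def source_is_open(source):
    """True if SOURCE is a bare zone (or all/any) with no host restriction."""
    _zone, sep, hosts = source.partition(":")
    return not sep or hosts in ("", "0.0.0.0/0")

def audit_rules(text, port=3306):
    """Return (line number, source, dest, dport) for each over-broad ACCEPT."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("?"):     # blank or ?SECTION directive
            continue
        cols = line.split()
        if len(cols) < 3:
            continue
        cols += ["-"] * (5 - len(cols))          # omitted columns mean "any"
        action, source, dest, proto, dport = cols[:5]
        if action.split(":")[0].rstrip("+!") != "ACCEPT":
            continue
        if proto.lower() not in ("tcp", "6", "all", "-"):
            continue
        if port_matches(dport, port) and source_is_open(source):
            findings.append((lineno, source, dest, dport))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE):
        print("over-broad rule at line %d: %s -> %s port %s" % finding)
```
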