Limiting mysql port forward connection

#2799
Posted: 04/27/2007 08:12:04
by steve orford (Standard support level)
Joined: 03/07/2007
Posts: 22

Two questions:
1. I've used local port forwarding to get a connection up to the server. That now works as it should if I use separate connection and MySQL exes. If I put the SSH connection in the same program that uses MySQL, it times out. Suggestions?

2. Is it possible to limit the availability of the connection to third-party software? For instance, if I run my software and then Toad, I can connect to the MySQL box in Toad, which is what I really don't want users to do (third-party users, not in our company).
#2800
Posted: 04/27/2007 08:39:53
by Ken Ivanov (EldoS Corp.)

Quote
1. I've used local port forwarding to get a connection up to the server. That now works as it should if I use separate connection and MySQL exes. If I put the SSH connection in the same program that uses MySQL, it times out. Suggestions?

It is a common problem caused by the way in which the MySQL library uses sockets. Unfortunately, there's no solution at the moment for the .NET edition. The VCL edition should work correctly.

Quote
2. Is it possible to limit the availability of the connection to third-party software? For instance, if I run my software and then Toad, I can connect to the MySQL box in Toad, which is what I really don't want users to do (third-party users, not in our company).

Would a firewall be a better solution for this?

Actually, with the high-level forwarding classes you can access information about the remote endpoint (via the corresponding socket object) using the TElSSHForwardedConnection.Socket property. It can be checked inside the TElSSHLocalPortForwarding.OnConnectionOpen event handler.
#2801
Posted: 04/27/2007 09:03:48
by steve orford (Standard support level)
Joined: 03/07/2007
Posts: 22

I'm using the VCL edition. I'll check everything again to make sure I've set it up correctly.

As far as a firewall is concerned, it's not really possible. We have many users from different locations using our server. I want to use SSH and port forwarding to make the connection, but don't want the end user to then be able to browse the database using another third-party piece of software. How does information about the TElSSHForwardedConnection.Socket property change this?
#2803
Posted: 04/27/2007 10:51:08
by Ken Ivanov (EldoS Corp.)

Quote
I'm using the VCL edition.

Please consider using the dbExpressForwarding sample application as a guide. It should work with the MySQL library correctly.

Quote
I want to use SSH and port forwarding to make the connection, but don't want the end user to then be able to browse the database using another third-party piece of software.

I am not sure that I understand you right. What do you mean by 'third-party software'? Is it a third-party SSH forwarding tool, or a third-party database client, or something else? It is important to find the level at which third-party users have to be rejected.
#2804
Posted: 04/27/2007 12:20:09
by steve orford (Standard support level)
Joined: 03/07/2007
Posts: 22

I was using the simpleportforwarding sample app as a guide up to this point. I'm using Corelabs drivers, but I'll check out the dbExpress one too.

I'm interested in stopping users from using the secure connection set up within the application to then use any MySQL client (Toad, third-party query tools) to gain access to the underlying database. We want to give access to the data, not the data structure, if at all possible. I really don't want people running queries other than through my app.
#2806
Posted: 04/28/2007 03:27:17
by Ken Ivanov (EldoS Corp.)

Thank you for the explanation, I got the idea.

Unfortunately, we cannot help you with it. The SSH forwarding client works like a transparent proxy, reading data from incoming connections and then sending it to the SSH server (which, in turn, sends it to the destination server). The SSH client does not 'know' what kind of data is being transferred (i.e., whether it is SQL, HTTP or, e.g., SMTP traffic). So it is the task of the user application (i.e., *your* application) to check whether the data being forwarded was produced by your database client or by a third-party database client.

As a quick-and-dirty solution, we can recommend that you insert some custom identifier (a 'magic value') into the requests generated by your client application and check this value in the SSH forwarding application before passing the request to the TElSSHTunnelConnection.SendData() method.
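The two checks suggested in this thread, the remote-endpoint check from post #2800 (the OnConnectionOpen / Socket idea) and the 'magic value' check from post #2806, modelled together in Python as an added example. This is not SecureBlackbox code and not code from any post above; the names MAGIC, is_loopback, strip_magic, Gate and the sample byte strings are constructed for the example, and the forwarder callable stands in for the SendData() hand-off.

```python
"""Gatekeeper for a local port-forwarding listener (constructed example).

Models an OnConnectionOpen-style handler that (1) looks at the peer
address of an accepted connection and (2) requires an application-
specific prefix (the 'magic value') before any bytes are handed to the
tunnel.  Names and sample data below are assumptions for this example.
"""
import socket
from typing import Callable, List, Optional, Tuple

# Assumed prefix that only the cooperating client application sends first.
MAGIC = b"MYAPP\x00v1\x00"


def is_loopback(peer: Tuple[str, int]) -> bool:
    """Endpoint check: accept only connections that originate on this host.
    This cannot tell *which* local program connected; a third-party client
    running on the same machine also arrives from 127.0.0.1."""
    return peer[0] in ("127.0.0.1", "::1")


def strip_magic(first_bytes: bytes) -> Optional[bytes]:
    """Return the payload after MAGIC, or None if the prefix is absent."""
    if first_bytes.startswith(MAGIC):
        return first_bytes[len(MAGIC):]
    return None


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early only on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


class Gate:
    """Decides, per accepted connection, whether to open the tunnel."""

    def __init__(self, forwarder: Callable[[bytes], None], timeout: float = 2.0):
        self.forwarder = forwarder      # stand-in for the tunnel's SendData()
        self.timeout = timeout          # MySQL clients wait for the server
        self.rejected: List[Tuple[Tuple[str, int], str]] = []  # greeting, so never block forever

    def _reject(self, sock: socket.socket, peer, reason: str) -> bool:
        self.rejected.append((peer, reason))
        sock.close()
        return False

    def on_connection_open(self, peer: Tuple[str, int], sock: socket.socket) -> bool:
        """Return True if the connection was handed to the tunnel, else False."""
        if not is_loopback(peer):
            return self._reject(sock, peer, "non-local peer")
        sock.settimeout(self.timeout)
        try:
            head = recv_exact(sock, len(MAGIC))
        except (socket.timeout, OSError):
            return self._reject(sock, peer, "no data before timeout")
        payload = strip_magic(head)
        if payload is None:
            return self._reject(sock, peer, "missing magic value")
        # Admitted. A real forwarder would now pump bytes in both directions;
        # here we drain what the client already sent and pass it on once.
        rest = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            rest += chunk
        self.forwarder(payload + rest)
        sock.close()
        return True


def demo() -> dict:
    """Three constructed connections: cooperating client, third-party
    client without the prefix, and a non-local peer."""
    forwarded: List[bytes] = []
    gate = Gate(forwarded.append)

    a, b = socket.socketpair()              # cooperating client
    a.sendall(MAGIC + b"SELECT 1")
    a.shutdown(socket.SHUT_WR)
    ok1 = gate.on_connection_open(("127.0.0.1", 51000), b)
    a.close()

    c, d = socket.socketpair()              # third-party client, no MAGIC
    c.sendall(b"\x20\x00\x00\x01\x85\xa6\x03\x00")   # constructed bytes
    c.shutdown(socket.SHUT_WR)
    ok2 = gate.on_connection_open(("127.0.0.1", 51001), d)
    c.close()

    e, f = socket.socketpair()              # remote peer, never read
    ok3 = gate.on_connection_open(("10.0.0.5", 40000), f)
    e.close()

    return {"admitted": [ok1, ok2, ok3],
            "forwarded": forwarded,
            "rejected": [reason for _, reason in gate.rejected]}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should weigh before relying on this. The MySQL protocol is server-greeting-first: a stock driver sends nothing until it has received the server's handshake packet, so the prefix has to be injected by the application before the driver starts talking (for instance by opening the socket itself), and the read above carries a timeout so that a client which never sends the prefix cannot hang the listener. More importantly, both checks are client-side obfuscation rather than an authorization boundary: the loopback test cannot tell one local program from another, and anyone who can run the application can recover the magic value and prepend it for Toad with a trivial wrapper. Access that must hold against the end user has to be enforced at the MySQL server, for example by connecting the application as an account that has only EXECUTE on stored procedures or SELECT on views, so that any client that reaches the tunnel can do no more than the application itself could.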