[BlueOnyx:15519] Re: MySQL Tunneling SSH

Michael Stauber mstauber at blueonyx.it
Mon Jun 9 14:52:00 -05 2014


Hi Matt,

> Last night, I performed some overdue yum updates to one of our dev
> servers.  Since the update, using SSH tunneling to log in to MySQL
> has stopped working.  The error I get is: Lost connection to MySQL
> server at 'reading initial communication packet', system error: 0.

Yeah, we turned that off as there was a creative way to use TCP
forwarding for spamming. It still required that someone knew or had
brute-forced login details of a user. But once they had it, they could
use TCP forwarding to send SPAM as that user even if the user in
question had no shell access. Which then was pretty difficult to detect
based on the logfiles alone.

See: "[BlueOnyx:15118]  OpenSSL (CenOS-6.5/SL-6.5) CVE-2014-0160" and
following.

You can enable TCP forwarding on a per user basis as outlined here:
"[BlueOnyx:15096] Re: Securing against invading spammers"

It is possible to set certain SSH options on a per-user basis in
sshd_config - such as this:

Match User xyz
       X11Forwarding no
       AllowTcpForwarding yes

That would allow TCP forwarding for user "xyz", but for nobody else.

-- 
With best regards

Michael Stauber
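
Added example, not part of the original message and not BlueOnyx code: a small Python check that reads sshd_config text and reports which AllowTcpForwarding value applies to a given user, following the "Match User" override described above. The sample config is constructed, the function names are hypothetical, and only "Match User" criteria are evaluated.

```python
import re

# Constructed sample: forwarding off globally, re-enabled for one user.
# "xyz" is the placeholder user name from the message above.
SAMPLE_CONFIG = """\
AllowTcpForwarding no
Match User xyz
       X11Forwarding no
       AllowTcpForwarding yes
"""

def _glob(pattern, text):
    """sshd-style pattern: '*' and '?' are the only wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def user_matches(pattern_list, user):
    """Comma-separated pattern list; a matching '!pattern' always rejects."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _glob(pat[1:], user):
                return False
        elif _glob(pat, user):
            matched = True
    return matched

def tcp_forwarding_for(config_text, user):
    """Effective AllowTcpForwarding for `user` (sshd default: yes). Assumption:
    only 'Match User <patterns>' is evaluated; other criteria never apply."""
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            in_match = True
            applies = (len(words) == 3 and words[1].lower() == "user"
                       and user_matches(words[2], user))
        elif key == "allowtcpforwarding" and len(words) > 1:
            value = words[1].lower()
            if in_match and applies and match_value is None:
                match_value = value      # first matching block wins
            elif not in_match and global_value is None:
                global_value = value     # first global occurrence wins
    return match_value or global_value or "yes"
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C` connection specification) reports the effective values directly.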


