[icon type=”mysql”]By default, remote access to the MySQL database server is disabled for security reasons. However, sometimes you need to provide remote access to database server from home or a web server. This post will explain how to setup a user account and access a MySQL server remotely on a Linux or Unix-like systems.
Task: MySQL Server Remote Access
You need type the following commands which will allow remote connections to a mysql server.
Step # 1: Login Using SSH (if server is outside your data center)
First, login over ssh to remote MySQL database server. You may need to login to your MySQL server as the root user:
ssh firstname.lastname@example.org ### login as the root using su or sudo ## su # or use sudo ## sudo -i
OR directly login as root user if allowed:
Step # 2: Edit the my.cnf file
Once connected you need to edit the MySQL server configuration file my.cnf using a text editor such as vi:
- If you are using Debian/Ubuntu Linux file is located at /etc/mysql/my.cnf location.
- If you are using Red Hat Linux/Fedora/Centos Linux file is located at /etc/my.cnf location.
- If you are using FreeBSD you need to create a file /var/db/mysql/my.cnf location.
Edit the /etc/my.cnf, run:
# vi /etc/my.cnf
Step # 3: Once file opened, locate line that read as follows
Make sure line skip-networking is commented (or remove line) and add following line
For example, if your MySQL server IP is 18.104.22.168 then entire block should be look like as follows:
[mysqld] user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp language = /usr/share/mysql/English bind-address = 22.214.171.124 # skip-networking .... .. ....
- bind-address: IP address to bind to.
- skip-networking : Donâ€™t listen for TCP/IP connections at all. All interaction with mysqld must be made via Unix sockets. This option is highly recommended for systems where only local requests are allowed. Since you need to allow remote connection this line should be removed from my.cnf or put it in comment state.
Step# 4 Save and Close the file
If you are using Debian / Ubuntu Linux, type the following command to restart the mysql server:
# /etc/init.d/mysql restart
# systemctl restart mysql
If you are using RHEL / CentOS / Fedora / Scientific Linux, type the following command to restart the mysql server:
# /etc/init.d/mysqld restart
# systemctl restart mysqld
If you are using FreeBSD, type the following command to restart the mysql server:
# /usr/local/etc/rc.d/mysql-server restart
# service mysql-server restart
Step # 5 Grant access to remote IP address
Connect to mysql server:
$ mysql -u root -p mysql
Grant access to a new database
If you want to add a new database called foo for user bar and remote IP 126.96.36.199 then you need to type the following commands at mysql> prompt:
mysql> CREATE DATABASE foo;
mysql> GRANT ALL ON foo.* TO bar@'188.8.131.52' IDENTIFIED BY 'PASSWORD';
How Do I Grant Access To An Existing Database?
Let us assume that you are always making connection from remote IP called 184.108.40.206 for database called webdb for user webadmin, To grant access to this IP address type the following command At mysql> prompt for existing database, enter:
mysql> update db set Host='220.127.116.11' where Db='webdb';
mysql> update user set Host='18.104.22.168' where user='webadmin';
Step # 6: Logout of MySQL
Type exit command to logout mysql:
Step # 7: Open port 3306
You need to open TCP port 3306 using iptables or BSD pf firewall.
A sample iptables rule to open Linux iptables firewall
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your web server located at 10.5.1.3:
/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your lan subnet 192.168.1.0/24:
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT
Finally save all rules (RHEL / CentOS specific command):
# service iptables save
A sample FreeBSD / OpenBSD / NetBSD pf firewall rule ( /etc/pf.conf)
Use the following to open port # 3306 on a BSD based systems:
pass in on $ext_if proto tcp from any to any port 3306
OR allow only access from your web server located at 10.5.1.3:
pass in on $ext_if proto tcp from 10.5.1.3 to any port 3306 flags S/SA synproxy state
Step # 8: Test it
From your remote system or your desktop type the following command:
$ mysql -u webadmin -h 22.214.171.124 -p
- -u webadmin: webadmin is MySQL username
- -h IP or hostname: 126.96.36.199 is MySQL server IP address or hostname (FQDN)
- -p : Prompt for password
You can also use the telnet or nc command to connect to port 3306 for testing purpose:
$ echo X | telnet -e X 188.8.131.52 3306
$ nc -z -w1 184.108.40.206 3306
Connection to 220.127.116.11 3306 port [tcp/mysql] succeeded!