Editing Software setup for db-class (section)

== MySQL ==

Ubuntu commands:
<pre>$ sudo apt-get install mysql-server mysql-common mysql-client</pre>

Fedora Core 15 commands:
<pre>[ptay@robot logs]$ sudo yum groupinstall "MySQL Database"
[sudo] password for ptay: 

//////////////omitting text/////////////////////

Installed:
  MySQL-python.x86_64 0:1.2.3-1.fc14                                            
  libdbi-dbd-mysql.x86_64 0:0.8.3-6.fc14                                        
  mysql.x86_64 0:5.1.58-1.fc14                                                  
  mysql-connector-odbc.x86_64 0:5.1.5r1144-7.fc13                               
  mysql-server.x86_64 0:5.1.58-1.fc14                                           
  perl-DBD-MySQL.x86_64 0:4.017-1.fc14                                          
  unixODBC.x86_64 0:2.2.14-12.fc14                                              

Dependency Installed:
  libdbi.x86_64 0:0.8.3-4.fc14        libdbi-drivers.x86_64 0:0.8.3-6.fc14     
  perl-DBI.x86_64 0:1.613-1.fc14     

Complete!</pre>

'''Enable MySQL at specific run levels'''

Note: I did 3 & 5
<pre>[ptay@robot logs]$ sudo chkconfig --level 35 mysqld on
[ptay@robot logs]$ chkconfig --list | grep -i mysqld
mysqld          0:off   1:off   2:off   3:on    4:off   5:on    6:off</pre>

'''Start MySQL daemon (mysqld)'''

As root
<pre>
[root@robot ~]# service mysqld restart
Stopping mysqld:  [  OK  ]
Initializing MySQL database:  Installing MySQL system tables...
OK

//////////////omitting text/////////////////////

Starting mysqld:  [  OK  ]</pre>

'''Run MySQL secure installation script'''

As root
<pre>[root@robot ~]# /usr/bin/mysql_secure_installation

//////////////omitting text/////////////////////

Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!</pre>

'''Test MySQL'''

As any user
<pre>[root@robot ~]# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.1.58 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
+--------------------+
2 rows in set (0.00 sec)

mysql> create database test;
Query OK, 1 row affected (0.01 sec)
mysql> use test
Database changed
mysql> use test;
Database changed
mysql> drop table if exists T;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> create table T (A text, B text);
insert into T values ('Hello,', 'world!');
select * from T;Query OK, 0 rows affected (0.06 sec)

mysql> insert into T values ('Hello,', 'world!');
Query OK, 1 row affected (0.00 sec)

mysql> select * from T;
+--------+--------+
| A      | B      |
+--------+--------+
| Hello, | world! |
+--------+--------+
1 row in set (0.00 sec)

mysql> \q
Bye</pre>

=== Set up MySQL for remote access ===

MySQL supports TCP/IP for remote connectivity. I set up MySQL server to accept TCP connections (unsecure) on my local area network (trusted network) & SSH for remote connections.

==== Update firewall ====

By default iptables will not be allowing TCP port 3306 (default port for mysql server).

Confirm if 3306 is in iptables
<pre># # cat /etc/sysconfig/iptables | grep 3306
#</pre>

Add rule to allow TCP connections from particular local area network [you insert your IP address & subnet for your setup]
<pre># iptables -A INPUT -p tcp -s 192.168.1.0/24 -m state --state NEW -m tcp --dport 3306 -j ACCEPT</pre>

If you want to allow TCP connections from any network you can use this command
<pre># iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT</pre>

'''NOTE: Use one of the rules above not both.'''

Save the iptables rules to make them persistent [RHEL/CentOS/Fedora Core support this command] 
<pre># /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]</pre>

Confirm new rule was added to configuration file 
<pre># cat /etc/sysconfig/iptables | grep 3306
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT</pre>

Restart iptables
<pre># service iptables restartiptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]</pre>

===== Trouble shooting firewall =====

You may need to move your rule above another rule that rejects your MySQL traffic. Use text editor to move your new rule above other rule in /etc/sysconfig/iptables

To quickly trouble shoot firewall issue simply disable firewall & test MySQL connection. If MySQL connectivity works then double check your firewall rules.

Disable IPtables: <code># service iptables stop</code>

Enable IPtables:  <code># service iptables start</code>

'''Enable iptables when you're done testing connection!!!'''

==== Update SSH server ====

SSH server must be configured to support TCP forwarding.

Check that AllowTcpForwarding is enabled in ssh daemon configuration
<pre>[root@robot ~]# cat /etc/ssh/sshd_config | grep -i tcpforwarding
AllowTcpForwarding yes</pre>

If AllowTcpForwarding is set to '''no''' use text editor to change & save setting then restart sshd
<pre># vi /etc/ssh/sshd_config
# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]</pre> 

==== Update SELinux ====

Unable to connect MySQL client over tunnel using SSH when firewall & SSH server configured? Check SELinux!

The ssh client might produce some error with SSH_OPEN_ADMINISTRATIVELY_PROHIBITED message in it.

You may also see an error message in /var/log/secure on the SSH server that looks like this:
<pre>error: connect to 192.168.1.2 port 3306 failed: Permission denied</pre>

Verify enforcement level of SELinux
<pre>$ getenforce
Enforcing</pre>
Enforcing means SELinux is configured & enforcing SELinux policies

Verify SELinux sshd forward port connections setting
<pre># semanage boolean -l | grep sshd
sshd_forward_ports             -> off   allow sshd to forward port connections</pre>

Set SELinux sshd to allow forward port connections persistently
<pre># setsebool -P sshd_forward_ports on</pre>

Verify SELinux sshd forward port connections setting
<pre># semanage boolean -l | grep sshd
sshd_forward_ports             -> on    allow sshd to forward port connections</pre>

==== Test MySQL connectivity tunneling through SSH ====

On my Window clients I use a handy utility called [http://www.bitvise.com/tunnelier Bitvise Tunnelier]. Complete Login & C2S Forwarding tab in Bitvise.

* Login tab
** Host = hostname or IP address of your SSH server
** Port = 22
** Username = user name on SSH server
** Password = user name password on SSH server
* C2S Forwarding tab (select Add)
** Status = enabled
** Listen Interface = 127.0.0.1
** List. Port = 3307
** Destination Host = hostname or IP address of MySQL server (mine was private IP address as I connect to public IP from Login tab then forward to private IP)

On Linux clients use terminal.
<pre>$ ssh -v -f -N -L 3307:192.168.1.2:3306 username@hostname_of_mysql_server</pre>

Launch your MySQL client.

Your MySQL client should connect to localhost or 127.0.0.1 over port 3307 (or any port you used in ssh command above).

Your local machine will accept port 3307 traffic and forward that to MySQL server over secure encrypted SSH tunnel. SSH server will perform TCP forwarding of your 3307 port to 3306 on MySQL server.

<center>[[My db-class.org notes|To My db-class.org notes]]</center>