
Either use iptables to lock it down to a particular IP or set of IPs, or set up ssh tunnelling to expose a remote mysql server as a local port. You should assume mysql is insecure and needs protecting.


You're just swapping one exposed service for another in that case. I.e., OpenSSH instead of MySQL.

On the other hand, I'd trust OpenSSH more than MySQL.


Well, you're reducing the exposed services from two (mysql + ssh), to one (ssh). Which is always a good idea.

Also agreed. I'd trust OpenSSH to do security better than MySQL.


Having OpenSSH running is pretty much essential for any machines you remotely administer. Some things you can do: disable password auth, use public keys. Disallow root logins. Listen on a non-standard port. Configure a hardened "jumphost" as your interface between your machines and the outside world.


Only if you make the assumption that SSH is already exposed. Which most of the time, it doesn't need to be.


Also: SSH is considerably more battle-tested in this configuration. There's a lot to be said for being aligned with how the developers imagine a program is used.



