Hi,

I have a MySQL database instance running on a box that is behind a fire-wall. I want to disable some users' access to the database when they are logging in from outside the firewall (internet). I know that it is possible to deny access to static IP addresses at the firewall. However, some of my users can have dynamic IPs (e.g. modem). Is there any way to determine the IP address of the user and deny access if it is not an intranet IP?

Thanks for your help.
soup_or_power@yahoo.com wrote:
> any way to determine the IP address of the user and deny access if it is
> not an intranet IP.

I would use the GRANT statement to give these users access only when connecting from the intranet. For example:

    GRANT ALL PRIVILEGES ON databasename.* TO 'username'@'192.168.0.%' IDENTIFIED BY 'password';

Assuming that your intranet subnet is on 192.168.0, from the perspective of the MySQL server host.

You should REVOKE any other privileges the user has before doing this, or else both sets of privileges will be in effect and the more permissive one will allow them in.

Regards,
Bill K.
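The clean-up that the reply above calls for, written out as an added example that is not part of the original post. It assumes the user's existing permissive account is 'username'@'%' (a hypothetical leftover); the other names are the placeholders from the post.

```sql
-- Added example. 'username', 'databasename', 'password' and 192.168.0.% are the
-- placeholders from the post; the leftover 'username'@'%' account is assumed.

-- 1. List every account that exists for this user name. MySQL treats each
--    'user'@'host' pair as its own account with its own password and privileges.
SELECT User, Host FROM mysql.user WHERE User = 'username';

-- 2. Inspect what the permissive account can do before removing it.
SHOW GRANTS FOR 'username'@'%';

-- 3. Strip its privileges, then drop it. REVOKE alone leaves a USAGE-only
--    account that can still authenticate from any address, so the account
--    itself has to go as well.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'username'@'%';
DROP USER 'username'@'%';

-- 4. Create the intranet-only account. CREATE USER followed by GRANT has the
--    same effect as GRANT ... IDENTIFIED BY and is also accepted by MySQL 8.0,
--    where GRANT can no longer set a password.
CREATE USER 'username'@'192.168.0.%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON databasename.* TO 'username'@'192.168.0.%';

-- 5. Confirm that only the restricted account remains.
SELECT User, Host FROM mysql.user WHERE User = 'username';
SHOW GRANTS FOR 'username'@'192.168.0.%';

-- 6. From a client session: USER() is the name and host the client connected
--    with, CURRENT_USER() is the account row the server matched it to.
SELECT USER(), CURRENT_USER();
```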
>I have a MySQL database instance running on a box that is behind a
>fire-wall. I want to disable some users' access to the database when
>they are logging in from outside the firewall (internet). I know that
>it is possible to deny access to static IP addresses at the firewall.

With a decent firewall at your Internet gateway, you should be able to deny direct access to the database:

- *ANY* connections coming from outside to port 3306.
- Connections coming from outside to port 3306 from any but a short list of known-permitted netblocks.

This does not, however, prevent them from logging in to a host in your intranet via telnet or ssh, then accessing the database from there. To block that you probably block any telnet or ssh connection from outside.

Using the MySQL permissions system, using GRANT you should be able to allow access only from specific netblocks for specific users.

If you are talking about accessing the database *THROUGH A WEB SITE*, unless you cut off the database from the web site entirely, you need to enforce the limits at the web site. There are a number of ways to do this:

- Apache .htaccess files
- Using $REMOTE_ADDR in CGI programs.
- Using $_SERVER['REMOTE_ADDR'] in PHP.

>However, some of my users can have dynamic IPs (e.g. modem). Is there
>any way to determine the IP address of the user and deny access if it is
>not an intranet IP.

Use a white list, not a black list here. You probably know which IPs in your intranet are dialups (you probably don't have your own dialups at all; they belong to your ISP or some other ISP).

Gordon L. Burditt