MySQL Access Hosts Range

[carljohanlarsson]

Hi, Im trying to add a range to MySQL Access Hosts.

I can add for example 11.11.11.% but I cant add 11.11.%.%.

This seems a bit weird to me, I'm I missing something?

 

[Richard G]

Seems the % wildcard can only be used at one position. However, you could do something like %.hostname.com or if you need an ip range, it should be possible to use a subnet, at lease since mysql 8.0.23.

Which version Mysql are you on, and is it mysql or MariaDB?

 

[carljohanlarsson]

Thanks,
Its 10.5.16-MariaDB
OK, but if I can only use that in one position, then how can I for example whitelist 142.251.74.0/23, if I understand that correctly, that should be entered as 142.251.%.%, or have I misunderstood something (I really don't know what im doing)?

 

[Richard G]

I'm no Mysql guru, but I found several examples like this on the internet:
GRANT ALL PRIVILEGES ON database.* TO 'user'@'81.10.20.1/255.255.255.240';

Another way is to whitelist 142.251.74.0/23 for port 3306 in the firewall.

 

[carljohanlarsson]

Hi Richard, thanks. I just solved it. I found a way to write 142.251.74.0/23 with a subnet mask instead so DirectAdmin accepts the input. I don't really know what Im doing but it woks

 

[Richard G]

Oh that is nice. Exactly how did you write it now? Might be usefull to know for people running in to the same question in the future.

 

[carljohanlarsson]

Be warned, I have no idea what I'm doing, but it works.

So, the problem is that you cant add ranges in DirectAdmin for MySQL Access Hosts.

So, you cant add 64.18.0.0/20. But you can add subnet masks (I dfont really know how that works), but acc to https://www.calculator.net/ip-subnet-calculator.html 64.18.0.0/20 is the same as 64.18.0.0/255.255.240.0 and DirectAdmin accepts that input.


So if you need to allow a list of IP ranges, you can go to https://www.calculator.net/ip-subnet-calculator.html and convert them to another format.

Again, fair warning, I have no idea if I have exposed my server to something dangerous.

 

[Richard G]

Oke that is in fact the same as I said before, using the subnet as access mask. This is also described by other sites on the net.
You just have to take care that no ip's are included from that range which shouldn't have access.

However, that might also be blocked in the firewall if needed.

Good job, also for stating the warning for others trying this.