Does it offer any security benefits to change MySQL's default tcp port?

Title has it all, is it recommended practice on production servers to change the default port?


Solution 1:

Others on this system (and elsewhere) have convinced me that there's nothing necessarily wrong with security-through-obscurity, but it must never be your only line of defence.

Run it on another port, by all means, but don't let that stop you from firewalling aggressively, ensuring that only strong passwords are used, and wrapping the connection in SSL or (better) a VPN, if external systems must connect to your MySQL service across the public internet.

If your only defence is to run it on a non-standard port, someone else running a port scanner will find it sooner or later (probably sooner), and your defences are holed.

Solution 2:

Being on a non-standard port protects you from brute-force scripts that assume the standard port, but:

  • This will not protect against scripts that do a port-scan or similar to see if mysql is listening somewhere other than the default port, or something that manages to glean the right port to try from information elsewhere
  • If your database server is acting only for an application (i.e. it is serving web applications, not users directly) then nothing but your web server machines should be able to connect anyway: make sure whatever port it is running on is protected so only the few hosts that should connect can connect
  • If users other than an application user do need to connect, good password policies and correctly managed permissions are what is needed (and perhaps only let them connect over a VPN or SSH tunnel rather than opening the mysql port to the wider network)

Having it on a non-default port does no harm, but unless the other security is in place it does little real good (it at best increases the amount of time between successful hacks rather than removing the risk) and with the other security in place moving to a different port won't be needed.
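An added example, not from either answer above, of the second bullet's advice: a POSIX shell script that builds an nftables ruleset allowing only an allow-list of web-server addresses to reach the MySQL port (whatever port that is), and an audit that reads `ss -ltn` style output and flags the MySQL port when it listens on every interface. The port, the addresses and the sample listener table are constructed.

```shell
#!/bin/sh
# Added example: restrict whatever port MySQL uses to the few hosts that need it,
# and audit the listener table so a socket bound to all interfaces is noticed.

# mysql_ruleset PORT HOST... : print an nftables ruleset that lets only loopback
# and the listed source addresses reach PORT and drops everyone else.
mysql_ruleset() {
    port="$1"; shift
    allowed=$(printf '%s, ' "$@" | sed 's/, $//')
    cat <<EOF
table inet mysql_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # loopback and the allow-listed web servers may reach MySQL
        iifname "lo" tcp dport $port accept
        ip saddr { $allowed } tcp dport $port accept
        # everything else aimed at the MySQL port is dropped
        tcp dport $port drop
    }
}
EOF
}

# mysql_exposure PORT : read 'ss -ltn' style lines on stdin and print "exposed"
# when PORT is listening on all interfaces (0.0.0.0, * or [::]), else "restricted".
mysql_exposure() {
    awk -v port="$1" '
        NR > 1 && $4 ~ ("(^|:)" port "$") {
            if ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) { exposed = 1 }
        }
        END { print (exposed ? "exposed" : "restricted") }'
}

# Constructed sample of 'ss -ltn' output: MySQL on 3306 bound to every interface,
# the X protocol port 33060 bound to loopback only.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      151    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:33060     0.0.0.0:*'

# Stand-alone run: ruleset for two hypothetical web servers, then the audit.
mysql_ruleset 3306 10.0.1.10 10.0.1.11
printf '%s\n' "$SS_SAMPLE" | mysql_exposure 3306    # prints "exposed"
printf '%s\n' "$SS_SAMPLE" | mysql_exposure 33060   # prints "restricted"
```

The generated ruleset is meant to be reviewed and loaded with `nft -f`, not applied blindly; the audit only tells you that the port is reachable from any interface, the firewall is what keeps it closed.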