How do I prevent remote acces to MySQL?

mysql security

Solution 1:

As @Bruno answered, edit my.cnf and set the bind address.

The other way is to set access control at MySQL user level. The Grant syntax shows this. Users accounts can be set to accessible from a particular network IP ( like 127.0.0.1 or localhost or %.%.%.% )

Solution 2:

Bind its local address to localhost, in the MySQL configuration file:

bind-address            = 127.0.0.1

(or only use unix sockets).

Note that users tunnelling through SSH will be treated as coming from localhost too: don't give out SSH accounts in this case.

Solution 3:

If your server is behind NAT ( i.e it has "local" address(es) only but it still receives traffic directly from the internet ) but you have more than one machine on this network ( so binding to 127.0.0.1 is not an option ) then blocking all but local traffic using your firewall will be the way to go.

In iptables, you can accomplish this using these commands as root:

iptables -I INPUT --dport 3306 -j DROP
iptables -I INPUT -s 192.168.0.0/24 --dport 3306 -j ACCEPT

Note that this puts the DROP rule in as the first rule and then puts the ACCEPT rule in before that. There is probably a much better way of doing this using whatever method you use to save your firewall rules. ( Probably iptables-save and iptables-restore.)

Related

Why Wireshark does not recognize this HTTP response?
Removing messages from a postfix queue based on message body content
What does "non-IP" originated traffic mean in a TOS?
understanding vlan
Can disk space be the reason for a server crash?
Clients didn't switch to secondary DNS server during fail over
Internal LTO tape drive becomes hot
websockets , loadbalancers and 64k ports
Vagrant / puppet workflow
Sendmail doesn't work with iptables, even though smtp and dns are allowed
Is it possible to clear the Pager field in AD users & computer using a command?
Free/Cheap Exchange backup option?