How do I prevent remote acces to MySQL?
Solution 1:
As @Bruno answered, edit my.cnf and set the bind address.
The other way is to set access control at MySQL user level. The Grant syntax shows this. Users accounts can be set to accessible from a particular network IP ( like 127.0.0.1 or localhost or %.%.%.% )
Solution 2:
Bind its local address to localhost, in the MySQL configuration file:
bind-address = 127.0.0.1
(or only use unix sockets).
Note that users tunnelling through SSH will be treated as coming from localhost
too: don't give out SSH accounts in this case.
Solution 3:
If your server is behind NAT ( i.e it has "local" address(es) only but it still receives traffic directly from the internet ) but you have more than one machine on this network ( so binding to 127.0.0.1 is not an option ) then blocking all but local traffic using your firewall will be the way to go.
In iptables, you can accomplish this using these commands as root:
iptables -I INPUT --dport 3306 -j DROP
iptables -I INPUT -s 192.168.0.0/24 --dport 3306 -j ACCEPT
Note that this puts the DROP rule in as the first rule and then puts the ACCEPT rule in before that. There is probably a much better way of doing this using whatever method you use to save your firewall rules. ( Probably iptables-save
and iptables-restore
.)