MySQL: Is it a security risk to deactivate the setting "bind-address"?
The impact of commenting out the setting depends on the value bind-address was set to before.
Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address
bind-address, Default Value: *
The manual also explains what that setting means and how it differs from using 0.0.0.0 :
If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.
If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.
If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL), then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8, and * will additionally allow all incoming IPv6 traffic.
In general it is considered good security practice to only configure the minimum network access for services.
Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1, bind-address = 0.0.0.0 or bind-address = *.
On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.
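As an added example (not part of either answer), the following script encodes the rules quoted above into an audit check: it reads a my.cnf-style file, resolves the bind-address mysqld would actually use (a commented-out option falls back to the default *), and classifies the exposure. The sample config is constructed; the handling of :: as a wildcard follows the MySQL manual and is not quoted on this page.

```python
import ipaddress
import re

DEFAULT_BIND = "*"  # MySQL 8.0 default when bind-address is absent or commented out
WILDCARDS = {"*", "0.0.0.0", "::"}  # not permitted inside a comma-separated list

def effective_bind_address(cnf_text: str) -> str:
    """Value mysqld would use: only [mysqld] counts, '#'/';' lines are comments,
    the last occurrence wins, and absence means the default."""
    section, value = None, DEFAULT_BIND
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        if section == "mysqld" and sep and key.strip().replace("_", "-") == "bind-address":
            value = val.strip().strip("\"'")
    return value

def classify(bind: str) -> str:
    """Exposure class: all-v4v6, all-v4, loopback, specific or invalid."""
    addrs = [a.strip() for a in bind.split(",") if a.strip()]
    if not addrs or (len(addrs) > 1 and WILDCARDS & set(addrs)):
        return "invalid"
    if addrs in (["*"], ["::"]):
        return "all-v4v6"   # every IPv4 and IPv6 interface ('::' per the MySQL manual)
    if addrs == ["0.0.0.0"]:
        return "all-v4"     # every IPv4 interface only
    loopback_only = True
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:       # hostname: cannot tell offline, treat as specific
            return "specific"
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
        loopback_only = loopback_only and ip.is_loopback
    return "loopback" if loopback_only else "specific"

# Constructed sample: bind-address commented out under [mysqld], set under [client] (ignored)
SAMPLE_CNF = "[client]\nbind-address = 127.0.0.1\n[mysqld]\n# bind-address = 127.0.0.1\ndatadir = /var/lib/mysql\n"

def audit(cnf_text: str) -> tuple:
    bind = effective_bind_address(cnf_text)
    return bind, classify(bind)  # audit(SAMPLE_CNF) -> ('*', 'all-v4v6')

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```

Run it against a real my.cnf to confirm that a "commented out" bind-address really means every interface, not localhost.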
Talking about security, exposing your data to the world is never a nice choice.
Talking about how to avoid what you did: if your MySQL is running on Linux and you have SSH access, you can configure a tunnel and there is no need to expose MySQL to the world.
Here is an example:
ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 \
-i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60 \
-o ServerAliveCountMax=1 \
[email protected] -L 3306:127.0.0.1:3306
In this way, you connect your GUI, or whatever app you need, to IP 127.0.0.1 port 3306 and it's done.
If you don't want to use the command line, you can set up most GUIs to connect to your MySQL through an SSH tunnel.
Last, if you comment out bind-address=0.0.0.0, your MySQL listens for connections on all IP addresses, not only on localhost (127.0.0.1).