How to secure server when port 3306 is open (Remote Database)

outdoor

Hello,

I opened port 3306 on my server for a remote database connection.
Are there any additional steps we can take to secure the server more when the port is open?


I can see that some big players like Frantech have this port opened: https://ping.eu/port-chk/


Regards
 
I wouldn't even consider opening it. But if it must be, yes there are some additional steps one can take.
You can, for example, limit which IPs are allowed to access the port in the firewall.

Also, in MySQL/MariaDB itself you can decide which users/IPs are allowed to make a remote connection.

Here (click) you can see some examples with ufw and mysql.
 
If the developer is working at localhost, what will be the best solution to connect to the database and VPN tunnel? Do you have some tutorials for it?


Can we set these IP and user limits in the firewall via the DirectAdmin CSF app? Are there any good examples for beginners?



Off topic: Is there an alternative for cloudlinux users side php.ini values editor?

Regards
 
Sorry, I don't have any VPN tunnel tutorials.

Yes, you can set the IP in the firewall using the CSF firewall plugin in DirectAdmin. Check the "temporary allow/deny" options in the GUI and then you don't even need to open port 3306 in the firewall.

Alternatively (same option) you can also use the csf.allow file which you can change via SSH.
For example, if your dev has IP 212.203.144.232 you can add it like this in the csf.allow file:
tcp|in|d=3306|s=212.203.144.232
which will allow that IP to bypass the closed port 3306 (so allowing access).
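
The MySQL/MariaDB side of the restriction mentioned earlier in the thread, as an added example that is not part of any post. It reuses the developer IP from the csf.allow line above; the account name `dev_remote`, the schema `app_db` and the password are placeholders, and `REQUIRE SSL` assumes TLS is already configured on the database server.

```sql
-- Added example; dev_remote, app_db and the password are placeholders.

-- 1. Audit: list accounts whose host part contains a wildcard or is empty.
--    These accept logins from any address that gets past the firewall.
SELECT user, host
FROM mysql.user
WHERE LOCATE('%', host) > 0 OR host = '';

-- 2. Create an account that is only valid from the developer's address.
--    A login with the same name from any other IP is rejected by the server
--    even if the firewall rule is later widened by mistake.
--    REQUIRE SSL refuses unencrypted sessions (assumes server TLS is set up).
CREATE USER 'dev_remote'@'212.203.144.232'
  IDENTIFIED BY 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD'
  REQUIRE SSL;

-- 3. Grant only the privileges the developer needs, on one schema only.
--    No global (*.*) privileges and no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON `app_db`.*
  TO 'dev_remote'@'212.203.144.232';

-- 4. Verify what the account can actually do.
SHOW GRANTS FOR 'dev_remote'@'212.203.144.232';

-- 5. When the developer no longer needs access, remove the account
--    (and the matching csf.allow line).
-- DROP USER 'dev_remote'@'212.203.144.232';
```

With both layers in place, the firewall decides which addresses can reach port 3306 and the host part of the account decides which of those addresses can authenticate.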
 
It is working perfectly. This will work as long as the user has a static IP. Is there no solution for a dynamic IP?
Thanks a lot.


It will be nice to have all these things in documentation, something like (best practices for security).
 
It will be nice to have all these things in documentation, something like (best practices for security).
CSF is not from DA, it's just a plugin. Docs are in the readme of csf and the csf files.
There is a csf.dyndns file, check it out. ;)
 