Limiting MySQL Database to Local Access

ak17_hk

Hi Guys! If I just want the domain users on my server to be able to connect to their MySQL database locally but not remotely (to prevent excessive usage with multiple servers not hosted by us), what will the setting be?

Do I simply disable port 3306 access? If so, how can I do that with iptables? Thanks! :)

Anthony.
 
Yes, keep 3306 blocked (ingress only).

Also, all the users that you create from the DA panel are only allowed to connect from localhost, which means only the scripts would be able to talk to the DB. There is an option to allow remote hosts to connect as well to a particular DB, but having inbound traffic blocked on port 3306 would block it.

Use APF (or any other) to block ports; it's easy to configure and saves you from the hassle of understanding iptables completely.
 

Thanks Rohit for the tips! ;)

So, how can I make sure that my iptables is not running before I move to APF? Or I don't even have to bother whether iptables is running or not?

What's the simplest way to block port 3306? Thanks. :)

Anthony.
 
To block 3306 using apf, just remove it from your conf.apf under IG_TCP ports area. Not sure how to do that using plain IPTables, I haven't had to do much with IPTables before.

Another way to block MySQL access from outside is to tell MySQL to listen on only 127.0.0.1, so that only people using the loopback interface can reach it. It won't even be accepting any connections from the outside world, though you should still block the port; this is just another layer of prevention you can add on in the event your firewall is accidentally turned off or if something happens. To do this, just run:
Code:
vi /etc/my.cnf
# Insert this into the [mysqld] section (or create the section if this is a new file):
[mysqld]
bind-address            = 127.0.0.1
Then restart MySQL and run netstat to make sure it is listening only on the loopback IP.
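Putting the thread's two pieces of advice together (block inbound 3306 except on loopback, and verify that MySQL only binds 127.0.0.1) as an added example; this is not code from the thread or from DirectAdmin/APF. It assumes the INPUT chain's default policy is ACCEPT and uses constructed `ss`/`my.cnf` samples rather than output from a real server.

```shell
#!/bin/sh
# Added example, not from the thread. (1) generate iptables rules that let the MySQL
# port be reached only over loopback; (2) verify from listener output and from my.cnf
# that MySQL really is loopback-only.

# Print the iptables commands for a loopback-only MySQL port (default 3306).
# Assumes the INPUT chain's default policy is ACCEPT, so an explicit DROP is needed.
mysql_local_only_rules() {
  port="${1:-3306}"
  printf '%s\n' \
    "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Read `ss -ltn` or `netstat -ltn` output on stdin; succeed only if every socket
# listening on the port is bound to 127.0.0.1 or [::1] (column 4 is the local address).
mysql_listens_loopback_only() {
  port="${1:-3306}"
  awk -v p="$port" '
    BEGIN { bad = 0 }
    NR > 1 && $4 ~ (":" p "$") {
      addr = $4; sub(":" p "$", "", addr)
      if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { exit bad }'
}

# Read my.cnf text on stdin; succeed only if [mysqld] sets bind-address = 127.0.0.1.
mycnf_bound_to_loopback() {
  awk '
    BEGIN { ok = 0; in_mysqld = 0 }
    /^\[/ { in_mysqld = ($0 == "[mysqld]") }
    in_mysqld && /^bind-address[ \t]*=[ \t]*127\.0\.0\.1[ \t]*$/ { ok = 1 }
    END { exit !ok }'
}

# Constructed samples (not captured from a real server), in `ss -ltn` layout.
SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*'
MYCNF_GOOD='[client]
port = 3306
[mysqld]
bind-address = 127.0.0.1'

# Demo run: print the rules, then flag the sample where MySQL listens on 0.0.0.0.
mysql_local_only_rules
printf '%s\n' "$SS_BAD" | mysql_listens_loopback_only || echo "WARNING: MySQL is reachable on a non-loopback address"
```

On a live box, feed real output instead of the samples: `ss -ltn | mysql_listens_loopback_only` and `mycnf_bound_to_loopback < /etc/my.cnf`.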
 