On a webserver you should not allow MySQL to listen on a publicly accessible IP address. In the pf pflog file on a FreeBSD webserver I see a lot of connection attempts like this:
Code:
2013-01-04 03:31:40.702524 IP 113.12.81.228.6000 > xx.xxx.xxx.45.3306: S 1322188800:1322188800(0) win 16384
2013-01-04 03:31:40.713148 IP 113.12.81.228.6000 > xx.xxx.xxx.41.3306: S 1497366528:1497366528(0) win 16384
2013-01-04 03:31:40.713446 IP 113.12.81.228.6000 > xx.xxx.xxx.43.3306: S 1451098112:1451098112(0) win 16384
2013-01-04 03:31:40.714230 IP 113.12.81.228.6000 > xx.xxx.xxx.35.3306: S 1948647424:1948647424(0) win 16384
2013-01-04 03:31:40.714538 IP 113.12.81.228.6000 > xx.xxx.xxx.44.3306: S 426704896:426704896(0) win 16384
2013-01-04 03:31:40.720639 IP 113.12.81.228.6000 > xx.xxx.xxx.37.3306: S 941686784:941686784(0) win 16384
2013-01-04 03:31:40.722979 IP 113.12.81.228.6000 > xx.xxx.xxx.34.3306: S 1111621632:1111621632(0) win 16384
2013-01-04 03:31:40.724846 IP 113.12.81.228.6000 > xx.xxx.xxx.40.3306: S 762511360:762511360(0) win 16384
2013-01-04 03:31:40.725780 IP 113.12.81.228.6000 > xx.xxx.xxx.38.3306: S 194183168:194183168(0) win 16384
2013-01-04 03:31:40.727344 IP 113.12.81.228.6000 > xx.xxx.xxx.42.3306: S 847904768:847904768(0) win 16384
2013-01-04 03:31:40.728747 IP 113.12.81.228.6000 > xx.xxx.xxx.39.3306: S 162725888:162725888(0) win 16384
Every one of those SYNs comes from the same host and source port and walks through a whole block of destination addresses within a few milliseconds: an automated scan for reachable MySQL servers, not a legitimate client. If nothing needs to reach mysqld over TCP, you can take it off the network entirely by uncommenting the "skip-networking" directive in the my.cnf file:
Code:
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
An alternative, if local clients still need TCP, is to let mysqld listen only on the 127.0.0.1 loopback address, for example with this in your /etc/rc.conf.local:
Code:
mysqld_flags="--bind-address=127.0.0.1"
Keep the pf rule that blocks and logs inbound 3306 regardless, so that a later configuration change cannot silently re-expose the port. A netstat now shows mysqld listening on loopback only instead of on *.3306:
Code:
netstat -an -f inet -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 192.168.222.20.14527 178.33.235.5.80 ESTABLISHED
tcp 0 0 192.168.222.20.36847 80.255.10.121.80 TIME_WAIT
tcp 0 0 127.0.0.1.3306 *.* LISTEN
tcp 0 0 192.168.222.20.47431 174.133.121.34.1022 ESTABLISHED
tcp 0 0 *.6000 *.* LISTEN
tcp 0 0 127.0.0.1.587 *.* LISTEN
tcp 0 0 127.0.0.1.25 *.* LISTEN
tcp 0 0 *.515 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN