6th January 2013
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

On a webserver you should not allow mysql to LISTEN on a publicly accessible IP address. On a FreeBSD webserver in the pf pflog file, I see a lot of connection attempts like this:

Code:
2013-01-04 03:31:40.702524 IP 113.12.81.228.6000 > xx.xxx.xxx.45.3306: S 1322188800:1322188800(0) win 16384
2013-01-04 03:31:40.713148 IP 113.12.81.228.6000 > xx.xxx.xxx.41.3306: S 1497366528:1497366528(0) win 16384
2013-01-04 03:31:40.713446 IP 113.12.81.228.6000 > xx.xxx.xxx.43.3306: S 1451098112:1451098112(0) win 16384
2013-01-04 03:31:40.714230 IP 113.12.81.228.6000 > xx.xxx.xxx.35.3306: S 1948647424:1948647424(0) win 16384
2013-01-04 03:31:40.714538 IP 113.12.81.228.6000 > xx.xxx.xxx.44.3306: S 426704896:426704896(0) win 16384
2013-01-04 03:31:40.720639 IP 113.12.81.228.6000 > xx.xxx.xxx.37.3306: S 941686784:941686784(0) win 16384
2013-01-04 03:31:40.722979 IP 113.12.81.228.6000 > xx.xxx.xxx.34.3306: S 1111621632:1111621632(0) win 16384
2013-01-04 03:31:40.724846 IP 113.12.81.228.6000 > xx.xxx.xxx.40.3306: S 762511360:762511360(0) win 16384
2013-01-04 03:31:40.725780 IP 113.12.81.228.6000 > xx.xxx.xxx.38.3306: S 194183168:194183168(0) win 16384
2013-01-04 03:31:40.727344 IP 113.12.81.228.6000 > xx.xxx.xxx.42.3306: S 847904768:847904768(0) win 16384
2013-01-04 03:31:40.728747 IP 113.12.81.228.6000 > xx.xxx.xxx.39.3306: S 162725888:162725888(0) win 16384
You can do this in the my.cnf file by uncommenting the "skip-networking" directive:
Code:
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
# 
#skip-networking
An alternative is to only allow the 127.0.0.1 loopback address by using something like this in your /etc/rc.conf.local:
Code:
mysqld_flags="--bind-address=127.0.0.1"
A netstat now will only show mysqld on loopback instead of *.3306

Code:
netstat -an -f inet -p tcp
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.20.14527   178.33.235.5.80        ESTABLISHED
tcp          0      0  192.168.222.20.36847   80.255.10.121.80       TIME_WAIT
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0      0  192.168.222.20.47431   174.133.121.34.1022    ESTABLISHED
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.515                  *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
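As an added example (not part of J65nko's post), a small POSIX shell check that parses netstat output in the format shown in the post and flags any mysqld listener bound to a non-loopback address; the two netstat samples embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads FreeBSD/OpenBSD-style
# "netstat -an -f inet -p tcp" output on stdin. Local addresses look like
# "127.0.0.1.3306" or "*.3306"; the port is the last dot-separated field.
# Prints the local address of every LISTEN socket on the MySQL port
# (default 3306) that is not 127.0.0.1.
exposed_mysql_listeners() {
    awk -v port="${1:-3306}" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] != port) next
            addr = $4; sub(/\.[0-9]+$/, "", addr)   # strip the trailing ".port"
            if (addr != "127.0.0.1") print addr
        }'
}

# Constructed sample: mysqld bound to loopback only, as the post recommends.
SAFE_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

# Constructed sample of the misconfiguration the post warns about:
# mysqld listening on all addresses and on a routable interface address.
EXPOSED_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.3306                 *.*                    LISTEN
tcp          0      0  192.168.222.20.3306    *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

# Returns 0 when mysqld is loopback-only (or not listening), 1 otherwise.
# $1 is netstat output, optional $2 overrides the port.
check_mysql_binding() {
    out=$(printf '%s\n' "$1" | exposed_mysql_listeners "${2:-3306}")
    if [ -n "$out" ]; then
        printf 'mysqld listening on non-loopback address(es):\n%s\n' "$out"
        return 1
    fi
    echo "mysqld listens on loopback only (or not at all)"
    return 0
}

# On a live host: check_mysql_binding "$(netstat -an -f inet -p tcp)"
check_mysql_binding "$SAFE_SAMPLE"
check_mysql_binding "$EXPOSED_SAMPLE" || true
```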