Knowledge Base

Home » Knowledge Base » Developer Corner » MySQL » Here

How to restrict MySQL port access

On some Linux distributions, port 3306 is open after you install MySQL. This article describes two methods for restricting or blocking access to port 3306 on a semi-managed server.

The information in this article only applies to semi-managed products. You must have root access to the server to follow the procedures described below.

Method #1: Disable MySQL networking

If you do not need to access MySQL from an external computer, you can disable MySQL networking.

Follow the appropriate procedure below for your Linux distribution.

Even with MySQL networking disabled, you can still access MySQL securely from a remote computer if you need to. To do this, you can configure an SSH tunnel. For information about how to do this, please see this article.
CentOS and Fedora

To disable MySQL networking on CentOS and Fedora, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, use your preferred text editor to open the /etc/my.cnf file.
  3. Locate the following line in the my.cnf file: 
    #skip-networking

  4. Delete the # sign at the beginning of the line so the line looks like the following:

    skip-networking
  5. Save your changes to the /etc/my.cnf file, and then exit the text editor.

  6. Type the following command to restart the MySQL service:

    service mysqld restart

    Port 3306 is now closed on the server.

Debian and Ubuntu

By default, MySQL on Debian and Ubuntu is configured to only use the localhost interface (IP address 127.0.0.1) for networking. This means that port 3306 is closed to external connections. To confirm that this is the configuration on your server, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, use your preferred text editor to open the /etc/mysql/my.cnf file.
  3. Locate the bind-address line in the my.cnf file. It should look like the following: 
    bind-address = 127.0.0.1
    If the bind-address line is set to 0.0.0.0 (or no address at all), then connections are open on all interfaces.
  4. If you made any changes to the /etc/my.cnf file, save them and then exit the text editor.

  5. To restart the MySQL service, type the following command:

    service mysql restart

    Port 3306 is now closed on the server.

Method #2: Configure firewall rules

You can use iptables to create firewall rules that restrict access to port 3306. The advantage of this method is that you can selectively grant or deny access to port 3306 based on IP addresses or other criteria.

For example, to block external access to port 3306 completely, type the following command:

iptables -A INPUT -p tcp --dport 3306 -j DROP

Similarly, to grant access to a specific IP address and block all others, type the following commands. Replace xxx.xxx.xxx.xxx with the IP address for which you want to grant access:

iptables -A INPUT -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

You can grant MySQL access to additional IP addresses by inserting rules in the INPUT chain before the DROP rule. For example:

iptables -I INPUT 1 -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
  • Securing a semi-managed server

    On semi-managed hosting packages, you are responsible for server administration. One of the most important things to do is secure your server, and this article provides the information you need.

  • Configuring a firewall using iptables

    The iptables program enables you to set up a firewall and help secure your server. Please note that this article only applies to semi-managed hosting packages.

  • Reset MySQL root password

    If you have forgotten your root password for MySQL, this article shows you how to reset it. Note that you must have root access to your server to accomplish this.

HOSTING
FEATURES
SERVICES
SUPPORT
COMPANY