Is there any way to tell the mysql server to only accept connections from certain IP's. Simular to the directory directive in apache

Kinda.....The only way that comes to mind is to use the built in user authorization system to do it. What you'd do is set up a user account for remote connections and limit all other users to localhost. You can specify any user's host in the "host" field of the "user" table in the "mysql" database. You can use a hardcoded single IP or you can also use wildcards such as % to allow connections from certain domains, IP subnets, and etc.

yea, mainly im concerned about script kiddes and the different worms out there exploiting mysql. Slammer is the big one that comes to mind.

Regardless of how you set up users, i think as long as the daemon is listening on 3306, it would be attacked.

thanks for your help.

guess a firewall is the next step in the process.

Yeah, personally, I think it best not too allow remote connections to mysql at all. Instead I usually op for building tools via PHP and/or Perl that can do whatever needs doing locally through a webserver and etc. Then everything that interacts with mysql is server side and you don't have to worry as much about stuff like that. Course you still can't control everything.. Anyway, you stop mysql from listening on anything except localhost by enabling a directive in the my.cnf. Here's the directive as stated in my.cnf:

Hey thats awesome, exactly what i needed. I agree, I like having php/perl do the work with the database locally (Server side) and dont do anything remotly on 3306.

A few questoins:

1. What are the my-large, my-huge, my-medium and my-small icons in the root folder.

2. whats the difference between the following servers:
Directory of C:\mysql\bin

10/20/2003 08:43 PM 2,580,480 mysqld-max-nt.exe
10/20/2003 08:43 PM 2,580,480 mysqld-max.exe
10/20/2003 08:43 PM 2,248,704 mysqld-nt.exe
10/20/2003 08:43 PM 2,248,704 mysqld-opt.exe
10/20/2003 08:43 PM 3,649,601 mysqld.exe

3. This is my config file, located in c:\windows

[WinMySQLAdmin]
Server=C:/mysql/bin/mysqld-nt.exe
enable-named-pipe
skip-networking


When i restart the service, it loads the file ok it seems, but the service is still listening on 3306.

Thanks,
Cheers

Hmm, never really messed with it much on Windows, so I'm not certain what the difference in the exe's are. Might check the lengthy mysql doc for that. Best I remember the small, medium, huge stuff has to do with the settings of the config file only, depending on how big your database is, but don't quote me on that..

Here ya go:
So it's just a difference of options compiled into the binary. And yeah, the difference in the config files is just a difference in options there as well for different needs based on your needs.

I've written a tutorial setting up mysql incl. chroot (and details how to chroot it). This tutorial has been published at my website. You can go directly tutorial.

So if you require more information and a additional layer of security (chroot), you can take a look there. Most MySQL installations by distributions are by default not chrooted.

Incorrect, SQL Slammer only affected MS SQL Server, any other SQL compliant databases were not affected (Oracle, MySQL, mSQL, PostgreSQL, etc).

A good example of a remote MySQL vulnerability (although it was a configuration error, not really a vulnerability in MySQL itself) can be found here. That one could easily be scripted into a worm, but I doubt there are enough hosts with that vulnerability to make it worthwhile.

A firewall in front of a database highly recommended. However, the presence of a firewall should not discourage you from hardening the database itself (for instance, setting it to not listen on TCP ports).