LinuxQuestions.org
Old 12-09-2003, 02:34 PM   #1
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
mysql 3306 security


Is there any way to tell the mysql server to only accept connections from certain IPs? Similar to the Directory directive in Apache.
 
Old 12-09-2003, 02:47 PM   #2
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Kinda..... The only way that comes to mind is to use the built-in user authorization system to do it. What you'd do is set up a user account for remote connections and limit all other users to localhost. You can specify any user's host in the "host" field of the "user" table in the "mysql" database. You can use a hardcoded single IP or you can also use wildcards such as % to allow connections from certain domains, IP subnets, etc.
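The host-based restriction described in this post is only as strong as the Host values actually stored in mysql.user, so the check a defender wants is an audit of those values. The following Python script is an added example, not code from the thread or from MySQL; the account rows are constructed to stand in for the output of `SELECT User, Host FROM mysql.user`, and the risk ranking is this example's own assumption. It classifies each Host value the way MySQL interprets it (exact IP, `%`/`_` wildcard pattern, IP/netmask form, hostname, or localhost-only) and lists the accounts that could be reached from another machine at all.

```python
import ipaddress

# Constructed sample rows standing in for
#   SELECT User, Host FROM mysql.user;
# (not from the thread and not from any real server)
SAMPLE_ACCOUNTS = [
    ("root",   "localhost"),
    ("app",    "192.168.1.10"),
    ("report", "%"),
    ("batch",  "%.corp.example"),
    ("web",    "192.168.1.0/255.255.255.0"),
]

def classify_host(host):
    """Say how tightly a mysql.user Host value limits where a login may come from."""
    h = host.strip()
    if h == "%":
        return "anywhere"          # matches every host
    if h.lower() == "localhost" or h in ("127.0.0.1", "::1"):
        return "local-only"        # socket / named pipe / loopback only
    if "%" in h or "_" in h:
        return "wildcard"          # MySQL LIKE-style pattern (% and _)
    if "/" in h:
        return "subnet"            # MySQL's IP/netmask form
    try:
        ipaddress.ip_address(h)
        return "single-ip"
    except ValueError:
        return "hostname"          # exact name; relies on reverse DNS

# Risk ranking is an assumption made for this example, not a MySQL rule.
RISK = {"anywhere": "high", "wildcard": "medium", "hostname": "medium",
        "subnet": "low", "single-ip": "ok", "local-only": "ok"}

def audit_accounts(rows):
    """Return (user, host, class, risk) for every account, worst first."""
    order = ["high", "medium", "low", "ok"]
    findings = []
    for user, host in rows:
        cls = classify_host(host)
        findings.append((user, host, cls, RISK[cls]))
    return sorted(findings, key=lambda f: order.index(f[3]))

def remote_capable_accounts(rows):
    """Accounts that can log in over TCP from some other machine at all."""
    return sorted(u for u, h in rows if classify_host(h) != "local-only")

if __name__ == "__main__":
    for user, host, cls, risk in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{risk:6} {user:8} @ {host:28} {cls}")
    print("remote-capable:", remote_capable_accounts(SAMPLE_ACCOUNTS))
```

Run it against real rows by replacing SAMPLE_ACCOUNTS with the query output; any account classed "anywhere" or "wildcard" is one the grant tables alone will not keep off the network, which is the point the rest of the thread makes about still needing skip-networking or a firewall.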
 
Old 12-09-2003, 02:56 PM   #3
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Original Poster
Rep: Reputation: 30
Yea, mainly I'm concerned about script kiddies and the different worms out there exploiting mysql. Slammer is the big one that comes to mind.

Regardless of how you set up users, I think as long as the daemon is listening on 3306, it would be attacked.

Thanks for your help.

Guess a firewall is the next step in the process.
 
Old 12-09-2003, 03:07 PM   #4
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Yeah, personally, I think it best not to allow remote connections to mysql at all. Instead I usually opt for building tools via PHP and/or Perl that can do whatever needs doing locally through a webserver, etc. Then everything that interacts with mysql is server side and you don't have to worry as much about stuff like that. Course you still can't control everything.. Anyway, you stop mysql from listening on anything except localhost by enabling a directive in the my.cnf. Here's the directive as stated in my.cnf:
Quote:
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
skip-networking
 
Old 12-09-2003, 03:18 PM   #5
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Original Poster
Rep: Reputation: 30
Hey, that's awesome, exactly what I needed. I agree, I like having PHP/Perl do the work with the database locally (server side) and don't do anything remotely on 3306.

A few questions:

1. What are the my-large, my-huge, my-medium and my-small icons in the root folder?

2. What's the difference between the following servers:
Directory of C:\mysql\bin

10/20/2003 08:43 PM 2,580,480 mysqld-max-nt.exe
10/20/2003 08:43 PM 2,580,480 mysqld-max.exe
10/20/2003 08:43 PM 2,248,704 mysqld-nt.exe
10/20/2003 08:43 PM 2,248,704 mysqld-opt.exe
10/20/2003 08:43 PM 3,649,601 mysqld.exe

3. This is my config file, located in c:\windows

[WinMySQLAdmin]
Server=C:/mysql/bin/mysqld-nt.exe
enable-named-pipe
skip-networking


When I restart the service, it loads the file OK it seems, but the service is still listening on 3306.

Thanks,
Cheers

Last edited by sopiaz57; 12-09-2003 at 03:34 PM.
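The option file shown in this post puts skip-networking under the [WinMySQLAdmin] group, which is the group the WinMySQLAdmin tool reads; mysqld itself only reads the [mysqld] (and [server]) groups, so a directive placed elsewhere has no effect on the server, which is consistent with it still listening on 3306. The following Python script is an added example, not from the thread or from MySQL: it parses option-file syntax (INI groups, `#` comments, bare flags such as skip-networking), reports what the server would actually do with TCP given only the groups it reads, and flags server options written under a group mysqld ignores. The three configs are constructed for the example; the first reproduces the posted layout, the second moves the flags under [mysqld], and the third shows the alternative of keeping TCP but binding it to loopback with bind-address.

```python
import configparser

# mysqld reads only these option groups; anything under another group
# (for example [WinMySQLAdmin], used by the WinMySQLAdmin tool) is not seen
# by the server process.
SERVER_GROUPS = ("mysqld", "server")

# A few server-side options this check cares about (assumption: a short list
# chosen for this example, not MySQL's complete option set).
SERVER_ONLY = {"skip_networking", "bind_address", "port"}

# Constructed copy of the posted layout: skip-networking sits under
# [WinMySQLAdmin], so mysqld never reads it.
POSTED_CONFIG = """\
[WinMySQLAdmin]
Server=C:/mysql/bin/mysqld-nt.exe
enable-named-pipe
skip-networking
"""

# Constructed corrected version: the server flags live under [mysqld].
HARDENED_CONFIG = """\
[WinMySQLAdmin]
Server=C:/mysql/bin/mysqld-nt.exe

[mysqld]
enable-named-pipe
skip-networking
"""

# Constructed alternative: keep TCP, but only on the loopback interface.
LOOPBACK_CONFIG = """\
[mysqld]
bind-address=127.0.0.1
port=3306
"""

def parse_option_file(text):
    """Parse MySQL option-file syntax into {group: {option: value_or_None}}."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False)
    cp.read_string(text)
    groups = {}
    for section in cp.sections():
        # MySQL treats '-' and '_' in option names as interchangeable.
        groups[section] = {k.replace("-", "_"): v for k, v in cp.items(section)}
    return groups

def effective_listener(text):
    """What mysqld would actually do with TCP, given only the groups it reads."""
    groups = parse_option_file(text)
    merged = {}
    for g in SERVER_GROUPS:
        merged.update(groups.get(g, {}))
    if "skip_networking" in merged:
        return {"listens_tcp": False, "bind_address": None, "port": None}
    return {
        "listens_tcp": True,
        "bind_address": merged.get("bind_address") or "*",  # '*' = all interfaces
        "port": int(merged.get("port") or 3306),
    }

def misplaced_server_options(text):
    """Server options written under a group that mysqld does not read."""
    groups = parse_option_file(text)
    return [(g, k) for g, opts in groups.items() if g not in SERVER_GROUPS
            for k in opts if k in SERVER_ONLY]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("loopback", LOOPBACK_CONFIG)):
        print(name, effective_listener(cfg), misplaced_server_options(cfg))
```

After changing the file, the confirmation step is still to restart the service and check that nothing is bound to 3306 (netstat on either platform), since the parser only tells you what the file says, not what the running process did with it.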
 
Old 12-09-2003, 08:42 PM   #6
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Hmm, never really messed with it much on Windows, so I'm not certain what the difference in the exes is. Might check the lengthy mysql doc for that. Best I remember, the small, medium, huge stuff has to do with the settings of the config file only, depending on how big your database is, but don't quote me on that..
 
Old 12-09-2003, 08:51 PM   #7
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Here ya go:
Code:
mysqld 	 Compiled with full debugging and automatic memory allocation checking, symbolic links, InnoDB, and BDB tables.
mysqld-opt 	Optimised binary with no support for transactional tables in version 3.23. For version 4.0, InnoDB is enabled.
mysqld-nt 	Optimised binary for NT/2000/XP with support for named pipes.
mysqld-max 	Optimised binary with support for symbolic links, InnoDB and BDB tables.
mysqld-max-nt 	Like mysqld-max, but compiled with support for named pipes.
So it's just a difference of options compiled into the binary. And yeah, the difference in the config files is just a difference in options there as well for different needs based on your needs.
Quote:
Currently there are sample configuration files for small, medium, large, and very large systems. You can copy `my-xxxx.cnf' to your home directory (rename the copy to `.my.cnf') to experiment with this.
 
Old 03-07-2004, 11:56 AM   #8
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
I've written a tutorial on setting up mysql incl. chroot (and details on how to chroot it). This tutorial has been published at my website. You can go directly to the tutorial.

So if you require more information and an additional layer of security (chroot), you can take a look there. Most MySQL installations by distributions are by default not chrooted.
 
Old 03-07-2004, 05:32 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by sopiaz57
Yea, mainly I'm concerned about script kiddies and the different worms out there exploiting mysql. Slammer is the big one that comes to mind.

Regardless of how you set up users, I think as long as the daemon is listening on 3306, it would be attacked.
Incorrect, SQL Slammer only affected MS SQL Server; any other SQL-compliant databases were not affected (Oracle, MySQL, mSQL, PostgreSQL, etc.).

A good example of a remote MySQL vulnerability (although it was a configuration error, not really a vulnerability in MySQL itself) can be found here. That one could easily be scripted into a worm, but I doubt there are enough hosts with that vulnerability to make it worthwhile.

Quote:
guess a firewall is the next step in the process.
A firewall in front of a database is highly recommended. However, the presence of a firewall should not discourage you from hardening the database itself (for instance, setting it to not listen on TCP ports).
 
  

