Securing MySQL Networking
The simplest method is to add the following to my.cnf (in the [mysqld] group):
skip-networking
This disables TCP/IP access completely: mysqld then accepts connections only over its Unix socket. That is often fine if everything that needs the database (the application, backups, monitoring) runs on the same host.
If not, you will want to ensure that only certain machines can make a connection. The quick and easy way is to add the following to my.cnf:
bind-address=127.0.0.1
Be clear about what this does and does not do: bind-address picks the local interface address mysqld listens on; it does not filter remote clients. With 127.0.0.1 only clients on the same host can connect, but bind it to a LAN address and anything that can reach that interface can talk to port 3306. You can also only give it one address (MySQL 8.0.13 and later accept a comma-separated list, but that is still a choice of interfaces, not of clients), which isn't always what you want.
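The three states above (skip-networking, a bind-address, or neither) are easy to mix up when auditing more than one host. The following POSIX shell function is an added example, not code from the original post: it reads a my.cnf and reports how mysqld will listen. It assumes the relevant options sit in the [mysqld] group (MySQL also reads [server] and versioned groups, which this check ignores) and that the file uses the usual key=value syntax.

```shell
#!/bin/sh
# Added example (not from the original post): classify how mysqld will listen
# from a my.cnf. Assumption: the options live in the [mysqld] group only.
# Prints one of:  none   (skip-networking: Unix socket only)
#                 local  (bind-address is a loopback address)
#                 all    (no bind-address, or a wildcard: every interface)
#                 <addr> (bound to one specific interface address)
mysql_listen_mode() {
    awk '
        # Track the current option group, e.g. "[mysqld]" -> "mysqld"
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        sect != "mysqld" { next }
        {
            line = tolower($0)
            sub(/[#;].*$/, "", line)      # drop trailing comments
            gsub(/[ \t]/, "", line)       # drop whitespace around "="
            gsub(/_/, "-", line)          # mysqld treats skip_networking and skip-networking alike
            if (line == "") next
            # A later occurrence of an option overrides an earlier one, as mysqld does
            if (line ~ /^skip-networking(=(on|1|true))?$/)      skip = 1
            else if (line ~ /^skip-networking=(off|0|false)$/)  skip = 0
            else if (line ~ /^bind-address=/) { sub(/^bind-address=/, "", line); bind = line }
        }
        END {
            if (skip)                                                              print "none"
            else if (bind == "" || bind == "*" || bind == "0.0.0.0" || bind == "::") print "all"
            else if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost")  print "local"
            else                                                                   print bind
        }
    ' "$1"
}
```

Run it as `mysql_listen_mode /etc/my.cnf`; anything other than `none` or `local` means the port is reachable from whatever can route to that interface, and the firewall rules below are what actually limits the clients.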
Using iptables gives much more flexibility. This example is for Red Hat; other distros will be very similar, but the saved-rules file will live elsewhere (Debian and Ubuntu have no /etc/sysconfig/iptables; their iptables-persistent package reads /etc/iptables/rules.v4). I used this iptables how-to at Ubuntu to figure out the basics.
# accept local connections to port 3306
# (-A appends to the end of INPUT: if the chain already holds a catch-all ACCEPT or DROP, that rule wins, so check `iptables -L INPUT -n --line-numbers` first)
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
# add any other IP addresses we want to give access
iptables -A INPUT -p tcp --dport 3306 -s $MONITORING_SYSTEM_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s $ADMIN_IP -j ACCEPT
# reject anything else
iptables -A INPUT -p tcp --dport 3306 -j REJECT
# save these rules so we don't lose the changes on restart (on Red Hat, `service iptables save` writes the same file)
iptables-save > /etc/sysconfig/iptables
Update 20110427:
Using a plain REJECT doesn't hide the existence of the service completely: for TCP, iptables' default REJECT answers with an ICMP Port Unreachable, which a port scanner reports as "filtered", i.e. as evidence that something is listening behind a firewall. A better solution is to REJECT using the --reject-with tcp-reset option, which answers with a TCP RST, the same response a connection attempt to a closed port would receive. (DROP is the other option; it also makes the port look filtered, and simply leaves scanners and mistyped client connections waiting for a timeout.)
# accept local connections to port 3306
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
# add any other IP addresses we want to give access
iptables -A INPUT -p tcp --dport 3306 -s $MONITORING_SYSTEM_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s $ADMIN_IP -j ACCEPT
# reject anything else
iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
# save these rules so we don’t lose the changes on restart
iptables-save > /etc/sysconfig/iptables
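Both rule sets above are typed by hand with shell variables for the allowed addresses, which is where things go wrong: an unset $ADMIN_IP silently turns `-s $ADMIN_IP -j ACCEPT` into a broken rule. The following POSIX shell script is an added example, not code from the original post. It builds the same allow-list as a fragment in the iptables-restore format that /etc/sysconfig/iptables uses, refuses anything that is not a valid IPv4 address or prefix, and checks the live kernel rules with `iptables -C`. The chain name MYSQL_IN and the MYSQL_PORT variable are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): build the allow-list firewall for
# MySQL as an iptables-restore fragment, fail closed on bad input, and check the
# live rules. The chain name MYSQL_IN and the port variable are assumptions.
MYSQL_PORT=3306

# valid_ipv4 ADDR[/PREFIX]: accept only a dotted quad with an optional prefix, so
# a mistyped or empty address variable can never widen the rule set or produce
# a broken rule that leaves the port open.
valid_ipv4() {
    ip="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32          # no "/", so a single host
    case "$ip"  in ''|*[!0-9.]*) return 1 ;; esac
    case "$pfx" in ''|*[!0-9]*)  return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0; oldifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        if [ -z "$octet" ] || [ "$octet" -gt 255 ]; then IFS=$oldifs; return 1; fi
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# mysql_fw_rules "IP IP/PREFIX ...": print a filter-table fragment in the format
# of /etc/sysconfig/iptables. Loopback is always allowed; an empty list therefore
# yields a loopback-only rule set (fail closed). Everything else gets a TCP RST,
# so a scanner sees exactly what a closed port would send.
mysql_fw_rules() {
    for ip in 127.0.0.1 $1; do
        valid_ipv4 "$ip" || { echo "mysql_fw_rules: refusing bad address '$ip'" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':MYSQL_IN - [0:0]' \
        "-A INPUT -p tcp -m tcp --dport $MYSQL_PORT -j MYSQL_IN"
    for ip in 127.0.0.1 $1; do
        printf '%s\n' "-A MYSQL_IN -s $ip -p tcp -m tcp --dport $MYSQL_PORT -j ACCEPT"
    done
    printf '%s\n' "-A MYSQL_IN -p tcp -m tcp --dport $MYSQL_PORT -j REJECT --reject-with tcp-reset" COMMIT
}

# mysql_fw_check: confirm the live kernel rule set still has both the jump into
# MYSQL_IN and the tcp-reset fallback (needs root; non-zero if either is gone).
mysql_fw_check() {
    iptables -C INPUT -p tcp -m tcp --dport "$MYSQL_PORT" -j MYSQL_IN 2>/dev/null &&
    iptables -C MYSQL_IN -p tcp -m tcp --dport "$MYSQL_PORT" -j REJECT --reject-with tcp-reset 2>/dev/null
}
```

Usage on a host that has no other firewall rules: `mysql_fw_rules "$MONITORING_SYSTEM_IP $ADMIN_IP" > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables && mysql_fw_check`. Plain `iptables-restore` replaces the whole filter table with this fragment; on a host that already carries rules, merge the MYSQL_IN chain into the existing file instead (or load it with `iptables-restore -n`, remembering that an earlier catch-all rule in INPUT still takes precedence over the appended jump).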