
MySQL Network Security Must Know

Posted: 20 Oct, 2018
by: Liaw E.
Updated: 21 Oct, 2018
by: Liaw E.

MySQL comes with plenty of network security tools. Here are the essential ones:

  1. MySQL Bind-Address - how/from where MySQL listens for connections
  2. MySQL User security - who can connect, from where
  3. Firewall - not MySQL directly, what network traffic the server allows in/out

MySQL Bind Address

The bind-address configuration within MySQL tells MySQL on which networks it can listen for connections.

Note that MySQL is usually configured to accept connections from a local socket file (a Unix socket). The hostname "localhost" usually means the Unix socket is being used. Unix sockets are file-like endpoints on the local filesystem, so they are only reachable from within the local server.

The bind-address setting tells MySQL whether it can listen on a TCP socket for new connections. We have three basic ways to configure bind-address:

  • MySQL can bind to no networks (connect over localhost only, e.g. a unix socket)
  • MySQL can bind to all networks (0.0.0.0)
  • MySQL can bind to a specific network, e.g. a public network that the whole internet can reach, or a private network that can only be reached from within a data center

The default configuration for bind-address is to listen on all networks! If bind-address is commented out or not defined, MySQL listens on every interface, which is an inherently insecure setting.

The more restrictive we can be, the better. If our application is on the same server as the database, we can stop MySQL from binding to any network at all (listening only on the local Unix socket instead). More common is to also bind to the loopback address 127.0.0.1, so that both localhost (Unix socket) and 127.0.0.1 (TCP socket) connections work, but nothing else.

Such a setup looks like this:

[mysqld]
# Unix socket settings (making localhost work)
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock

# TCP Socket settings (making 127.0.0.1 work)
port            = 3306
bind-address    = 127.0.0.1

MySQL User Security

In addition to setting what networks MySQL listens on, we can set where users are allowed to connect from. This means we can say "user my_app_user can only connect to MySQL from the server whose address is 192.168.33.10".

Let's see how that looks in MySQL.

What users exist

Run the following to see what users exist on the MySQL server:

mysql> SELECT User, Host FROM mysql.user;
+-----------+-----------+
| User      | Host      |
+-----------+-----------+
| root      | 127.0.0.1 |
| root      | ::1       |
| mysql.sys | localhost |
| root      | localhost |
+-----------+-----------+
4 rows in set (0.00 sec)

We can see that we have three root users and one system user.

  • root@127.0.0.1 - Can connect using the IPv4 loopback address 127.0.0.1
  • root@::1 - Can connect using the IPv6 loopback address ::1
  • root@localhost - Can connect using the Unix socket

Note that localhost in MySQL will mean connecting over the Unix socket, even if the hostname localhost resolves to IP address 127.0.0.1.

Application Users

We need to make MySQL users for our applications to use.

Let's pretend that our MySQL server is in a single region with networks:

  • Public IPv4: 159.203.81.145
  • Private IPv4: 10.132.30.23

And an application server in the same data center with networks:

  • Public IPv4: 104.131.100.163
  • Private IPv4: 10.132.51.34

Since these two servers are within the same private network (10.132.*.*), they can communicate with each other. Let's set up the application server so that it can connect to the MySQL server.

We have a few tools we can use:

  • Hostnames (example.com)
  • Explicit IP addresses (192.168.10.10)
  • Wildcards (192.168.10.%)
  • Netmasks
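Putting the bind-address and user-security sections together, here is an added example (not from the original article) of what gets typed into the mysql client: checking what the running server is bound to, creating the application user restricted to the application server's private address 10.132.51.34, the looser wildcard and netmask forms, and an audit query for accounts reachable from anywhere. The database name app_db and the password placeholder are assumptions.

```sql
-- 1. Confirm what the running server is actually bound to.
--    Anything other than 127.0.0.1 or a private address deserves a second look.
SHOW VARIABLES LIKE 'bind_address';

-- 2. Tightest form: the application user may only connect from the
--    application server's private address on the shared 10.132.*.* network.
--    (app_db and the password are placeholders, not values from the article.)
CREATE USER 'my_app_user'@'10.132.51.34'
  IDENTIFIED BY 'REPLACE-WITH-A-STRONG-PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'my_app_user'@'10.132.51.34';

-- 3. Looser forms, only if the application runs on several hosts in the
--    private network. Wildcard (%) in the host part matches any 10.132.x.y:
-- CREATE USER 'my_app_user'@'10.132.%' IDENTIFIED BY '...';
--    Netmask form (client_ip/netmask), equivalent to the wildcard above:
-- CREATE USER 'my_app_user'@'10.132.0.0/255.255.0.0' IDENTIFIED BY '...';

-- 4. Verify the grants for exactly that user@host pair; a different host
--    part is a different account with its own privileges.
SHOW GRANTS FOR 'my_app_user'@'10.132.51.34';

-- 5. Audit: list every account whose host part contains a wildcard.
--    Host = '%' means the account can be reached from any address MySQL
--    is listening on, which combined with bind-address = 0.0.0.0 means
--    anywhere on the internet.
SELECT User, Host
FROM mysql.user
WHERE INSTR(Host, '%') > 0
ORDER BY User, Host;
```

No FLUSH PRIVILEGES is needed after CREATE USER or GRANT; it is only required when the grant tables are edited directly.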

Courtesy: https://serversforhackers.com/c/mysql-network-security
