MySQL comes with plenty of network security tools. Here are the essential ones:
- MySQL Bind-Address - how/from where MySQL listens for connections
- MySQL User security - who can connect, from where
- Firewall - not MySQL directly, what network traffic the server allows in/out
MySQL Bind Address
bind-address configuration within MySQL tells MySQL on which networks it can listen for connections.
Note that MySQL is usually configured to accept connections from a local socket file (a unix socket). The hostname "localhost" usually implies it's using the unix socket. Unix sockets are faux-files, so they are only accessible from within the local server.
bind-address setting tells MySQL whether it can listen on a TCP socket for new connections. We have three basic ways to configure
- MySQL can bind to no networks (connect over
localhost only, e.g. a unix socket)
- MySQL can bind to all networks (
- MySQL can bind to a specific network, e.g. a public network that the whole internet can reach, or a private network that can only be reached from within a data center
The default configuration for
bind-address is to listen on all networks! If
bind-address is commented out or not defined, then it's inherently an insecure setting.
The more restrictive we can be, the better. If our application is on the same server as the database, we can close mysql from binding to any network (choosing instead to listening only on the local unix socket). More common is to also bind to the loopback network address
127.0.0.1 so both
localhost (unix socket) and
127.0.0.1 (tcp socket) connections work, but nothing else.
Such a setup looks like this:
# Unix socket settings (making localhost work)
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
# TCP Socket settings (making 127.0.0.1 work)
port = 3306
bind-address = 127.0.0.1
MySQL User Security
In addition to setting what networks MySQL listens on, we can set where users are allowed to connect from. This means we can say "user
my_app_user can only connect to MySQL from the server whose address is
Let's see how that looks in MySQL.
What users exist
Run the following to see what users exist on the MySQL server:
mysql> SELECT User, Host from mysql.user;
| User | Host
| root | 127.0.0.1
| root | ::1
| mysql.sys | localhost
| root | localhost
4 rows in set (0.00 sec)
We can see that we have three
root users and one system user.
email@example.com - Can connect using the loopback ipv4 network
root@::1 - Can connect using the loopback ipv6 network
root@localhost - Can connect using the unix socket
localhost in MySQL will mean connecting over the Unix socket, even if the hostname
localhost resolves to IP address
We need to make MySQL users for our applications to use.
Let's pretend that our MySQL server is in a single region with networks:
- Public Ipv4: 220.127.116.11
- Private Ipv4: 10.132.30.23
And an application server in the same data center with networks:
- Public Ipv4: 18.104.22.168
- Private Ipv4: 10.132.51.34
Since these two servers are within the same private network (
10.132.*.*), they can communicate to each other. Let's set the application server to be able to connect to the MySQL server.
We have a few tools we can use:
- Hostnames (
- Explicit IP addresses (
- Wildcards (