Get Started
Updated on June 14, 2024

How to restrict MySQL port access

Estimated reading: 3 minutes 262 views

On some Linux distributions, port 3306 is open after you install MySQL. This article describes two methods for restricting or blocking access to port 3306 on an unmanaged server.

The information in this article only applies to unmanaged products. You must have root access to the server to follow the procedures described below.

Method #1: Disable MySQL networking

If you do not need to access MySQL from an external computer, you can disable MySQL networking.

Follow the appropriate procedure below for your Linux distribution.

Even with MySQL networking disabled, you can still access MySQL securely from a remote computer if you need to. To do this, you can configure an SSH tunnel. For information about how to do this, please see this article.

CentOS and Fedora

To disable MySQL networking on CentOS and Fedora, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, use your preferred text editor to open the /etc/my.cnf file.
  3. Locate the following line in the my.cnf file:#skip-networkingIf this line is not in the my.cnf file, add it.
  4. Delete the # sign at the beginning of the line so the line looks like the following:
    skip-networking
  5. Save your changes to the /etc/my.cnf file, and then exit the text editor.
  6. Type the following command to restart the MySQL service:
    Copyservice mysqld restartPort 3306 is now closed on the server.
Debian and Ubuntu

By default, MySQL on Debian and Ubuntu is configured to only use the localhost interface (IP address 127.0.0.1) for networking. This means that port 3306 is closed to external connections. To confirm that this is the configuration on your server, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, use your preferred text editor to open the /etc/mysql/my.cnf file.
  3. Locate the MySQL bind-address line in the my.cnf file. It should look like the following:bind-address = 127.0.0.1If the MySQLbind-address line is set to 0.0.0.0 (or no address at all), then connections are open on all interfaces.
  4. If you made any changes to the /etc/my.cnf file, save them and then exit the text editor.
  5. To restart the MySQL service, type the following command:
    Copyservice mysql restartPort 3306 is now closed on the server.

Method #2: Configure firewall rules

You can use iptables to create firewall rules that restrict access to port 3306. The advantage of this method is that you can selectively grant or deny access to port 3306 based on IP addresses or other criteria.

For example, to block external access to port 3306 completely, type the following command:

Copyiptables -A INPUT -p tcp --dport 3306 -j DROP

Similarly, to grant access to a specific IP address and block all others, type the following commands. Replace xxx.xxx.xxx.xxx with the IP address for which you want to grant access:

Copyiptables -A INPUT -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

You can grant MySQL access to additional IP addresses by inserting rules in the INPUT chain before the DROP rule. For example:

Copyiptables -I INPUT 1 -p tcp --dport 3306 -s xxx.xxx.xxx.xxx -j ACCEPT

How to install the EPEL repository on CentOS

Share this Doc

How to restrict MySQL port access

Or copy link

CONTENTS