Is it safe to open port 3306 in Firewall for external MySQL Connection


Solution 1

Generally, restricting MySQL access to an IP address is a good idea. There can be some security concerns, but a good firewall should mitigate some of them. They would have to create an additional MySQL user for you, since MySQL does not allow multiple hosts (unless there's a wildcard) per user. You could request multiple users, one for each host that you are connecting from, or even do partial hosts (e.g. %.google.com).

An alternative solution is to create an SSH tunnel from your machine so that you can connect locally.

Here's a good article on how you can create an SSH tunnel with MySQL:

http://www.howtogeek.com/howto/ubuntu/access-your-mysql-server-remotely-over-ssh/

Solution 2

DO NOT open 3306.

Instead, do what every other server does: Open port 22 for secure ssh connection, then once logged on, connect locally to mysql.
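The tunnel approach recommended in Solutions 1 and 2, as an added example that is not from either answer or the linked article: it prints the ssh command that forwards a loopback-only local port to MySQL on the server, and includes a small check that the server's my.cnf binds mysqld to loopback only. The user name, host name and ports are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers: reach a remote MySQL server
# through an SSH tunnel instead of opening 3306 to the internet, and check
# that the server side only listens on loopback. User, host and ports are
# assumptions (placeholders); adjust them to your environment.
set -eu

SSH_USER="${SSH_USER:-ben}"            # assumed shell account on the DB host
SSH_HOST="${SSH_HOST:-db.example.com}" # placeholder hostname
LOCAL_PORT="${LOCAL_PORT:-3307}"       # local end of the tunnel
REMOTE_PORT="${REMOTE_PORT:-3306}"     # MySQL port as seen from the DB host

# Print the ssh command that opens the tunnel:
#  -N                           no remote shell, port forwarding only
#  -L 127.0.0.1:L:127.0.0.1:R   bind the local end to loopback so other
#                               machines on your LAN cannot ride the tunnel
#  -o ExitOnForwardFailure=yes  fail loudly instead of leaving an idle session
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$LOCAL_PORT" "$REMOTE_PORT" "$SSH_USER" "$SSH_HOST"
}

# Server-side check: given a my.cnf, succeed only if mysqld is told to listen
# on loopback alone, so a remote client must come through the tunnel even if
# a firewall rule for 3306 is ever added by mistake. No bind-address at all
# means the server default, which is not loopback-only, so that fails too.
mysql_bound_to_loopback() {
    addr=$(sed -n '/^[[:space:]]*bind-address[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' \
        "$1" | tail -n 1)
    [ "$addr" = "127.0.0.1" ] || [ "$addr" = "localhost" ] || [ "$addr" = "::1" ]
}

# Demo with a constructed config; the tunnel command is only printed because
# this script cannot know your real host.
demo() {
    tmp=$(mktemp)
    printf '[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n' > "$tmp"
    if mysql_bound_to_loopback "$tmp"; then
        echo "server config OK: mysqld listens on loopback only"
    else
        echo "WARNING: mysqld may accept connections from other hosts"
    fi
    rm -f "$tmp"
    echo "open the tunnel in one terminal with:"
    tunnel_cmd
    echo "then connect through it (127.0.0.1 forces TCP; 'localhost' would use the socket):"
    echo "mysql --protocol=TCP --host=127.0.0.1 --port=$LOCAL_PORT -u dbuser -p"
}

demo
```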

Solution 3

The secure approach is to close the port but if your server is a shared server with other clients using the same server, the ISP may not be willing to close the port. I have this exact issue with MySQL on my ISP. In my case, they've told me that "this does not represent a security risk for your account, because despite the fact that these ports are open, no one can connect with your credentials (unless they are stolen) while remote MySQL connections are turned off."

So if you have hard, secure passwords and remote connections off from the control panels and the server privileges are locked down, you're somewhat "safe" but not 100% "secure".

If the application is mission critical or contains sensitive data, I would move to a dedicated server if needed and absolutely close the port.


Author: Ben

Updated on September 18, 2022

Comments

  • Ben, over 1 year

    I want to connect to a MySQL DB that is hosted with an ISP using something like TOAD, Navicat or HeidiSQL. I was told by the ISP that MySQL is listening on port 3306 but the hardware firewall is not allowing outside connections to access (only localhost). I have the option of giving them IPs to add to the firewall, but that's not ideal because I work from home or on the road mostly, so my IP is always changing. If I open this up, am I asking for trouble? Are there any measures besides adding my IP to an IP table that I could take to mitigate the risks?

    • zerkms, almost 13 years
      It is always a bad idea to allow direct connections to your database.
  • Ben, almost 13 years
    Thanks. I've been able to SSH to the box, su to root, then # mysql -u root to get to the mysql CLI. I assume that means I've got everything in place to tunnel, right? Have never set it up that way, but I guess I'll learn :-) Thanks
  • Bill Karwin, almost 13 years
    +1 Yep, MySQL supports SSL itself, but it's confusing to use. It's easier to use an ssh tunnel with port-forwarding.
  • Ben, almost 13 years
    Thanks. I ended up using the SSH tunnel and it works well. No need to worry about IP tables or anything. Appreciate the help.