securing MySQL: easiest/best ways?

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue May 8 14:34:14 UTC 2012


On 08/05/2012 14:49, Paul Beard wrote:
> Monkeying with IPv6, I discovered that globally routable addresses
> are what it says on the tin, so hiding behind a network appliance is
> no longer viable for me. An nmap scan showed the port 3306 was
> hanging out for all to see but I couldn't figure out how to close it
> off. The "--skip-networking" argument seems not to work, either in
> my.cnf or as an rc argument. The server just fails to start. (For
> some reason the socket is hard-coded to live in /tmp, regardless of
> what's in my.cnf but I gave up bothering about that.)
> 
> What I ended up doing was adding
> 
> mysql_args="--bind-address=127.0.0.1"
> 
> to /etc/rc.conf. This seems to work as netstat and sockstat no longer
> show port 3306 listening and database connections are happening.
> 
> Is this the preferred/best way?

You have been restarting mysql to test changes to my.cnf?  You have to
do a full restart to get mysql to re-read the config file.  If you need
to reconfigure without interrupting service, you can set most parameters
at runtime using mysql(1).

Sounds almost as if the my.cnf you've been editing is not the my.cnf
that your mysql instance is using.  IIRC there was some talk about
moving from the usual BSD-ish /var/db/mysql/my.cnf to
/usr/local/etc/my.cnf (no doubt under some insidious influence from Linux.)

skip-networking certainly should leave you with just the unix domain
socket.  Alternatively you can bind mysql's network socket to a specific
interface -- so if you bind it to the loopback, it should make it
inaccessible from the network.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
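Both posters verify the fix by eyeballing netstat/sockstat output. The script below is an added example, not code from either message or from the MySQL or FreeBSD projects: it parses sockstat(1)-style listener output and flags any mysqld TCP socket bound to something other than loopback, which catches exactly the case in the question, where an IPv6 global address is exposed even though the IPv4 side looks fine. The embedded `SAMPLE` output is constructed for illustration; on a real FreeBSD host you would feed it `sockstat -46l` instead.

```shell
#!/bin/sh
# Added example: detect mysqld TCP listeners that are reachable off-loopback.
# Input is sockstat(1)-style text (USER COMMAND PID FD PROTO LOCAL FOREIGN).

# Constructed sockstat -46l output: mysqld is on 127.0.0.1 for IPv4 but is
# also bound to a globally routable IPv6 address (2001:db8::/32 is the
# documentation prefix, used here as a stand-in).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
mysql    mysqld     1234  11 tcp6   2001:db8::1:3306      *:*
root     sshd       501   3  tcp6   *:22                  *:*'

# is_loopback ADDR: succeed if ADDR is 127.0.0.0/8 or ::1, fail otherwise.
# A bare "*" (wildcard bind) is deliberately treated as not loopback.
is_loopback() {
  case "$1" in
    127.*) return 0 ;;
    ::1)   return 0 ;;
    *)     return 1 ;;
  esac
}

# exposed_mysql_listeners: read sockstat-style lines on stdin, print
# "PROTO ADDR PORT" for every mysqld tcp4/tcp6 listener not on loopback.
# Returns 0 when nothing is exposed, 1 when at least one listener is.
exposed_mysql_listeners() {
  rc=0
  while read -r user cmd pid fd proto laddr foreign; do
    [ "$cmd" = "mysqld" ] || continue
    case "$proto" in tcp4|tcp6) ;; *) continue ;; esac
    # Strip the trailing ":port"; this also works for IPv6 literals
    # because only the last colon is removed.
    addr=${laddr%:*}
    port=${laddr##*:}
    if ! is_loopback "$addr"; then
      printf '%s %s %s\n' "$proto" "$addr" "$port"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed sample. On FreeBSD use:
#   sockstat -46l | exposed_mysql_listeners
if printf '%s\n' "$SAMPLE" | exposed_mysql_listeners; then
  echo "ok: mysqld listens only on loopback"
else
  echo "WARNING: mysqld is reachable off-loopback (listed above)"
fi
```

Run it again after restarting mysqld with `--bind-address=127.0.0.1` or `skip-networking`; the second case should yield no tcp4/tcp6 rows for mysqld at all, only the unix-domain socket, which this check ignores.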


