Security Advisor: close port 3306 in the server's firewall
I received the following message on the Security Advisor panel in WHM:
The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall.
So I prepared the following:
/etc/my.cnf edited with nano (skip-networking added) and the mysql service restarted,
and the following command added:
# iptables -A INPUT -p tcp --dport 3306
Then the server was restarted, and I received the same message as above on Security Advisor.
Please advise.
Hi @Lillike, I'm a bit confused about what you did here. Why did you add skip-networking rather than configure the bind address? The iptables rule you've listed doesn't close 3306; there's no DROP in place. To block a port in iptables directly, the rule should be something like: iptables -A INPUT -p tcp --dport 3306 -j DROP
-A = append one or more rules to the end of the chain
INPUT = inbound connections
-p = protocol; in this instance it's tcp
--dport = destination port; in this instance it's port 3306
-j = specifies the target of the rule, i.e., what to do if the packet matches it. DROP is specified so the packet is dropped.
Thanks!
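An added check, not part of the thread or of cPanel's own tooling, that covers both remedies the Security Advisor message offers: whether my.cnf leaves mysqld reachable over TCP, and whether the INPUT chain actually drops port 3306. Each function takes the file or listing contents as text (pass "$(cat /etc/my.cnf)" and "$(iptables -S INPUT)" on a live box), and the samples below are constructed here, modelled on the configuration and rules posted in this thread. A rule without a -j target, as in the first attempt above, is deliberately reported as no rule, because iptables accepts it but it only counts packets.

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks for the two fixes the
# Security Advisor message proposes. Both take text as their first argument,
# so they run against the constructed samples below or the live files.

# Prints one of: skip-networking | local-only | exposed
# Only the [mysqld] section counts; a later directive overrides an earlier one;
# no bind-address at all means the MySQL default, which is all interfaces.
mysql_tcp_exposure() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        !in_mysqld || /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)           # strip trailing comment
            n = split(line, kv, "=")
            key = kv[1]; val = (n > 1) ? kv[2] : ""
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            gsub(/-/, "_", key)                          # skip-networking == skip_networking
            if (key == "skip_networking" && val != "0" && tolower(val) != "off")
                verdict = "skip-networking"
            else if (key == "bind_address")
                verdict = (val == "127.0.0.1" || val == "localhost" || val == "::1") ? "local-only" : "exposed"
        }
        END { if (verdict == "") verdict = "exposed"; print verdict }'
}

# Prints one of: blocked | allowed | no-rule
# Walks `iptables -S INPUT` in order, because the first matching rule wins.
# A rule with no -j target only counts packets and is skipped; rules limited
# to a source (-s) are skipped because they do not block everyone. Equivalent
# forms such as -m multiport --dports are out of scope for this check.
fw_blocks_3306() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && !/ -s / && (/ --dport 3306 / || / --dport 3306$/) {
            if ($0 ~ / -j (DROP|REJECT)/) { verdict = "blocked"; exit }
            if ($0 ~ / -j ACCEPT/)        { verdict = "allowed"; exit }
        }
        END { if (verdict == "") verdict = "no-rule"; print verdict }'
}

# Constructed samples (not real hosts): my.cnf variants and iptables -S listings.
MYCNF_SKIP='[mysqld]
innodb_file_per_table=1
default-storage-engine=MyISAM
skip-networking
'
MYCNF_LOCAL='[mysqld]
bind-address = 127.0.0.1   # loopback only
[mysqld_safe]
log-error=/var/log/mysqld.log
'
MYCNF_ALL='[mysqld]
bind-address=*
'
RULES_COUNT_ONLY='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3306'
RULES_DROP='-P INPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j DROP'
RULES_ACCEPT_FIRST='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP'

# Usage on a live server: report "$(cat /etc/my.cnf)" "$(iptables -S INPUT)"
report() {
    echo "mysql tcp exposure: $(mysql_tcp_exposure "$1")"
    echo "firewall on 3306:   $(fw_blocks_3306 "$2")"
}
report "$MYCNF_SKIP" "$RULES_COUNT_ONLY"
```

Both checks read configuration rather than probing the port, so they complement an nmap scan from another host: the config tells you what was intended, the scan tells you what is reachable.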
Hello Lauren,
iptables -A INPUT -p tcp --dport 3306 -j DROP
I added the above command, and Sec. Adv. sent the following message again: The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall. Please advise.
Hi @Lillike, can you confirm that you've restarted both services, then show me the following:
iptables -L -n |grep 3306
cat /etc/my.cnf
The server had been restarted.
root@ip-192-xxx [~]# iptables -L -n |grep 3306
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
root@ip-192-xxxx [~]# cat /etc/my.cnf
[mysqld]
innodb_file_per_table=1
max_allowed_packet=268435456
innodb_buffer_pool_size=134217728
open_files_limit=10000
default-storage-engine=MyISAM
skip-networking
Hi @Lillike, just to confirm: based on this, you've added the iptables rule only and not anything to my.cnf. Can you provide the output of the following: nmap -sU -sT -p 3306
Thanks!
nmap -sU -sT -p 3306
root@ip-192-xxx [~]# nmap -sU -sT <192.xxx> -p 3306
-bash: 192-xxx: No such file or directory
Hi @Lillike, can you remove the < > and just put your IP address there? Those were only present to delineate where the IP should go. Thanks!
Lauren, sorry for the misunderstanding... So:
root@ip-192-xxx [~]# nmap -sU -sT 192.xxx -p 3306
-bash: nmap: command not found
Hi @Lillike, that's fine! It doesn't look like you have nmap installed on the server, though. You can run
yum -y install nmap
or run it from a terminal with the package installed.
Hi Lauren,
root@ip-192-xxx [~]# nmap -sU -sT 192.xxx -p 3306
Starting Nmap 5.51 ( Nmap: the Network Mapper - Free Security Scanner ) at 2018-06-25 08:16 MST
Nmap scan report for ip-192-xxx.ip.secureserver.net (192.xxx)
Host is up (0.000096s latency).
PORT     STATE    SERVICE
3306/tcp filtered mysql
3306/udp closed   unknown
And Sec. Adv.'s message is the same again: The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall.
Hi @Lillike,
"And Sec. Adv.'s message is the same again: The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall."
That's because we haven't changed anything; all I wanted you to do was check if the port was fully closed.