
The MySQL service is currently configured to listen on all interfaces

Comments

23 comments

  • Ra1n3R
    Same here, after the last update (.56 build 20), but under MySQL 5.6.30. I didn't change anything before this last update.
    0
  • adon7969
    Hi, I have the same issue.
    0
  • hushnun
    Same here, should we put in the entry bind-address=127.0.0.1 into /etc/my.cnf?
    0
  • gmedia01
    What did you guys find out with this message? Chris
    0
  • Legendary
    > I am getting this red-highlighted error in the security advisor on two cPanel servers: "The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf". Both servers are running MariaDB 10.0. The database setup was done using cPanel-provided scripts, not manually, so I'm wondering why it has been configured to listen to all interfaces in the first place. Is it safe to go ahead and make the suggested change?

    Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.
    0
  • AM2015
    > Same here, should we put in the entry bind-address=127.0.0.1 into /etc/my.cnf?

    I don't know but I couldn't find any reason not to - so I added that line & restarted MySQL... and as far as I can tell everything on my server still works. So it seems like a good idea. I'm currently running MySQL v. 5.6.30. I do wish that the Security Advisor would be more informative with its alerts -- a link to a help page with a simple explanation as to what the risks created are, and what circumstances might be reasons not to implement the suggested change -- would be nice.
    0
  • jettdigitals
    > I do wish that the Security Advisor would be more informative with its alerts

    Same here, since this was "high alert" got text message and woke me up way too early:) Simple link to a help page would have allowed me to get back to sleep...
    0
  • HowardE
    > Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.

    Other than this, going to the /etc/my.cnf file and adding bind-address=127.0.0.1 then restarting MySQL (home > Restart Services > SQL Server (MySQL)) you should be good.
    0
  • rpvw
    I also suddenly got this warning (email and Security Advisor) after updating cPanel from 56.0.17 to 56.0.18. I added the line in my.cnf as instructed and restarted MySQL (5.6.30) and everything appears to be working fine, but I have not tried rebooting the server to see if the change to my.cnf is persistent.
    0
  • morrow95
    > Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.

    Add me to the list as well. High alerts early this morning and in my case MariaDB on remote server. Correct me if I am wrong, but when you set up a remote database you are supposed to comment out 'bind-address' - at least that is what I remember - right? I agree with everyone else, a link with more information and possible caveats such as this would go a long way.
    0
  • rpvw
    Perhaps my following comments would best be split into a new thread - but since they sort of started here, I shall leave it to the forum staff to decide:

    The Home » Security Center » Security Advisor loops through a list of built-in assessors which report to screen. The Home » Server Contacts » Contact Manager > Notifications has just one switch (Security Advisor State Change) that covers all the Assessors.

    I have no idea why the Assessors started to bitch about MySQL bind addresses, I could see nothing in the change logs that indicated something would provoke this new behavior.

    Nevertheless, perhaps what we need to see is either a new interpretation of the Contact Manager/Notifications that breaks out all the Assessors into the same screen and then has an extra column for the admin to include in either the alert list and/or the security advisor

    >>OR<< The equivalent of the Contact Manager/Notifications page but exclusively for the Security Assessors with simple toggle states beside each

    >>OR<< Some flat file or database that can be edited to decide which assessors are included in the Security Advisor tests.
    0
  • Ra1n3R
    any news about it?
    0
  • dalem
    Choose to ignore, as you should be running a firewall with the MySQL port closed, with remote MySQL users' IPs white-listed anyway, so it's really not a security issue. If you have no use for remote MySQL then yes, enable it. But I would bet many operators have remote MySQL users. I know we do, as well as MySQL replication, and it would break them all. So maybe the check needs to be rewritten so it checks to see if the MySQL port is even open before scaring all the novice users :(
    0
  • alexzorba
    I received the following message from cPanel: "The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf". Can someone explain what this error means? How do I bind the address to 127.0.0.1 here? Does it affect my remote MySQL?
    0
  • Tool Outfitters
    It appears that the default used to be bind-address=0.0.0.0. Source: MySQL :: MySQL 5.6 Reference Manual :: 5.1.3 Server Command Options

    The server treats different types of addresses as follows:
    • If the address is *, the server accepts TCP/IP connections on all server host IPv6 and IPv4 interfaces if the server host supports IPv6, or accepts TCP/IP connections on all IPv4 addresses otherwise. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is permitted (and is the default) as of MySQL 5.6.6.
    • If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. This is the default before MySQL 5.6.6.
    • If the address is ::, the server accepts TCP/IP connections on all server host IPv4 and IPv6 interfaces.
    • If the address is an IPv4-mapped address, the server accepts TCP/IP connections for that address, in either IPv4 or IPv6 format. For example, if the server is bound to ::ffff:127.0.0.1, clients can connect using --host=127.0.0.1 or --host=::ffff:127.0.0.1.
    • If the address is a "regular" IPv4 or IPv6 address (such as 127.0.0.1 or ::1), the server accepts TCP/IP connections only for that IPv4 or IPv6 address.
    0
  • Michael-Inet
    > the default used to be bind-address=0.0.0.0.
    > If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. This is the default before MySQL 5.6.6.
    > If the address is *, the server accepts TCP/IP connections on all server host IPv6 and IPv4 interfaces

    Basically nothing changed to the config, but now we get high alert spammed by cPanel to break everyone's remote MySQL setups :( Nice Job cPanel!
    0
  • Gauravk
    After so many replies, nobody cares to answer this properly on how to get rid of this issue! I am not as techy as a few guys here but am managing a car community and am scared if this might cause a security issue? I have the below two issues and would appreciate it if someone can explain properly how to get rid of this bind-address? Thanks in advance.
    • No symlink protection detected: You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following
    0
  • Michael-Inet
    > appreciate if someone can explain properly how to get rid of this bind-address?
    > The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf

    Hi Gauravk,

    You will need to confer with whoever set up your cPanel/WHM software AND whoever has set up the rest of your IT infrastructure to determine this, as anybody outside of your organization won't know enough to tell you what to do. It's basically a binary decision:
    - IF! your MySQL service is used by NO applications/processes/backups that are external to your server then just follow the instructions given in the cPanel message.
    - DO NOT follow the instructions given in the cPanel message if your MySQL service is used by anything external to your server.

    Hope that helps. Best, Michael
    0
  • cPanelMichael
    Hello, Internal case CPANEL-6125 is open to address the confusion generated when Security Advisor issues a warning about MySQL listening on all interfaces. There's currently no specific time frame to offer on a resolution, but I will update this thread as more information becomes available. The current workaround is to manually add the "bind-address=127.0.0.1" line to your /etc/my.cnf file and then restart the MySQL server. Note that MySQL will listen for TCP/IP connections only locally on the loopback interface and will not accept remote connections when this line is added to the /etc/my.cnf file. Thank you.
    0
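The workaround above only takes effect once MySQL has been restarted, and the manual excerpt quoted earlier in the thread defines what each bind-address value means. As an added example (not part of the thread and not cPanel's code), this Python script classifies the configured value by those rules and compares it with the sockets actually listening; the function names and the sample my.cnf and `ss -ltn` lines are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs (not taken from any server in this thread).
SAMPLE_MYCNF = "[mysqld]\nbind_address = 0.0.0.0\nbind-address=127.0.0.1  # last one wins\n"
SS_STALE = "LISTEN 0 80 *:3306 *:*\nLISTEN 0 128 127.0.0.1:25 0.0.0.0:*"
SS_FRESH = "LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*"

def mysqld_bind_address(mycnf_text):
    """bind-address from [mysqld], or None if unset (!include files not followed)."""
    section, value = None, None
    for raw in mycnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";!":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key.replace("_", "-").lower() == "bind-address":
                value = val.strip("'\"")
    return value

def bind_scope(addr):
    """Classify an address by the rules quoted from the MySQL manual."""
    if addr is None or addr == "*":
        return "all-interfaces"       # unset falls back to the server default
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"             # would have to be resolved first
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    ip = mapped if mapped is not None else ip
    if ip.is_unspecified:             # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "single-address"

def listening_scopes(ss_output, port=3306):
    """Scopes of the TCP listeners on `port` found in `ss -ltn` output."""
    scopes = set()
    for cols in (line.split() for line in ss_output.splitlines()):
        if len(cols) >= 5 and cols[0] == "LISTEN":
            addr, _, lport = cols[3].rpartition(":")
            if lport == str(port):
                scopes.add(bind_scope(addr.strip("[]")))
    return scopes

def restart_pending(mycnf_text, ss_output, port=3306):
    """True if my.cnf says loopback but a live listener is wider than that."""
    configured = bind_scope(mysqld_bind_address(mycnf_text))
    return configured == "loopback" and bool(listening_scopes(ss_output, port) - {"loopback"})
```

On a real server the second argument would be the captured output of `ss -ltn`, and a True result means the edited my.cnf has not yet been picked up by the running server.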
  • Chris Sigfrid
    If you are using remote SQL services, binding to localhost, i.e. 127.0.0.1, breaks the remote white list in WHM. We tried adding remote IPs to /etc/my.cnf ... to no avail. If you are not using remote services, add it to /etc/my.cnf. For sure needs a rewrite or tweak.
    0
  • Chris Sigfrid
    > I received the following message from cPanel: "The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf". Can someone explain what this error means? How do I bind the address to 127.0.0.1 here? Does it affect my remote MySQL?

    Hi Alex, yes it does affect remote connections. Any IPs in the white list will be broken. It turns off remote connections. After doing an update lost all remote services, after update. MySQL listens on single socket for any TCP/IP connections.

    Comment out for quick fix: #bind-address=127.0.0.1 or change to 0.0.0.0

    For long term solution enable remote, until this is updated.

    Here is a couple solutions via firewall/iptable rules:
    cyberciti.biz/faq/unix-linux-mysqld-server-bind-to-more-than-one-ip-address/
    vultrcoupons.com/2015/07/05/under-centos-server-mysql-bind-multiple-ip-address/

    Other options are Rest/Soap API
    0
  • twhiting9275
    Yeah, seems like cPanel screwed up horribly on this one. It's sad that, rather than fix this properly, this is still getting ignored. Isolating your service to localhost is great, except it's not appropriate in every case. Allowing MySQL to listen to every interface is not a security risk, not at all.
    0
  • cPanelMichael
    Hello, I've added a comment to the internal case to note the additional feedback to this thread. Here's the relevant code from Security Advisor where this check occurs for anyone interested:

    SecurityAdvisor - sub _check_for_public_bind_address

        sub _check_for_public_bind_address {
            my $self = shift;

            my $mycnf        = Cpanel::MysqlUtils::MyCnf::Full::etc_my_cnf();
            my $bind_address = $mycnf->{'mysqld'}->{'bind-address'};
            my $port         = $mycnf->{'mysqld'}->{'port'} || '3306';

            # Firewall rules that DROP or REJECT traffic to the MySQL port (IPv4, then IPv6).
            my @deny_rules = grep { /--dport \Q$port\E/ && /-j (DROP|REJECT)/ }
              split /\n/, Cpanel::SafeRun::Errors::saferunnoerror( '/sbin/iptables', '--list-rules' );
            my @deny_rules_6 = grep { /--dport \Q$port\E/ && /-j (DROP|REJECT)/ }
              split /\n/, Cpanel::SafeRun::Errors::saferunnoerror( '/sbin/ip6tables', '--list-rules' );

            # From: http://dev.mysql.com/doc/refman/5.5/en/server-options.html
            # The server treats different types of addresses as follows:
            #
            # If the address is *, the server accepts TCP/IP connections on all server
            # host IPv6 and IPv4 interfaces if the server host supports IPv6, or accepts
            # TCP/IP connections on all IPv4 addresses otherwise. Use this address to
            # permit both IPv4 and IPv6 connections on all server interfaces. This value
            # is permitted (and is the default) as of MySQL 5.6.6.
            #
            # If the address is 0.0.0.0, the server accepts TCP/IP connections on all
            # server host IPv4 interfaces. This is the default before MySQL 5.6.6.
            #
            # If the address is ::, the server accepts TCP/IP connections on all server
            # host IPv4 and IPv6 interfaces.
            #
            # If the address is an IPv4-mapped address, the server accepts TCP/IP
            # connections for that address, in either IPv4 or IPv6 format. For example,
            # if the server is bound to ::ffff:127.0.0.1, clients can connect using
            # --host=127.0.0.1 or --host=::ffff:127.0.0.1.
            #
            # If the address is a "regular" IPv4 or IPv6 address (such as 127.0.0.1 or
            # ::1), the server accepts TCP/IP connections only for that IPv4 or IPv6
            # address.

            if ( defined($bind_address) ) {
                my $version = ( Cpanel::IP::Parse::parse($bind_address) )[0];

                if ( Cpanel::IP::Loopback::is_loopback($bind_address) ) {
                    $self->add_good_advice( text => "MySQL is listening only on a local address." );
                }
                elsif (
                       ( ( $version == 4 ) && @deny_rules && ( ( $bind_address =~ /ffff/i ) ? @deny_rules_6 : 1 ) )
                    || ( ( $version == 6 ) && @deny_rules_6 )
                    || ( csf_port_closed($port) )
                ) {
                    $self->add_good_advice( text => "The MySQL port is blocked by the firewall, effectively allowing only local connections." );
                }
                else {
                    $self->add_bad_advice(
                        text       => "The MySQL service is currently configured to listen on a public address: (bind-address=$bind_address)",
                        suggestion => [ 'Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port [_1] in the server’s firewall.', $port ],
                    );
                }
            }
            else {
                # No bind-address in my.cnf: this branch reports it as bind-address=*.
                if ( ( @deny_rules && @deny_rules_6 ) || ( csf_port_closed($port) ) ) {
                    $self->add_good_advice( text => "The MySQL port is blocked by the firewall, effectively allowing only local connections." );
                }
                else {
                    $self->add_bad_advice(
                        text       => 'The MySQL service is currently configured to listen on all interfaces: (bind-address=*)',
                        suggestion => [ 'Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port [_1] in the server’s firewall.', $port ],
                    );
                }
            }

            return 1;
        }

    The Security Advisor GitHub commit for this change is located at: Add warning when MySQL is listening on a public address

    I'll update this thread with more information as it becomes available. Thank you.
    0
