Question about "MySQL service is currently configured to listen on all interfaces"
Howdy,
Out of the blue, my VPS sent me this New Security Advisor notification with High importance:
The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf or use the server’s firewall to restrict access to TCP port “3306”.
When I asked my web host about it, they said:
MySQL should be listening on all interfaces unless you specifically want to change that. Your firewall configuration is set as the default MySQL configuration that all servers are configured with. Again, we can change it but it isn't recommended by us.
So I'm looking for advice on what to do. To my knowledge, I have no remote MySQL needs. I do Softaculous WP restores from time to time, does that count?
Thanks for your advice.
-
Hey cPRex, do you have any thoughts on this? Thanks!
0 -
Hey there! Their advice is taken straight from our guide, so it's fine to implement that change to restrict the access:
0 -
Seems like my web host was recommending the opposite of what the cPanel guide says, which is why I was confused.
So, if it were you, you would restrict the access?
0 -
Ah, I misread what they were saying.
Restricted is always better in my mind than wide-open access. Unless you need MySQL listening for remote connections all the time, you can make that change.
0 -
Thank you, cPRex!
0 -
So, I looked at the instructions and then opened my /etc/my.cnf file. The instructions say "Change the bind-address value to 127.0.0.1." Here is what's currently in my my.cnf file:
[mysqld]
disable-log-bin=1
default-authentication-plugin=mysql_native_password
innodb_file_per_table=1
performance-schema=0
# unix_socket=OFF
open_files_limit=40000
mysqlx=0
max_allowed_packet=268435456
sql_mode="ONLY_FULL_GROUP_BY,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"
tmp_table_size=122M
sort_buffer_size=524288
max_heap_table_size=122M
read_buffer_size=262144
key_buffer_size=134M
read_rnd_buffer_size=524288
join_buffer_size=1M
innodb_log_file_size=512M
innodb_buffer_pool_instances=2
innodb_buffer_pool_size=2G
So, am I just supposed to add the line
bind-address=127.0.0.1
anywhere in the file?
Thanks!
0 -
Yes, anywhere in that "mysqld" will work just fine.
0 -
I apologize, but I don't understand what you mean. You don't mean inside
[mysqld]
like
[mysqld bind-address=127.0.0.1]
do you? Rather, you mean anywhere beneath the line
[mysqld]
? Is that right?
0 -
The latter - a separate line, under the mysqld section.
0 -
Thank you! I will give it a try.
0
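A way to confirm the edit discussed in this thread landed in the right place, as an added example that is not from any poster or from cPanel: it reads one option file and reports which bind-address applies to the [mysqld] section. The function names are hypothetical, the sample file is constructed, it does not follow !include directives, and it treats a missing bind-address as all interfaces, matching the advisor message quoted above.

```shell
#!/bin/sh
# Added example: report the bind-address that applies to [mysqld] in one option file.

# Print the last bind-address set under [mysqld] (later lines override earlier
# ones); print nothing if that section does not set it.
mysqld_bind_address() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # a [section] header
            line = tolower($0)
            gsub(/[ \t\r]/, "", line)
            in_mysqld = (line == "[mysqld]")    # "[mysqld bind-address=...]" does not match
            next
        }
        in_mysqld {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            gsub(/_/, "-", key)                 # bind_address and bind-address are equivalent
            if (key != "bind-address") next
            val = substr($0, eq + 1)
            sub(/[ \t]+#.*$/, "", val)          # drop a trailing comment
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Classify the result. Assumption: an unset value means all interfaces.
mysqld_exposure() {
    addr=$(mysqld_bind_address "$1")
    case "$addr" in
        127.0.0.1|::1|localhost) echo "loopback" ;;
        ""|"*"|0.0.0.0|::)       echo "all-interfaces" ;;
        *)                       echo "other:$addr" ;;
    esac
}

# Constructed sample: a short [mysqld] section with the new line added beneath it.
sample=$(mktemp)
printf '[mysqld]\nmysqlx=0\nbind-address=127.0.0.1\n' > "$sample"
echo "sample file: $(mysqld_exposure "$sample")"
rm -f "$sample"
```

After restarting MySQL, `ss -ltn` should show port 3306 bound to 127.0.0.1 instead of `*` or `0.0.0.0`.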