【Danger】MySQL Port 3306 Open to External Access

We’ll highlight the most dangerous configuration mistakes that web system and server administrators often make without realizing.

“But the website is working fine, so it should be okay, right?”
“And there’s a password, so it must be safe.”

Not at all. This kind of negligence can lead to serious security incidents.

What happens if port 3306 is exposed to the internet?

Simply put, it’s like leaving the doors of your website or system’s database (MySQL or MariaDB) wide open to the world without any lock.

These databases often contain sensitive internal information and customer data used by your systems.

In other words, exposing such critical data online is basically saying: “Feel free to take our data.”

Even if your website or system is password-protected, these passwords can still be easily cracked through brute-force attacks.

* 127.0.0.1 is a special IP address reserved by the computer, representing “the local machine itself.”

Why does such a configuration occur?

This dangerous setting arises not only from a lack of knowledge but also tends to happen under certain working conditions.

The mindset of “it’s only temporary” or “it’s working, so it’s fine” often lays the groundwork for serious, irreversible problems.

The main causes can be categorized as follows.

Risks of exposing port 3306

Exposing port 3306 to the Internet is not just a simple misconfiguration—it poses a serious risk to business operations.

The specific dangers can be explained from the following perspectives.

① Opens a direct attack vector to the database

-- Attackers can connect to your database directly and execute commands.
DROP TABLE users;
DELETE FROM orders;

② Risk of data leakage

〇 Customer data (names, email addresses, contact info)
〇 Passwords (still risky even if hashed)
〇 All order history and other sensitive/confidential data

③ Complete site destruction

If the database is deleted, the website will stop functioning (the site may no longer display).

④ Server takeover

Attackers can pivot from the database into the rest of the system, using your server as a launchpad for further attacks (e.g., ransomware).

Check now whether port 3306 is exposed

You can use the online tools or commands below to verify whether MySQL port 3306 is publicly accessible.

① Check with online tools

Use port-checking websites to see if your server IP shows port 3306 as “OPEN”.

〇 ping.eu
https://ping.eu/port-chk

〇 you get signal
https://www.yougetsignal.com/tools/open-ports

② Check via server command line

If the connection works from within the server, take immediate action.

telnet [server IP] 3306

Proper configuration guide for MySQL port 3306

This guide explains the correct settings for MySQL port 3306, assuming that the web server and database run on the same host.

* Important: Before making any changes in a production environment, always back up your database. This ensures safety in case of configuration errors.

① Check the current configuration

Run the following command to view the current settings. If 0.0.0.0 or your server’s global IP appears, immediate action is required.

# Check MySQL configuration file * Verify bind-address 
sudo grep -r "bind-address" /etc/mysql/

# Check which network interface MySQL is currently listening on
sudo netstat -tlnp | grep mysql

[mysqld]
bind-address = 127.0.0.1　# This is safe！
# bind-address = 0.0.0.0　# If it looks like this, it’s dangerous！

② Edit the MySQL Configuration File

Modify the MySQL configuration to allow connections only from localhost.

# Edit the configuration file (path may vary by environment)
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

# Or
sudo nano /etc/mysql/my.cnf

In the MySQL configuration file, locate and update the following lines.

# Safe setting (confirm or modify to this)
bind-address = 127.0.0.1



# Dangerous settings (must be changed if present)
# bind-address = 0.0.0.0
# bind-address = server's public IP 

③ Apply the Configuration Changes

After saving the MySQL configuration file, restart MySQL to apply the changes.

# check configuration syntax（Optional but recommended）
sudo mysqld --validate-config

# Restart MySQL service
sudo systemctl restart mysql

# Or (depending on your system)
sudo service mysql restart

# Verify MySQL is running properly
sudo systemctl status mysql

④ Verify the Configuration

Check if the MySQL changes have been applied correctly.

# Verify MySQL is responding on the new configuration
sudo netstat -tlnp | grep mysql



# Expected output example：
# tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -

# Alternatively, check MySQL process info
sudo ps aux | grep mysql

If you see 127.0.0.1:3306, the configuration is successful, and the database is now secure from external access.

Troubleshooting

If your website cannot connect to the database after modifying MySQL settings, follow these steps.

1. Check the configuration file syntax – ensure there are no typos or extra characters.
2. Verify your web application’s connection settings – make sure the host is set to localhost or 127.0.0.1.
3. Check MySQL error logs – review the logs for detailed error messages.

# View MySQL error log
sudo tail -f /var/log/mysql/error.log 

Connecting to the Database from a Remote Environment

To connect to the database remotely, you must restrict access to a trusted fixed IP and use an SSH tunnel.

Opening the SSH port without specifying a trusted IP introduces a serious security risk.

① Restrict Access to a Fixed IP on the Database Server

〇 RHEL / AlmaLinux (using firewalld)

# Allow SSH connections only from a trusted fixed IP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[YOUR_FIXED_IP]" port port="22" protocol="tcp" accept'
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

# Verify the configuration
sudo firewall-cmd --list-all

〇 Ubuntu (using UFW)

# Allow SSH connections only from a trusted fixed IP
sudo ufw allow from [YOUR_FIXED_IP] to any port 22
sudo ufw deny 22
sudo ufw reload#

② Strengthen SSH Configuration

sudo nano /etc/ssh/sshd_config

Add or modify the following settings.

# Disable password authentication (key-based only)
PasswordAuthentication no

# Restrict login to a specific user from a fixed IP
AllowUsers username@[YOUR_FIXED_IP]

# Disable root login
PermitRootLogin no

After saving the changes, restart the SSH service.

sudo systemctl restart sshd

③ Establish an SSH Tunnel

After restricting access to a fixed IP, connect securely using an SSH tunnel.

This ensures all traffic is encrypted through SSH, and MySQL port 3306 is never exposed to the public network.

sh -L 3306:localhost:3306 [YOUR_USERNAME]@[SERVER_IP_OR_DOMAIN]

Summary

Exposing your database directly to the Internet is like leaving an unlocked safe on the street.

To avoid regrettable consequences, make sure to:

〇 Check that port 3306 is not publicly accessible
〇 Immediately fix the configuration if it is exposed
〇 Make regular security checks a routine

For website creation, server construction/operation