{"id":22612,"date":"2025-12-01T00:00:51","date_gmt":"2025-11-30T16:00:51","guid":{"rendered":"https:\/\/beyond-shenzhen.cn\/?post_type=blog&p=22612"},"modified":"2026-04-16T11:15:36","modified_gmt":"2026-04-16T03:15:36","slug":"mysql-port-danger","status":"publish","type":"blog","link":"https:\/\/beyond-shenzhen.cn\/en\/blog\/mysql-port-danger\/","title":{"rendered":"\u3010Danger\u3011MySQL Port 3306 Open to External Access"},"content":{"rendered":"

We\u2019ll highlight the most dangerous configuration mistakes that web system and server administrators often make without realizing.<\/p>\n

\u201cBut the website is working fine, so it should be okay, right?\u201d
\n\u201cAnd there\u2019s a password, so it must be safe.\u201d<\/p>\n

Not at all. This kind of negligence can lead to serious security incidents.<\/p>\n

What Happens If Port 3306 Is Exposed to the Internet?<\/h2>\n

Simply put, it\u2019s like leaving the doors of your website or system\u2019s database (MySQL or MariaDB) wide open to the world without any lock.<\/p>\n

These databases often contain sensitive internal information and customer data used by your systems.<\/p>\n

In other words, exposing such critical data online is basically saying: \u201cFeel free to take our data.\u201d<\/p>\n

Even if your website or system is password-protected, these passwords can still be easily cracked through brute-force attacks.<\/p>\n\n\n\n\n\n
Safe Configuration<\/span><\/td>\nDangerous Configuration<\/span><\/td>\n<\/tr>\n
Web Server<\/td>\n3306 port bound to localhost<\/span> or 127.0.0.1<\/span><\/td>\nWeb Server<\/td>\n3306 port bound to 0.0.0.0<\/span> or server\u2019s public IP<\/td>\n<\/tr>\n
External Access<\/td>\nCompletely blocked from external connections<\/td>\nExternal Access<\/td>\nOpen to external connections; anyone can access<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

* 127.0.0.1 is a special IP address reserved by the computer, representing \u201cthe local machine itself.\u201d<\/p>\n

Why Does Such a Configuration Occur?<\/h2>\n

This dangerous setting arises not only from a lack of knowledge but also tends to happen under certain working conditions.<\/p>\n

The mindset of \u201cit\u2019s only temporary\u201d or \u201cit\u2019s working, so it\u2019s fine\u201d often lays the groundwork for serious, irreversible problems.<\/p>\n

The main causes can be categorized as follows.<\/p>\n\n\n\n\n\n\n
Initial setup mistakes<\/td>\nRunning the production system with default tutorial or example settings (e.g., bind-address = 0.0.0.0).<\/td>\n<\/tr>\n
Temporary external service changes forgotten<\/td>\nDatabase connections are temporarily opened to integrate with external analysis or backup tools and then forgotten.<\/td>\n<\/tr>\n
Handover omissions<\/td>\nSettings changed by a predecessor as a \u201ctemporary fix\u201d were not documented and became permanent in production.<\/td>\n<\/tr>\n
External vendor errors<\/td>\nAn outsourced system company accidentally applied test environment settings to production.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Risks of exposing port 3306<\/h2>\n

Exposing port 3306 to the Internet is not just a simple misconfiguration\u2014it poses a serious risk to business operations.<\/p>\n

The specific dangers can be explained from the following perspectives.<\/p>\n

\u2460 Opens a Direct Attack Vector to the Database<\/h3>\n
\r\n-- Attackers can connect to your database directly and execute commands.\r\nDROP TABLE users;\r\nDELETE FROM orders;<\/span><\/span>\r\n<\/code><\/pre>\n
\u2461 Risk of Data Leakage<\/h3>\n
\u3007 Customer data (names, email addresses, contact info)
\n\u3007 Passwords (still risky even if hashed)
\n\u3007 All order history and other sensitive\/confidential data<\/p>\n
\u2462 Complete Site Destruction<\/h3>\n
If the database is deleted, the website will stop functioning (the site may no longer display).<\/p>\n
\u2463 Server Takeover<\/h3>\n
Attackers can pivot from the database into the rest of the system, using your server as a launchpad for further attacks (e.g., ransomware).<\/p>\n
Check Now Whether Port 3306 Is Exposed<\/h2>\n
You can use the online tools or commands below to verify whether MySQL port 3306 is publicly accessible.<\/p>\n
\u2460 Check With Online Tools<\/h3>\n
Use port-checking websites to see if your server IP shows port 3306 as \u201cOPEN\u201d.<\/p>\n
\u3007 ping.eu
\nhttps:\/\/ping.eu\/port-chk<\/a><\/p>\n
\u3007 you get signal
\nhttps:\/\/www.yougetsignal.com\/tools\/open-ports<\/a><\/p>\n
\u2461 Check via Server Command Line<\/h3>\n
If the connection works from within the server, take immediate action.<\/p>\n
telnet [server IP] 3306<\/span>\r\n<\/code><\/pre>\n
Proper Configuration Guide for MySQL Port 3306<\/h2>\n
This guide explains the correct settings for MySQL port 3306, assuming that the web server and database run on the same host.<\/p>\n
* Important: Before making any changes in a production environment, always back up your database. This ensures safety in case of configuration errors.<\/span><\/p>\n
\u2460 Check the Current Configuration<\/h3>\n
Run the following command to view the current settings. If 0.0.0.0<\/span> or your server\u2019s global IP appears, immediate action is required.<\/p>\n
# Check MySQL configuration file * Verify bind-address \r\nsudo grep -r \"bind-address\" \/etc\/mysql\/<\/span>\r\n\r\n# Check which network interface MySQL is currently listening on\r\nsudo netstat -tlnp | grep mysql<\/span>\r\n<\/code><\/pre>\n
[mysqld]
\nbind-address = 127.0.0.1\u3000# This is safe\uff01<\/span>
\n# bind-address = 0.0.0.0\u3000# If it looks like this, it\u2019s dangerous\uff01<\/span><\/p><\/blockquote>\n
\u2461 Edit the MySQL Configuration File<\/h3>\n
Modify the MySQL configuration to allow connections only from localhost.<\/p>\n
# Edit the configuration file (path may vary by environment)\r\nsudo nano \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/span>\r\n\r\n# Or\r\nsudo nano \/etc\/mysql\/my.cnf<\/span>\r\n<\/code><\/pre>\n
In the MySQL configuration file, locate and update the following lines.<\/p>\n
# Safe setting (confirm or modify to this)\r\nbind-address = 127.0.0.1\r\n\r\n<\/span>\r\n\r\n# Dangerous settings (must be changed if present)\r\n# bind-address = 0.0.0.0\r\n# bind-address = server's public IP <\/span>\r\n<\/code><\/pre>\n
\u2462 Apply the Configuration Changes<\/h3>\n
After saving the MySQL configuration file, restart MySQL to apply the changes.<\/p>\n
# check configuration syntax\uff08Optional but recommended\uff09\r\nsudo mysqld --validate-config<\/span>\r\n\r\n# Restart MySQL service\r\nsudo systemctl restart mysql\r\n\r\n<\/span># Or (depending on your system)\r\nsudo service mysql restart\r\n<\/span>\r\n# Verify MySQL is running properly\r\nsudo systemctl status mysql<\/span>\r\n<\/code><\/pre>\n
\u2463 Verify the Configuration<\/h3>\n
Check if the MySQL changes have been applied correctly.<\/p>\n
# Verify MySQL is responding on the new configuration\r\nsudo netstat -tlnp | grep mysql\r\n\r\n<\/span>\r\n\r\n# Expected output example\uff1a\r\n# tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -\r\n\r\n# Alternatively, check MySQL process info<\/span>\r\nsudo ps aux | grep mysql\r\n<\/span>\r\n<\/code><\/pre>\n
If you see 127.0.0.1:3306<\/span>, the configuration is successful, and the database is now secure from external access.<\/p>\n
Troubleshooting<\/h3>\n
If your website cannot connect to the database after modifying MySQL settings, follow these steps.<\/p>\n
    \n
  1. Check the configuration file syntax \u2013 ensure there are no typos or extra characters.<\/li>\n
  2. Verify your web application’s connection settings \u2013 make sure the host is set to localhost or 127.0.0.1.<\/li>\n
  3. Check MySQL error logs \u2013 review the logs for detailed error messages.<\/li>\n<\/ol>\n
    # View MySQL error log\r\nsudo tail -f \/var\/log\/mysql\/error.log \r\n<\/code><\/pre>\n
    Connecting to the Database From a Remote Environment<\/h2>\n
    To connect to the database remotely, you must restrict access to a trusted fixed IP and use an SSH tunnel.<\/p>\n
    Opening the SSH port without specifying a trusted IP introduces a serious security risk.<\/p>\n
    \u2460 Restrict Access to a Fixed IP on the Database Server<\/h3>\n
    \u3007 RHEL \/ AlmaLinux (using firewalld)<\/p>\n
    # Allow SSH connections only from a trusted fixed IP\r\nsudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"[YOUR_FIXED_IP]\" port port=\"22\" protocol=\"tcp\" accept'\r\nsudo firewall-cmd --permanent --remove-service=ssh\r\nsudo firewall-cmd --reload<\/span>\r\n\r\n# Verify the configuration\r\nsudo firewall-cmd --list-all\r\n<\/span><\/code><\/pre>\n
    \u3007 Ubuntu (using UFW)<\/p>\n
    # Allow SSH connections only from a trusted fixed IP\r\nsudo ufw allow from [YOUR_FIXED_IP] to any port 22<\/span>\r\nsudo ufw deny 22<\/span>\r\nsudo ufw reload#<\/span><\/code><\/pre>\n
    \u2461 Strengthen SSH Configuration<\/h3>\n
    sudo nano \/etc\/ssh\/sshd_config<\/span><\/code><\/pre>\n
    Add or modify the following settings.<\/p>\n
    # Disable password authentication (key-based only)\r\nPasswordAuthentication no<\/span>\r\n\r\n# Restrict login to a specific user from a fixed IP\r\nAllowUsers username@[YOUR_FIXED_IP]<\/span>\r\n\r\n# Disable root login\r\nPermitRootLogin no<\/span><\/code><\/pre>\n
    After saving the changes, restart the SSH service.<\/p>\n
    sudo systemctl restart sshd<\/span><\/code><\/pre>\n
    \u2462 Establish an SSH Tunnel<\/h3>\n
    After restricting access to a fixed IP, connect securely using an SSH tunnel.<\/p>\n
    This ensures all traffic is encrypted through SSH, and MySQL port 3306 is never exposed to the public network.<\/p>\n
    sh -L 3306:localhost:3306 [YOUR_USERNAME]@[SERVER_IP_OR_DOMAIN]<\/span><\/code><\/pre>\n
    Summary<\/h2>\n
    Exposing your database directly to the Internet is like leaving an unlocked safe on the street.<\/p>\n
    To avoid regrettable consequences, make sure to:<\/p>\n
    \u3007 Check that port 3306 is not publicly accessible
    \n\u3007 Immediately fix the configuration if it is exposed
    \n\u3007 Make regular security checks a routine<\/p>\n
    Related Services<\/h3>\n\n\n\n\n\n
    Website Development<\/span><\/td>\nhttps:\/\/beyond-shenzhen.cn\/en\/service\/website<\/a><\/td>\n<\/tr>\n
    Managed Cloud Services<\/span><\/td>\nhttps:\/\/beyond-shenzhen.cn\/en\/service\/server<\/a><\/td>\n<\/tr>\n
    Cloud Business System<\/span><\/td>\nhttps:\/\/beyond-shenzhen.cn\/en\/service\/development<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
     <\/p>\n
    For Website Development and Managed Cloud Services<\/a><\/p>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    We\u2019ll highlight the most dangerous configuration mistakes that web system and server administrators often make without realizing. \u201cBut the website is working fine, so it should be okay, right?\u201d \u201cAnd there\u2019s a password, so it must be safe.\u201d Not at all. This kind of negligence can lead to serious security incidents. What Happens If Port […]<\/p>\n","protected":false},"author":3,"featured_media":22316,"template":"","meta":{"_acf_changed":false,"_locale":"en_US","_original_post":"https:\/\/beyond-shenzhen.cn\/?post_type=blog&p=22269"},"tags":[],"blogcat":[12],"class_list":["post-22612","blog","type-blog","status-publish","has-post-thumbnail","hentry","blogcat-it-web","en-US"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/blog\/22612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/media\/22316"}],"wp:attachment":[{"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/media?parent=22612"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/tags?post=22612"},{"taxonomy":"blogcat","embeddable":true,"href":"https:\/\/beyond-shenzhen.cn\/wp-json\/wp\/v2\/blogcat?post=22612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}