Security Advisor: close port 3306 in the server’s firewall

Lillike

Well-Known Member
May 29, 2018
46
2
8
Hungary
cPanel Access Level
Root Administrator
I received the following message on the Security Advisor panel in WHM:

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

So, I prepared the following:

/etc/my.cnf edited with nano: skip-networking added, and the mysql service restarted.
And the following command added:
# iptables -A INPUT -p tcp --dport 3306

Now the server has been restarted and I received the same message as above on Security Advisor.

Please advise.

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston
Hi @Lillike

I'm a bit confused at what you did here: why did you add skip-networking rather than configure the bind address? The iptables rule you've listed doesn't close 3306; there's no DROP in place. To block a port in iptables directly, the rule should be something like:

Code:
iptables -A INPUT -p tcp --dport 3306 -j DROP
-A = append one or more rules to the end of the chain
INPUT = inbound connections
-p = protocol in this instance it's tcp
--dport = destination port - in this instance it's port 3306
-j = This specifies the target of the rule; i.e., what to do if the packet matches it. DROP is specified so the packet is dropped.


Thanks!

Lillike

Hello Lauren,

Code:
iptables -A INPUT -p tcp --dport 3306 -j DROP
The above command was added.
And the following message was sent again by Sec. Adv.:

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

Please advise.

Lillike

The server had been restarted.



[email protected] [~]# iptables -L -n |grep 3306
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
[email protected] [~]# cat /etc/my.cnf
[mysqld]
innodb_file_per_table=1
max_allowed_packet=268435456
innodb_buffer_pool_size=134217728
open_files_limit=10000
default-storage-engine=MyISAM
skip-networking

cPanelLauren

Hi @Lillike

Just to confirm: based on this, you've added the iptables rule only and not anything to my.cnf.

Can you provide the output of the following:

Code:
nmap -sU -sT <yourIPHere> -p 3306
Thanks!

cPanelLauren

Hi @Lillike

That's fine! It doesn't look like you have nmap installed on the server though. You can run
Code:
yum -y install nmap
or run it from a terminal with the package installed.

Lillike

Hi Lauren,

That's fine! It doesn't look like you have nmap installed on the server though. You can run
Code:
yum -y install nmap
or run it from a terminal with the package installed.

[email protected] [~]# nmap -sU -sT 192.xxx -p 3306

Starting Nmap 5.51 ( Nmap: the Network Mapper - Free Security Scanner ) at 2018-06-25 08:16 MST
Nmap scan report for ip-192-xxx.ip.secureserver.net (192.xxx)
Host is up (0.000096s latency).
PORT STATE SERVICE
3306/tcp filtered mysql
3306/udp closed unknown



And Sec. Adv.'s message is the same again:
The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

cPanelLauren

Hi @Lillike

And Sec Adv.'s message same again:
The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.
That's because we haven't changed anything; all I wanted you to do was check if the port was fully closed.

[email protected] [~]# nmap -sU -sT 192.xxx -p 3306

Starting Nmap 5.51 ( Nmap: the Network Mapper - Free Security Scanner ) at 2018-06-25 08:16 MST
Nmap scan report for ip-192-xxx.ip.secureserver.net (192.xxx)
Host is up (0.000096s latency).
PORT STATE SERVICE
3306/tcp filtered mysql
3306/udp closed unknown
Based on this, the port is only filtered. Since I know we closed it for inbound connections, we'll also need to close it for outbound connections. Something like the following should suffice:

Code:
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
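Two offline checks that follow from the thread, as an added example (not code from the thread, nor from cPanel or WHM): one reads a my.cnf and reports where MySQL will listen, which is what the Security Advisor warning is about (skip-networking, bind-address); the other looks through `iptables -L -n` output for the INPUT DROP on tcp dpt:3306 suggested above. Both sample inputs are constructed, and an INPUT DROP is exactly what makes nmap report 3306/tcp as filtered.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/WHM.
# Two offline checks for the Security Advisor finding discussed above.

# Constructed my.cnf fragment, modelled on the one posted in the thread.
MYCNF_SAMPLE='[mysqld]
innodb_file_per_table=1
skip-networking
'

# Constructed `iptables -L -n` output containing the suggested INPUT rule.
IPT_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
'

# Reads a my.cnf on stdin and prints where MySQL will listen:
#   none  -> skip-networking is set (no TCP listener at all)
#   local -> bind-address is a loopback address
#   all   -> bind-address is *, 0.0.0.0, :: or absent (MySQL default)
mysql_listen_scope() {
  # Only the [mysqld] section counts; stop at the next [section] header.
  section=$(awk '/^\[mysqld\]/{f=1;next} /^\[/{f=0} f')
  if printf '%s\n' "$section" | grep -Eq '^[[:space:]]*skip[-_]networking([[:space:]=]|$)'; then
    echo none; return
  fi
  # Last bind-address wins, as in MySQL's own option parsing.
  addr=$(printf '%s\n' "$section" | awk -F= \
    '/^[[:space:]]*bind[-_]address[[:space:]]*=/{gsub(/[[:space:]]/,"",$2);v=$2} END{print v}')
  case "$addr" in
    127.0.0.1|localhost|::1) echo local ;;
    *) echo all ;;
  esac
}

# Reads `iptables -L -n` output on stdin; succeeds (exit 0) only if the INPUT
# chain has a DROP or REJECT for tcp dpt:3306, i.e. the rule from the thread.
port_3306_blocked() {
  awk '/^Chain /{c=$2}
       c=="INPUT" && $1 ~ /^(DROP|REJECT)$/ && /tcp dpt:3306/ {found=1}
       END{exit (found ? 0 : 1)}'
}

# Stand-alone run over the constructed samples.
printf 'MySQL listen scope: %s\n' "$(printf '%s' "$MYCNF_SAMPLE" | mysql_listen_scope)"
printf '%s' "$IPT_SAMPLE" | port_3306_blocked && echo 'iptables: inbound tcp/3306 is dropped'
```

On a live server the same functions take `cat /etc/my.cnf` and `iptables -L -n` on stdin; an nmap result of "filtered" on 3306/tcp corresponds to port_3306_blocked succeeding.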