
Security Advisor: close port 3306 in the server’s firewall

Discussion in 'Security' started by Lillike, Jun 20, 2018.

  1. Lillike

    Lillike Active Member

    Joined:
    May 29, 2018
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    I received the following message on Security Advisor panel in WHM:

    The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
    Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

    So, I prepared the following:

    /etc/my.cnf edited with nano: skip-networking added, and the mysql service restarted.
    And the following command added:
    # iptables -A INPUT -p tcp --dport 3306

    Now the server has been restarted, and I received the same message as above in Security Advisor.

    Please advise.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,719
    Likes Received:
    185
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Lillike

    I'm a bit confused at what you did here: why did you add skip-networking rather than configure the bind address? The iptables rule you've listed doesn't close 3306; there's no DROP in place. To block a port in iptables directly, the rule should be something like:

    Code:
    iptables -A INPUT -p tcp --dport 3306 -j DROP
    -A = append one or more rules to the end of the chain
    INPUT = inbound connections
    -p = protocol in this instance it's tcp
    --dport = destination port - in this instance it's port 3306
    -j = This specifies the target of the rule; i.e., what to do if the packet matches it. DROP is specified so the packet is dropped.


    Thanks!
     
  3. Lillike
    Hello Lauren,

    The above command has been added.
    And the following message was sent again by Sec. Adv.:

    The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
    Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

    Please advise.
     
  4. cPanelLauren
    Hi @Lillike

    Can you confirm that you've restarted both services then show me the following:

    Code:
    iptables -L -n |grep 3306
    Code:
    cat /etc/my.cnf 
     
  5. Lillike
    The server had been restarted.

    root@ip-192-xxx [~]# iptables -L -n |grep 3306
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
    root@ip-192-xxxx [~]# cat /etc/my.cnf
    [mysqld]
    innodb_file_per_table=1
    max_allowed_packet=268435456
    innodb_buffer_pool_size=134217728
    open_files_limit=10000
    default-storage-engine=MyISAM
    skip-networking
     
  6. cPanelLauren
    Hi @Lillike

    Just to confirm, based on this you've added the iptables rule only and not anything to my.cnf.

    Can you provide the output of the following:

    Code:
    nmap -sU -sT <yourIPHere> -p 3306
    Thanks!
     
  7. Lillike
    root@ip-192-xxx [~]# nmap -sU -sT <192.xxx> -p 3306
    -bash: 192-xxx: No such file or directory
     
  8. cPanelLauren
    Hi @Lillike

    Can you remove the < > and just put your IP address there. Those were only present to delineate where the IP should go.

    Thanks!
     
  9. Lillike
    Lauren,

    Sorry for misunderstanding...

    So:

    root@ip-192-xxx [~]# nmap -sU -sT 192.xxx -p 3306
    -bash: nmap: command not found
     
  10. cPanelLauren
    Hi @Lillike

    That's fine! It doesn't look like you have nmap installed on the server though. You can run
    Code:
    yum -y install nmap 
    or run it from a terminal with the package installed.
     
  11. Lillike
    Hi Lauren,

    root@ip-192-xxx [~]# nmap -sU -sT 192.xxx -p 3306

    Starting Nmap 5.51 ( Nmap: the Network Mapper - Free Security Scanner ) at 2018-06-25 08:16 MST
    Nmap scan report for ip-192-xxx.ip.secureserver.net (192.xxx)
    Host is up (0.000096s latency).
    PORT STATE SERVICE
    3306/tcp filtered mysql
    3306/udp closed unknown

    And Sec Adv.'s message is the same again:
    The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
    Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.
     
  12. cPanelLauren
    Hi @Lillike

    That's because we haven't changed anything all I wanted for you to do was check if the port was fully closed.

    Based on this, the port is only filtered. Since I know we closed it for inbound connections, we'll also need to close it for outbound connections. Something like the following should suffice:

    Code:
    iptables -A OUTPUT -p tcp --dport 3306 -j DROP
     
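The thread turns on two checks: what /etc/my.cnf says about where MySQL listens (posts 1 and 5) and whether iptables actually has a DROP for TCP 3306 in the relevant chain (posts 2 and 12). The script below is an added example, not code from the thread or from cPanel; it reads both as text, using constructed input modelled on the output pasted in post 5 so that it runs offline, and its "exposed"/"ok" verdict is this example's own reading of the advisor's two remedies, not the Security Advisor's actual logic.

```shell
#!/bin/sh
# Added example (not cPanel's code): audit MySQL listen scope from a my.cnf
# and look for a DROP on TCP 3306 in `iptables -L -n` output. On a real host,
# pass "$(cat /etc/my.cnf)" and "$(iptables -L -n)" instead of the samples.
# Constructed my.cnf, modelled on the one pasted in post 5.
SAMPLE_MYCNF='[mysqld]
innodb_file_per_table=1
max_allowed_packet=268435456
skip-networking'
# Constructed `iptables -L -n` output, modelled on post 5.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# mysql_listen_scope CONFIG -> "none" (skip-networking), "local" (bind-address
# on loopback) or "all" (anything else, including no bind-address at all,
# which Security Advisor reports as bind-address=*).
mysql_listen_scope() {
    # strip comments/whitespace, treat bind_address and bind-address alike,
    # then keep only the [mysqld] section
    section=$(printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]//g' | tr '_' '-' \
        | awk '/^\[/ { in_s = ($0 == "[mysqld]") } in_s')
    if printf '%s\n' "$section" | grep -Eqx 'skip-networking(=1|=ON)?'; then
        echo none; return
    fi
    bind=$(printf '%s\n' "$section" | grep '^bind-address=' | tail -n 1 | cut -d= -f2)
    case "$bind" in
        127.0.0.1|localhost|::1) echo local ;;
        *)                       echo all ;;
    esac
}

# port_dropped_in_chain RULES CHAIN PORT -> exit 0 if CHAIN holds a DROP rule
# for TCP destination PORT, matched as a whole field (dpt:3306, not dpt:33060).
port_dropped_in_chain() {
    printf '%s\n' "$1" | awk -v c="Chain $2 " -v p="dpt:$3" '
        index($0, "Chain ") == 1 { in_c = (index($0, c) == 1); next }
        in_c && $1 == "DROP" && $2 == "tcp" { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit !found }'
}

# mysql_exposed CONFIG RULES -> "exposed" only when MySQL listens on all
# interfaces AND the INPUT chain does not drop 3306; either remedy gives "ok".
mysql_exposed() {
    if [ "$(mysql_listen_scope "$1")" = all ] && ! port_dropped_in_chain "$2" INPUT 3306; then
        echo exposed
    else
        echo ok
    fi
}
mysql_exposed "$SAMPLE_MYCNF" "$SAMPLE_IPTABLES"   # prints "ok"
```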