The MySQL service is currently configured to listen on all interfaces

Tom Risager

Well-Known Member
Jul 10, 2012
116
6
18
Copenhagen, Denmark
cPanel Access Level
Root Administrator
I am getting this red-highlighted error in the security advisor on two cPanel servers:

"The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
Configure bind-address=127.0.0.1 in /etc/my.cnf"

Both servers are running MariaDB 10.0

The database setup was done using cPanel-provided scripts, not manually, so I'm wondering why it has been configured to listen to all interfaces in the first place. Is it safe to go ahead and make the suggested change?
 

Legendary

Member
Aug 13, 2015
24
1
3
US
cPanel Access Level
Root Administrator
> I am getting this red-highlighted error in the security advisor on two cPanel servers:
>
> "The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
> Configure bind-address=127.0.0.1 in /etc/my.cnf"
>
> Both servers are running MariaDB 10.0
>
> The database setup was done using cPanel-provided scripts, not manually, so I'm wondering why it has been configured to listen to all interfaces in the first place. Is it safe to go ahead and make the suggested change?

Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.
 

AM2015

Active Member
Jan 1, 2015
34
4
58
cPanel Access Level
Root Administrator
Same here, should we put in the entry bind-address=127.0.0.1 into /etc/my.cnf?
I don't know but I couldn't find any reason not to - so I added that line & restarted MySQL... and as far as I can tell everything on my server still works. So it seems like a good idea. I'm currently running MySQL v. 5.6.30

I do wish that the Security Advisor would be more informative with its alerts -- a link to a help page with a simple explanation as to what the risks created are, and what circumstances might be reasons not to implement the suggested change -- would be nice.
 

HowardE

Member
Aug 8, 2015
20
2
53
Florida
cPanel Access Level
Root Administrator
> Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.

Other than this, going to the /etc/my.cnf file and adding

bind-address=127.0.0.1

then restarting MySQL (home > Restart Services > SQL Server (MySQL)) you should be good.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
I also suddenly got this warning (email and Security Advisor) after updating cPanel from 56.0.17 to 56.0.18

I added the line in my.cnf as instructed and restarted MySQL (5.6.30) and everything appears to be working fine, but I have not tried rebooting the server to see if the change to my.cnf is persistent.
 

morrow95

Well-Known Member
Oct 8, 2006
164
8
168
> Only if you want to restrict MySQL access to applications/software hosted on the same server. Remote MySQL won't work if you add that line to my.cnf.

Add me to the list as well. High alerts early this morning, and in my case MariaDB on a remote server. Correct me if I am wrong, but when you set up a remote database you are supposed to comment out 'bind-address' - at least that is what I remember - right?

I agree with everyone else, a link with more information and possible caveats such as this would go a long way.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
Perhaps my following comments would best be split into a new thread - but since they sort of started here, I shall leave it to the forum staff to decide:

The Home » Security Center » Security Advisor loops through a list of built-in assessors which report to screen.
The Home » Server Contacts » Contact Manager > Notifications has just one switch (Security Advisor State Change) that covers all the Assessors.

I have no idea why the Assessors started to bitch about MySQL bind addresses, I could see nothing in the change logs that indicated something would provoke this new behavior.

Nevertheless, perhaps what we need to see is either a new interpretation of the Contact Manager/Notifications that breaks out all the Assessors into the same screen and then has an extra column for the admin to include in either the alert list and/or the security advisor

>>OR<<

The equivalent of the Contact Manager/Notifications page but exclusively for the Security Assessors with simple toggle states beside each

>>OR<<

Some flat file or database that can be edited to decide which assessors are included in the Security Advisor tests.
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,980
156
368
SLC
cPanel Access Level
DataCenter Provider
Choose to ignore, as you should be running a firewall with the MySQL port closed with remote MySQL users' IPs white-listed anyway, so it's really not a security issue.

If you have no use for remote MySQL then yes enable it

But I would bet many Operators have remote MySQL users. I know we do, as well as MySQL replication, and it would break them all.


So maybe the check needs to be rewritten so it checks to see if the MySQL port is even open before scaring all the novice users :(
 

alexzorba

Registered
May 22, 2016
1
0
1
kuwait
cPanel Access Level
Root Administrator
I received the following message from cPanel

The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf

Can someone explain what this error means?

How to bind address here in 127.0.0.1?

Does it affect my remote MySQL?
 
Nov 13, 2007
11
1
53
It appears that the default used to be bind-address=0.0.0.0.

Source: MySQL :: MySQL 5.6 Reference Manual :: 5.1.3 Server Command Options
The server treats different types of addresses as follows:

  • If the address is *, the server accepts TCP/IP connections on all server host IPv6 and IPv4 interfaces if the server host supports IPv6, or accepts TCP/IP connections on all IPv4 addresses otherwise. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is permitted (and is the default) as of MySQL 5.6.6.

  • If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. This is the default before MySQL 5.6.6.

  • If the address is ::, the server accepts TCP/IP connections on all server host IPv4 and IPv6 interfaces.

  • If the address is an IPv4-mapped address, the server accepts TCP/IP connections for that address, in either IPv4 or IPv6 format. For example, if the server is bound to ::ffff:127.0.0.1, clients can connect using --host=127.0.0.1 or --host=::ffff:127.0.0.1.

  • If the address is a “regular” IPv4 or IPv6 address (such as 127.0.0.1 or ::1), the server accepts TCP/IP connections only for that IPv4 or IPv6 address.
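
The address rules quoted above, applied to an option file. This is an added example, not part of the original post and not cPanel's Security Advisor code. It assumes a single file with a `[mysqld]` section (no `!include` handling), treats an unset option as the default described in the quoted manual text, and the sample files are constructed.

```python
import ipaddress

def effective_bind_address(cnf_text):
    """Return the last bind-address set under [mysqld], or None if unset."""
    section, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank lines, comments, !include directives
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, val = line.partition("=")
        # Option files accept bind-address and bind_address; the last one wins.
        if section == "mysqld" and key.strip().lower().replace("_", "-") == "bind-address":
            value = val.split("#", 1)[0].strip().strip("'\"")
    return value

def classify(value):
    """Exposure class for a bind-address value, following the quoted rules."""
    if value is None or value == "*":
        return "all-interfaces"  # unset falls back to the default (* or 0.0.0.0)
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "unknown"  # not an IP literal; cannot be classified offline
    # ::ffff:127.0.0.1 is judged by the IPv4 address it maps to.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback-only" if addr.is_loopback else "single-address"

def audit(cnf_text):
    """Return (effective value, exposure class) for one option file."""
    value = effective_bind_address(cnf_text)
    return value, classify(value)

# Constructed sample files, not taken from any real server.
SAMPLES = {
    "flagged": "[mysqld]\nbind-address=*\n",
    "workaround": "[client]\nport=3306\n[mysqld]\nbind_address = 0.0.0.0\n"
                  "bind-address=127.0.0.1  # local only\n",
    "mapped": "[mysqld]\nbind-address=::ffff:127.0.0.1\n",
    "remote": "[mysqld]\nbind-address=203.0.113.10\n",
    "unset": "[mysqld]\nmax_connections=200\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

A result of `single-address` or `all-interfaces` only says the listener is reachable on that address; whether the port is exposed still depends on the firewall rules in front of it.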
 

Michael-Inet

Well-Known Member
Feb 20, 2014
117
15
68
Nashville, TN, USA
cPanel Access Level
Root Administrator
> the default used to be bind-address=0.0.0.0.
> If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. This is the default before MySQL 5.6.6.

> If the address is *, the server accepts TCP/IP connections on all server host IPv6 and IPv4 interfaces

Basically nothing changed to the config, but now we get high alert spammed by cPanel to break everyone's remote MySQL setups :(


Nice Job cPanel!
 

Gauravk

Well-Known Member
Jan 23, 2012
69
0
56
cPanel Access Level
Root Administrator
After so many replies, nobody cared to answer this properly on how to get rid of this issue!
I am not as techy as a few guys here, but I am managing a car community and am scared this might cause a security issue.

I have the below two issues and would appreciate it if someone could explain properly how to get rid of this bind-address.

Thanks in advance.
  1. No symlink protection detected. You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

  2. The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf
 

Michael-Inet

Well-Known Member
Feb 20, 2014
117
15
68
Nashville, TN, USA
cPanel Access Level
Root Administrator
> appreciate if someone can explain properly how to get rid of this bind-address?
>
> The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf

Hi Gauravk,

You will need to confer with whoever set up your cPanel/WHM software AND whoever has set up the rest of your IT infrastructure to determine this, as anybody outside of your organization won't know enough to tell you what to do. It's basically a binary decision:

- IF! your MySQL service is used by NO applications/processes/backups that are external to your server then just follow the instructions given in the cPanel message.

- DO NOT follow the instructions given in the cPanel message if your MySQL service is used by anything external to your server.

Hope that helps.

Best,
Michael
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
Hello,

Internal case CPANEL-6125 is open to address the confusion generated when Security Advisor issues a warning about MySQL listening on all interfaces. There's currently no specific time frame to offer on a resolution, but I will update this thread as more information becomes available. The current workaround is to manually add the "bind-address=127.0.0.1" line to your /etc/my.cnf file and then restart the MySQL server. Note that MySQL will listen for TCP/IP connections only locally on the loopback interface and will not accept remote connections when this line is added to the /etc/my.cnf file.

Thank you.