The MySQL service is currently configured to listen on all interfaces

Chris Sigfrid

Registered
Jul 13, 2016
If you are using remote SQL services, binding to localhost (i.e. 127.0.0.1) breaks the remote whitelist in WHM.
We tried adding remote IPs to /etc/my.cnf ... to no avail.
If you are not using remote services, add it to /etc/my.cnf.
For sure needs a rewrite or tweak.

Chris Sigfrid

Registered
Jul 13, 2016
I received the following message from cPanel:

The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf

Can someone explain what this error means?

How do I bind the address to 127.0.0.1 here?

Does it affect my remotemysql?

Hi Alex, yes it does affect remote connections.
Any IPs in the whitelist will be broken.
It turns off remote connections.
After doing an update, I lost all remote services.
MySQL listens on a single socket for any TCP/IP connections.
Comment out for a quick fix:
#bind-address=127.0.0.1 or change to 0.0.0.0
For a long-term solution, enable remote connections until this is updated.
Here are a couple of solutions via firewall/iptables rules:
cyberciti.biz/faq/unix-linux-mysqld-server-bind-to-more-than-one-ip-address/
vultrcoupons.com/2015/07/05/under-centos-server-mysql-bind-multiple-ip-address/

Other options are REST/SOAP APIs.

twhiting9275

Well-Known Member
Yeah, seems like cPanel screwed up horribly on this one. It's sad that, rather than fix this properly, this is still getting ignored.
Isolating your service to localhost is great, except it's not appropriate in every case.
Allowing MySQL to listen to every interface is not a security risk, not at all.

cPanelMichael

Administrator
Staff member
Hello,

I've added a comment to the internal case to note the additional feedback to this thread.

Here's the relevant code from Security Advisor where this check occurs for anyone interested:

Code:
sub _check_for_public_bind_address {
    my $self = shift;

    my $mycnf        = Cpanel::MysqlUtils::MyCnf::Full::etc_my_cnf();
    my $bind_address = $mycnf->{'mysqld'}->{'bind-address'};
    my $port         = $mycnf->{'mysqld'}->{'port'} || '3306';

    my @deny_rules   = grep { /--dport \Q$port\E/ && /-j (DROP|REJECT)/ } split /\n/, Cpanel::SafeRun::Errors::saferunnoerror( '/sbin/iptables',  '--list-rules' );
    my @deny_rules_6 = grep { /--dport \Q$port\E/ && /-j (DROP|REJECT)/ } split /\n/, Cpanel::SafeRun::Errors::saferunnoerror( '/sbin/ip6tables', '--list-rules' );

    # From: http://dev.mysql.com/doc/refman/5.5/en/server-options.html
    # The server treats different types of addresses as follows:
    #
    # If the address is *, the server accepts TCP/IP connections on all server
    # host IPv6 and IPv4 interfaces if the server host supports IPv6, or accepts
    # TCP/IP connections on all IPv4 addresses otherwise. Use this address to
    # permit both IPv4 and IPv6 connections on all server interfaces. This value
    # is permitted (and is the default) as of MySQL 5.6.6.
    #
    # If the address is 0.0.0.0, the server accepts TCP/IP connections on all
    # server host IPv4 interfaces. This is the default before MySQL 5.6.6.
    #
    # If the address is ::, the server accepts TCP/IP connections on all server
    # host IPv4 and IPv6 interfaces.
    #
    # If the address is an IPv4-mapped address, the server accepts TCP/IP
    # connections for that address, in either IPv4 or IPv6 format. For example,
    # if the server is bound to ::ffff:127.0.0.1, clients can connect using
    # --host=127.0.0.1 or --host=::ffff:127.0.0.1.
    #
    # If the address is a “regular” IPv4 or IPv6 address (such as 127.0.0.1 or
    # ::1), the server accepts TCP/IP connections only for that IPv4 or IPv6
    # address.

    if ( defined($bind_address) ) {
        my $version = ( Cpanel::IP::Parse::parse($bind_address) )[0];

        if ( Cpanel::IP::Loopback::is_loopback($bind_address) ) {
            $self->add_good_advice( text => "MySQL is listening only on a local address." );
        }
        elsif ( ( ( $version == 4 ) && @deny_rules && ( ( $bind_address =~ /ffff/i ) ? @deny_rules_6 : 1 ) ) || ( ( $version == 6 ) && @deny_rules_6 ) || ( csf_port_closed($port) ) ) {
            $self->add_good_advice( text => "The MySQL port is blocked by the firewall, effectively allowing only local connections." );
        }
        else {
            $self->add_bad_advice(
                text       => "The MySQL service is currently configured to listen on a public address: (bind-address=$bind_address)",
                suggestion => [
                    'Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port [_1] in the server’s firewall.',
                    $port
                ],
            );
        }
    }
    else {
        if ( ( @deny_rules && @deny_rules_6 ) || ( csf_port_closed($port) ) ) {
            $self->add_good_advice( text => "The MySQL port is blocked by the firewall, effectively allowing only local connections." );
        }
        else {
            $self->add_bad_advice(
                text       => 'The MySQL service is currently configured to listen on all interfaces: (bind-address=*)',
                suggestion => [
                    'Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port [_1] in the server’s firewall.',
                    $port
                ],
            );
        }
    }

    return 1;
}

The Security Advisor GitHub commit for this change is located at:

Add warning when MySQL is listening on a public address

I'll update this thread with more information as it becomes available.

Thank you.
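The decision logic of the Security Advisor check quoted above, re-implemented in Python as an added example (not cPanel's code, and not the commit mentioned in the post) so the three verdicts can be exercised offline against constructed my.cnf and `iptables --list-rules` text. The `csf_port_closed` flag stands in for the CSF lookup, `!include` directives in my.cnf are skipped, and the port pattern is anchored at the end of the number, which is tighter than the `\Q$port\E` pattern in the Perl (that pattern also matches `--dport 33060` when checking 3306).

```python
"""Added example: the bind-address / firewall check, re-implemented in Python."""
import ipaddress
import re
from configparser import ConfigParser

# Constructed sample inputs (not captured from a real host).
MY_CNF_PUBLIC = "[mysqld]\nbind-address=0.0.0.0\nport=3306\n"
MY_CNF_LOCAL = "[mysqld]\nbind-address=::ffff:127.0.0.1  # mapped loopback\n"
MY_CNF_UNSET = "!includedir /etc/my.cnf.d\n[mysqld]\ndatadir=/var/lib/mysql\n"
IPT_DENY = "-P INPUT ACCEPT\n-A INPUT -p tcp -m tcp --dport 3306 -j DROP\n"
IPT_OPEN = "-P INPUT ACCEPT\n-A INPUT -p tcp -m tcp --dport 33060 -j DROP\n"

def parse_my_cnf(text):
    """Parse my.cnf as INI; '!include' lines are dropped (assumption of this example)."""
    cfg = ConfigParser(allow_no_value=True, strict=False, interpolation=None,
                       inline_comment_prefixes=("#",))
    cfg.read_string("\n".join(l for l in text.splitlines() if not l.startswith("!")))
    return cfg

def deny_rules(rules, port):
    """Lines of `iptables --list-rules` output that DROP/REJECT exactly this dport."""
    want_port = re.compile(r"--dport " + re.escape(str(port)) + r"(\s|$)")
    want_jump = re.compile(r"-j (DROP|REJECT)")
    return [l for l in rules.splitlines() if want_port.search(l) and want_jump.search(l)]

def classify(bind):
    """(ip version, is_loopback, is_ipv4_mapped); '*' means every v4 and v6 interface."""
    if bind == "*":
        return None, False, False
    addr = ipaddress.ip_address(bind)
    mapped = addr.ipv4_mapped if addr.version == 6 else None
    if mapped is not None:          # ::ffff:a.b.c.d is treated as its IPv4 address
        return 4, mapped.is_loopback, True
    return addr.version, addr.is_loopback, False

def check_mysql_bind(my_cnf, iptables_out, ip6tables_out, csf_port_closed=False):
    """Return ('good'|'bad', message), following the Perl branches one for one."""
    cfg = parse_my_cnf(my_cnf)
    bind = cfg.get("mysqld", "bind-address", fallback=None)
    port = cfg.get("mysqld", "port", fallback=None) or "3306"
    v4_deny, v6_deny = deny_rules(iptables_out, port), deny_rules(ip6tables_out, port)
    blocked = "The MySQL port is blocked by the firewall, effectively allowing only local connections."
    if bind is None:                # no bind-address at all: MySQL's default is every interface
        if (v4_deny and v6_deny) or csf_port_closed:
            return "good", blocked
        return "bad", "The MySQL service is currently configured to listen on all interfaces: (bind-address=*)"
    version, loopback, mapped = classify(bind)
    if loopback:
        return "good", "MySQL is listening only on a local address."
    if ((version == 4 and v4_deny and (v6_deny if mapped else True))
            or (version == 6 and v6_deny) or csf_port_closed):
        return "good", blocked
    return "bad", f"The MySQL service is currently configured to listen on a public address: (bind-address={bind})"
```

Note that a mapped address such as `::ffff:10.0.0.5` only counts as firewalled when both the IPv4 and the IPv6 rule sets block the port, exactly as in the Perl condition.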