From: Matthew Seaman
To: freebsd-questions@freebsd.org
Date: Tue, 08 May 2012 15:34:02 +0100
Subject: Re: securing MySQL: easiest/best ways?
Message-ID: <4FA92EDA.3090809@infracaninophile.co.uk>
In-Reply-To: <898E0B3D-63DD-470C-8F1D-49F478D05C7E@gmail.com>

On 08/05/2012 14:49, Paul Beard wrote:
> Monkeying with IPv6, I discovered that globally routable addresses
> are what it says on the tin, so hiding behind a network appliance is
> no longer viable for me. An nmap scan showed the port 3306 was
> hanging out for all to see but I couldn't figure out how to close it
> off. The "--skip-networking" argument seems not to work, either in
> my.cnf or as an rc argument. The server just fails to start. (For
> some reason the socket is hard-coded to live in /tmp, regardless of
> what's in my.cnf but I gave up bothering about that.)
>
> What I ended up doing was adding
>
> mysql_args="--bind-address=127.0.0.1"
>
> to /etc/rc.conf. This seems to work as netstat and sockstat no longer
> show port 3306 listening and database connections are happening.
>
> Is this the preferred/best way?

You have been restarting mysql to test changes to my.cnf?  You have to
do a full restart to get mysql to re-read the config file.  If you need
to reconfigure without interrupting service, you can set most parameters
at runtime using mysql(1).

Sounds almost as if the my.cnf you've been editing is not the my.cnf
that your mysql instance is using.  IIRC there was some talk about
moving from the usual BSD-ish /var/db/mysql/my.cnf to
/usr/local/etc/my.cnf (no doubt under some insidious influence from
Linux.)

skip-networking certainly should leave you with just the unix domain
socket.  Alternatively you can bind mysql's network socket to a specific
interface -- so if you bind it to the loopback, it should make it
inaccessible from the network.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
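Both posters settle the question by looking at what sockstat shows for port 3306. The script below is an added example, not something from the thread or from FreeBSD's own tooling: it is a small POSIX sh/awk check that reads sockstat(1)-style listener output and flags any TCP socket on the MySQL port that is bound to something other than a loopback address (IPv4 127.0.0.0/8 or IPv6 ::1), so the "is it still exposed on the IPv6 side?" question gets a yes/no answer instead of a visual scan. It assumes the usual `sockstat -46l` column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS); the two sample outputs are constructed to mirror the before/after state described in the thread and are not real captured output.

```shell
#!/bin/sh
# Added example (not from the thread): report mysqld TCP listeners on the
# MySQL port that are not bound to a loopback address.
#
# Reads sockstat(1)-style text on stdin. Assumed column layout:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Prints one "EXPOSED:" line per offending socket.
# Returns 0 when nothing is exposed, 1 when at least one socket is.
mysql_exposed_listeners() {
    awk -v port="${1:-3306}" '
        NR == 1 && $1 == "USER" { next }      # skip the header line
        $5 !~ /^tcp/ { next }                 # unix sockets, udp etc. cannot expose the port
        {
            laddr = $6
            # port is the text after the last ":"; everything before it is the address
            n = split(laddr, parts, ":")
            if (n < 2) next
            lport = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(lport) - 1)
            if (lport != port) next
            # loopback bindings are the goal of --bind-address=127.0.0.1
            if (addr ~ /^127\./ || addr == "::1") next
            print "EXPOSED: " $2 " (pid " $3 ") " $5 " " laddr
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample output (not real): mysqld before the rc.conf change,
# listening on the IPv4 and IPv6 wildcard addresses.
BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   *:3306                *:*
mysql    mysqld     1234  11 tcp6   *:3306                *:*
root     sshd       900   4  tcp6   *:22                  *:*'

# Constructed sample output (not real): after mysql_args="--bind-address=127.0.0.1",
# only the loopback listener and the unix domain socket remain.
AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
mysql    mysqld     1234  12 stream /tmp/mysql.sock
root     sshd       900   4  tcp6   *:22                  *:*'

# Run the check against one of the two constructed samples.
check_sample() {
    case "$1" in
        before) printf '%s\n' "$BEFORE" | mysql_exposed_listeners 3306 ;;
        after)  printf '%s\n' "$AFTER"  | mysql_exposed_listeners 3306 ;;
        *)      return 2 ;;
    esac
}

# On a live FreeBSD box the input would come from the real tool instead:
#   sockstat -46l | mysql_exposed_listeners 3306
for sample in before after; do
    if check_sample "$sample"; then
        echo "$sample: mysqld reachable only via loopback"
    else
        echo "$sample: mysqld exposed on a non-loopback address"
    fi
done
```

The check deliberately treats an IPv6 wildcard (`*:3306` on a `tcp6` socket) the same as the IPv4 one, since that is exactly the listener the original poster found with nmap; a `--bind-address=127.0.0.1` setting leaves no IPv6 listener at all, which the "after" sample reflects.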