Date:      Tue, 08 May 2012 15:34:02 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: securing MySQL: easiest/best ways?
Message-ID:  <4FA92EDA.3090809@infracaninophile.co.uk>
In-Reply-To: <898E0B3D-63DD-470C-8F1D-49F478D05C7E@gmail.com>
References:  <898E0B3D-63DD-470C-8F1D-49F478D05C7E@gmail.com>


On 08/05/2012 14:49, Paul Beard wrote:
> Monkeying with IPv6, I discovered that globally routable addresses
> are what it says on the tin, so hiding behind a network appliance is
> no longer viable for me. An nmap scan showed the port 3306 was
> hanging out for all to see but I couldn't figure out how to close it
> off. The "--skip-networking" argument seems not to work, either in
> my.cnf or as an rc argument. The server just fails to start. (For
> some reason the socket is hard-coded to live in /tmp, regardless of
> what's in my.cnf but I gave up bothering about that.)
>
> What I ended up doing was adding
>
> mysql_args="--bind-address=127.0.0.1"
>
> to /etc/rc.conf. This seems to work as netstat and sockstat no longer
> show port 3306 listening and database connections are happening.
>
> Is this the preferred/best way?

You have been restarting mysql to test changes to my.cnf?  You have to
do a full restart to get mysql to re-read the config file.  If you need
to reconfigure without interrupting service, you can set most parameters
at runtime using mysql(1).

Sounds almost as if the my.cnf you've been editing is not the my.cnf
that your mysql instance is using.  IIRC there was some talk about
moving from the usual BSD-ish /var/db/mysql/my.cnf to
/usr/local/etc/my.cnf (no doubt under some insidious influence from Linux.)

skip-networking certainly should leave you with just the unix domain
socket.  Alternatively you can bind mysql's network socket to a specific
interface -- so if you bind it to the loopback, it should make it
inaccessible from the network.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW




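An added example, not from this thread, the poster's host or the FreeBSD port: a small POSIX sh script with two checks that answer the question the thread circles around, "is mysqld still reachable on TCP 3306 from the network?", from both ends. One check classifies the [mysqld] section of an option file (exposed / loopback / unix-only); the other scans sockstat(1)-style output for 3306 listeners bound to anything other than loopback, which is what the poster was doing by hand with netstat and sockstat. The function names (mysqld_listen_policy, exposed_3306), the SAMPLE_* variables, and the sample my.cnf and sockstat lines are all this example's own constructions; the sockstat column layout and the "*:port" / "::1:port" / "[::1]:port" address forms are assumptions about that tool's output, not taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Two offline checks for whether mysqld
# exposes TCP 3306 beyond loopback: one against an option file, one against
# the live socket table. Names and sample data are this example's own.

# Classify the [mysqld] section of a my.cnf read on stdin:
#   unix-only  skip-networking is set (no TCP listener at all)
#   loopback   bind-address is 127.0.0.1 or ::1
#   exposed    no bind-address, or a wildcard/other address
# Only the [mysqld] section counts; a bind-address under [client] is ignored.
mysqld_listen_policy() {
    awk '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_mysqld    { next }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                          # trailing comment
            n = index(line, "=")
            if (n) { key = substr(line, 1, n - 1); val = substr(line, n + 1) }
            else   { key = line; val = "" }
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/_/, "-", key)                                  # skip_networking == skip-networking
            if (key == "skip-networking" && val !~ /^(0|OFF|off|FALSE|false)$/) skip = 1
            if (key == "bind-address") bind = val
        }
        END {
            if (skip)                                 { print "unix-only"; exit }
            if (bind == "127.0.0.1" || bind == "::1") { print "loopback";  exit }
            print "exposed"
        }
    '
}

# Print every TCP listener on port 3306 whose local address is not loopback,
# reading sockstat(1)-style lines on stdin (assumed columns: USER COMMAND PID
# FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS). The port is whatever follows the
# last colon, so "*:3306", "127.0.0.1:3306", "::1:3306" and "[::1]:3306" all
# parse; unix-domain "stream" sockets are skipped by the PROTO test.
exposed_3306() {
    awk '
        $5 ~ /^tcp/ && match($6, /:[0-9]+$/) {
            addr = substr($6, 1, RSTART - 1)
            port = substr($6, RSTART + 1)
            gsub(/\[/, "", addr); gsub(/\]/, "", addr)
            if (port != "3306") next
            if (addr ~ /^127\./ || addr == "::1") next          # loopback is fine
            print $1, $2, $5, $6
        }
    '
}

# Constructed option files: the exposed default and the corrected one.
SAMPLE_CNF_BEFORE='[client]
port   = 3306
socket = /tmp/mysql.sock

[mysqld]
datadir = /var/db/mysql
socket  = /tmp/mysql.sock'

SAMPLE_CNF_AFTER='[client]
socket = /tmp/mysql.sock

[mysqld]
datadir      = /var/db/mysql
socket       = /tmp/mysql.sock
bind-address = 127.0.0.1     # or: skip-networking  (unix socket only)'

# Constructed "sockstat -46l" output for a host with the symptom (mysqld on
# the wildcard address for both families) and for the fixed host.
SAMPLE_SOCKSTAT_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp6   *:3306                *:*
mysql    mysqld     1234  11 tcp4   *:3306                *:*
mysql    mysqld     1234  12 stream /tmp/mysql.sock
root     sshd       801   3  tcp6   *:22                  *:*
root     sshd       801   4  tcp4   *:22                  *:*'

SAMPLE_SOCKSTAT_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  10 tcp4   127.0.0.1:3306        *:*
mysql    mysqld     1234  12 stream /tmp/mysql.sock
root     sshd       801   3  tcp6   *:22                  *:*'

echo "config before: $(printf '%s\n' "$SAMPLE_CNF_BEFORE" | mysqld_listen_policy)"   # -> exposed
echo "config after:  $(printf '%s\n' "$SAMPLE_CNF_AFTER"  | mysqld_listen_policy)"   # -> loopback
echo "non-loopback 3306 listeners before the fix:"
printf '%s\n' "$SAMPLE_SOCKSTAT_BEFORE" | exposed_3306     # two lines: tcp6 and tcp4 wildcard
echo "non-loopback 3306 listeners after the fix:"
printf '%s\n' "$SAMPLE_SOCKSTAT_AFTER" | exposed_3306      # prints nothing
```

On a real host the two checks are `mysqld_listen_policy < /usr/local/etc/my.cnf` and `sockstat -46l | exposed_3306`; feed the former the file mysqld actually reads, which `mysqld --verbose --help` lists under "Default options are read from the following files in the given order", since the thread's guess is that the poster was editing a different my.cnf. Two caveats worth knowing: bind_address and skip_networking are not settable at runtime, so a restart is required and `SHOW VARIABLES LIKE 'bind_address'` / `SHOW VARIABLES LIKE 'skip_networking'` are the way to confirm what the running server picked up; and before MySQL 8.0.13 bind-address takes a single address, so `--bind-address=127.0.0.1` leaves no IPv6 loopback listener at all, which is exactly why the sockstat check should show nothing on ::1 either. With skip-networking the remaining attack surface is the unix socket itself, so its path and permissions (the poster's /tmp/mysql.sock) are what to look at next.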

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FA92EDA.3090809>