Date: Tue, 8 May 2012 20:26:59 +0400 From: Peter Vereshagin <peter@vereshagin.org> To: freebsd-questions@freebsd.org Subject: Re: securing MySQL: easiest/best ways? Message-ID: <20120508162659.GC12053@external.screwed.box> In-Reply-To: <898E0B3D-63DD-470C-8F1D-49F478D05C7E@gmail.com> References: <898E0B3D-63DD-470C-8F1D-49F478D05C7E@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello. 2012/05/08 06:49:01 -0700 Paul Beard <paulbeard@gmail.com> => To FreeBSD-questions : PB> Monkeying with IPv6, I discovered that globally routable addresses are what it says on the tin, so hiding behind a network appliance is not longer viable for me. An nmap scan showed the port 3306 was hanging out for all to see but I couldn't figure out how to close it off. The "--skip-networking" argument seems not to work, either in my.cnf or as an rc argument. The server just fails to start. (For some reason the socket is hard-coded to live in /tmp, regardless of what's in my.cnf but I gave up bothering about that.) How can you know for sure that your my.cnf is being taken into the account by mysqld at all? I remember some issues that made me to put a symlink /etc/my.cnf to ..//usr/local/etc/my.cnf ... PB> What I ended up doing was adding PB> PB> mysql_args="--bind-address=127.0.0.1" PB> PB> to /etc/rc.conf. This seems to work as netstat and sockstat no longer show port 3306 listening and database connections are happening. PB> PB> Is this the preferred/best way? I just think locking mysqld into the jail(4) is better. ;-) PB> Are you trying to win an argument or solve a problem? Whatever I may need. -- Peter Vereshagin <peter@vereshagin.org> (http://vereshagin.org) pgp: A0E26627
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120508162659.GC12053>