| 1 |
On Tuesday 29 April 2008, kashani wrote: |
| 2 |
> Peter Humphrey wrote: |
| 3 |
> > Having just installed mysql on my server, I've found that I have to set |
| 4 |
> > bind-address = 0.0.0.0 in /etc/mysql/my.cnf to enable me to connect to |
| 5 |
> > mysqld over the local network: leaving it at the default 127.0.0.1 causes |
| 6 |
> > connection requests to be rejected. |
| 7 |
> > |
| 8 |
> > Is there a more secure value for this parameter? I want to be able to |
| 9 |
> > connect over either of two network segments, 192.168.2.0/29 and |
| 10 |
> > 192.168.3.0/29, as well as locally on the server box. I've tried a |
| 11 |
> > compound setting in bind-address, but mysqld then refuses to start. |
| 12 |
> > 0.0.0.0 is the only setting I've found so far that lets me in. |
| 13 |
> |
| 14 |
> I generally remove the bind setting so that Mysql listens on all IPs on |
| 15 |
> the box. You can then have firewall rules at your border or locally on |
| 16 |
> the box to control access to 3306. You can also set access on a per user |
| 17 |
> basis within mysql |
| 18 |
> |
| 19 |
> GRANT CREATE,DELETE,INSERT,SELECT,UPDATE PRIVILEGES ON your_db.* TO |
| 20 |
> 'your_user'@'localhost'; |
| 21 |
> GRANT CREATE,DELETE,INSERT,SELECT,UPDATE PRIVILEGES ON your_db.* TO |
| 22 |
> 'your_user'@'192.168.2.%'; |
| 23 |
> |
| 24 |
> and so on. |
| 25 |
> |
| 26 |
> kashani |
| 27 |
|
| 28 |
The --bind-address option works for one IP address only. If you set it to |
| 29 |
127.0.0.1 only connections from localhost will be listened to. If you set it |
| 30 |
to 0.0.0.0 connections from all addresses are listened to. I believe that |
| 31 |
you can have one IP address set by using --bind-address and also have defined |
| 32 |
a unix socket for mysqld to listen to. The unix socket can be set up for |
| 33 |
local connections (you need to allow fs access for the unix socket to the |
| 34 |
mysql client user of course, otherwise the socket will not be accessible). |
| 35 |
|
| 36 |
As others have mentioned the firewall adds security by restricting inbound |
| 37 |
source addresses. |
| 38 |
|
| 39 |
HTH. |
| 40 |
-- |
| 41 |
Regards, |
| 42 |
Mick |
Archives