binding mysql to localhost (I/O) [message #3026] |
Fri, 07 June 2002 17:45 |
Olliver
Hi,
I have a question concerning mysqld. I don't like that it's currently offering its services on all interfaces, so I'd like to bind the daemon just to localhost, so it won't be visible inside a network anymore. I know that there's a command-line parameter capable of doing this (mysqld --bind-address=127.0.0.1), but this is quite inconvenient if I want to use the RH-specific wrapper (safe_mysqld, a kind of shell script), as it does not accept this parameter (otherwise I would have added it to the initscript). Is there a way to activate the bind feature from /etc/my.cnf? I believe it should be possible, but I haven't found anything specific in the man pages.
bye
Ken
[Updated on: Sat, 08 June 2002 10:05]
Re: binding mysql to localhost (I/O) [message #3029 is a reply to message #3026] |
Fri, 07 June 2002 18:07 |
hackie
Ken Kizaki wrote on Fri, 07 June 2002 13:45 | Hi,
I have a question concerning mysqld. I don't like that it's currently offering its services on all interfaces, so I'd like to bind the daemon just to localhost, so it won't be visible inside a network anymore. I know that there's a command-line parameter capable of doing this (mysqld --bind-ip=127.0.0.1), but this is quite inconvenient if I want to use the RH-specific wrapper (safe_mysqld, a kind of shell script), as it does not accept this parameter (otherwise I would have added it to the initscript). Is there a way to activate the bind feature from /etc/my.cnf? I believe it should be possible, but I haven't found anything specific in the man pages.
bye
Ken
|
Actually there are a number of interesting options. First of all, consider turning off MySQL TCP/IP support entirely and just using unix sockets (/tmp/mysql.sock); that's certainly going to hide it from the network. Another option is to use your MySQL server's IP filtering capabilities, for example in Linux:
iptables -A INPUT -p tcp ! -d 127.0.0.1 --dport 3306 -j DROP
cc intelligence.c -o intelligence
$ ./intelligence
Segmentation fault
[Updated on: Fri, 07 June 2002 18:08]
Re: binding mysql to localhost (I/O) [message #3046 is a reply to message #3030] |
Sat, 08 June 2002 10:20 |
Olliver
Hi,
Meanwhile I did a bit of testing and playing around and found the following as the most useful solution:
The arguments can all be conveniently passed over to the daemon via /etc/my.cnf. The following illustrates the section in my.cnf where the entry has to be made:
Case 1 (binding SQL just to interface I/0):
[mysqld]
[...]
bind-address=127.0.0.1
This will cause the daemon to listen just on the loopback device, so no one in the network will have an idea that there's a daemon at all, because they are accessing the machine from a different interface (eth0, eth1 etc.). Makes sense where SQL and httpd are hogging up the same machine.
Case 2 (disabling TCP/IP completely):
[mysqld]
[...]
skip-networking
Now SQL only listens on local unix sockets, a solution I do prefer over the first one, because it's always better to reduce the amount of services on a machine (even if they're running on loopback) since it makes it less vulnerable.
bye Ken
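
A check for the two my.cnf settings discussed above, as an added example that is not part of the original thread: the hypothetical shell function mysqld_exposure reads a my.cnf-style file (or stdin) and reports whether its [mysqld] section leaves the server socket-only, loopback-only, or exposed on all interfaces. It assumes a single file with no !include directives, and the sample configs at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the network exposure that a
# my.cnf-style file configures for mysqld. Prints one of:
#   socket-only  skip-networking is set, no TCP listener at all
#   loopback     bind-address points at 127.x, ::1 or localhost
#   exposed      anything else, including no bind-address (all interfaces)
# Assumption: only this one file is read; !include/!includedir are not followed.
mysqld_exposure() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^[#;]/ || /^$/ { next }                      # comments, blank lines
        /^\[.*\]$/ { in_mysqld = ($0 == "[mysqld]"); next }
        !in_mysqld { next }                           # ignore [client] etc.
        {
            key = $0; val = ""
            eq = index($0, "=")
            if (eq > 0) { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            gsub(/[ \t]/, "", key)
            gsub(/_/, "-", key)                       # skip_networking == skip-networking
            sub(/[ \t]*#.*$/, "", val)                # trailing comment
            gsub(/[ \t]/, "", val)
            if (key == "skip-networking")
                skipnet = (val != "0" && toupper(val) != "OFF")
            if (key == "bind-address")
                bind = val                            # last occurrence wins
        }
        END {
            if (skipnet) print "socket-only"
            else if (bind ~ /^127\./ || bind == "::1" || bind == "localhost")
                print "loopback"
            else print "exposed"
        }
    ' "${1:--}"
}

# Constructed sample configs: no setting, Case 1 and Case 2 from the post.
printf '[mysqld]\ndatadir=/var/lib/mysql\n' | mysqld_exposure
printf '[mysqld]\nbind-address=127.0.0.1\n' | mysqld_exposure
printf '[mysqld]\nskip-networking\n' | mysqld_exposure
```

Run it as `mysqld_exposure /etc/my.cnf` after editing the file; a bind-address placed under a section other than [mysqld] is ignored and still reports exposed.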