FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » General » Database discussions » binding mysql to localhost (I/O)
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
binding mysql to localhost (I/O) [message #3026] Fri, 07 June 2002 17:45 Go to next message
Olliver   Germany
Messages: 443
Registered: March 2002
Karma: 0
Senior Member
Hi,
I have a question concerning the mysqld. I don't like that it's currently offering its services to all interfaces, so I'd like to bind the daemon just to localhost, so it won't be visible anymore inside of a network. I know that there's a commandline parameter capable of for doing this (mysqld --bind-address=127.0.0.1) but this is quite inconvenient if I want to use the RH specific wrapper (safe_mysqld, kind of a shellskript) as it does not accept this parameter (else I had added it into the initscript). Is there a way to activate the bind feature from /etc/my.cnf ? I believe it should be possible but I haven't found something specific in the manpages.
bye
Ken

[Updated on: Sat, 08 June 2002 10:05]

Report message to a moderator

Re: binding mysql to localhost (I/O) [message #3029 is a reply to message #3026] Fri, 07 June 2002 18:07 Go to previous messageGo to next message
hackie is currently offline  hackie   Canada
Messages: 177
Registered: January 2002
Karma: 0
Senior Member
Core Developer

Ken Kizaki wrote on Fri, 07 June 2002 13:45

Hi,
I have a question concerning the mysqld. I don't like that it's currently offering its services to all interfaces, so I'd like to bind the daemon just to localhost, so it won't be visible anymore inside of a network. I know that there's a commandline parameter capable of for doing this (mysqld --bind-ip=127.0.0.1) but this is quite inconvenient if I want to use the RH specific wrapper (safe_mysqld, kind of a shellskript) as it does not accept this parameter (else I had added it into the initscript). Is there a way to activate the bind feature from /etc/my.cnf ? I believe it should be possible but I haven't found something specific in the manpages.
bye
Ken


Actually there is a number of interesting options, first off all consider turning off mysql tcp/ip support entirly, and just using unix sockets /tmp/mysql.sock, that's certianly going to hide it from network, another option is to use your mysql's server's ip filtering capabilities, for example in linux

iptables -A input -p tcp -d ! 127.0.0.1 tcp --dport 3306 -j DROP
.


cc intelligence.c -o intelligence
$ ./intelligence
Segmentation fault

[Updated on: Fri, 07 June 2002 18:08]

Report message to a moderator

Re: binding mysql to localhost (I/O) [message #3030 is a reply to message #3029] Fri, 07 June 2002 19:12 Go to previous messageGo to next message
Olliver   Germany
Messages: 443
Registered: March 2002
Karma: 0
Senior Member
Hi,
actually my approach till now has been hiding the port using ipchains. My thought was since Apache only looks for the sql daemon locally there's absolutely no need for offering the service to the rest of the network. Since I use the unix sockets anyway (because of performance issues) I should try this proposal with completely disabling TCP/IP. I'll take a look into the documentation how to handle this. Thnx for ur help Smile
bye
Ken
Re: binding mysql to localhost (I/O) [message #3046 is a reply to message #3030] Sat, 08 June 2002 10:20 Go to previous message
Olliver   Germany
Messages: 443
Registered: March 2002
Karma: 0
Senior Member
Hi,
Meanwhile I did a bit of testing and playing around and found the following as the most useful solution:
The arguments can all be conveniently passed over to the daemon via /etc/my.cnf.The following illustrates the section in my.cnf, where the entry has to be made:

Case 1 (binding SQL just to interface I/0):

[mysqld]
[...]
bind-address=127.0.0.1

This will the daemon cause just to listen on the loopback device, so no one in the network will have an idea that there's a daemon at all, because they are accessing the machine from a different interface (eth0, eth1 etc). Makes sense where SQL and httpd are hogging up the same machine.

Case 2 (disabling TCP/IP completely):

[mysqld]
[...]
skip networking

Now SQL only listens on local unix sockets, a solution I do prefer over the first one, because it's always better to reduce the amount of services on a machine (even if they're running on loopback) since it makes it less vulnerable.
bye Ken
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Tip for mysql
Next Topic: Scheduling Actions - Automation 101 question.
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 21 11:27:44 GMT 2024

Total time taken to generate the page: 0.03249 seconds