On Tuesday 29 April 2008, kashani wrote: > Peter Humphrey wrote: > > Having just installed mysql on my server, I've found that I have to set > > bind-address = 0.0.0.0 in /etc/mysql/my.cnf to enable me to connect to > > mysqld over the local network: leaving it at the default 127.0.0.1 causes > > connection requests to be rejected. > > > > Is there a more secure value for this parameter? I want to be able to > > connect over either of two network segments, 192.168.2.0/29 and > > 192.168.3.0/29, as well as locally on the server box. I've tried a > > compound setting in bind-address, but mysqld then refuses to start. > > 0.0.0.0 is the only setting I've found so far that lets me in. > > I generally remove the bind setting so that Mysql listens on all IPs on > the box. You can then have firewall rules at your border or locally on > the box to control access to 3306. You can also set access on a per user > basis within mysql > > GRANT CREATE,DELETE,INSERT,SELECT,UPDATE PRIVILEGES ON your_db.* TO > 'your_user'@'localhost'; > GRANT CREATE,DELETE,INSERT,SELECT,UPDATE PRIVILEGES ON your_db.* TO > 'your_user'@'192.168.2.%'; > > and so on. > > kashani
The --bind-address option works for one IP address only. If you set it to 127.0.0.1 only connections from localhost will be listened to. If you set it to 0.0.0.0 connections from all addresses are listened to. I believe that you can have one IP address set by using --bind-address and also have defined a unix socket for mysqld to listen to. The unix socket can be set up for local connections (you need to allow fs access for the unix socket to the mysql client user of course, otherwise the socket will not be accessible). As others have mentioned the firewall adds security by restricting inbound source addresses. HTH. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
