By default, your MySQL server can be wide open to the internet, accepting connections from everyone. With some brute force and bad passwords on your part, there will be a hack party in your database. The best thing to do is to block all external connections to your MySQL port (3306) and allow only internal (localhost) connections. This lets your web applications on the same server keep running while all outsiders are rejected. If needed, you can also allow one or more external static IPs to connect, but that is not covered here.
Using the Plesk firewall module is one way to block external connections, but it is simply a lame web interface to the iptables command. The most direct way to block external connections is to run the following commands as root.
This rule makes sure everything on localhost keeps working:
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
Block all external connection attempts to MySQL:
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
Save the rules so they survive a reboot, then reload them:
/etc/init.d/iptables save
/etc/init.d/iptables restart
Check the new definitions:
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
REJECT     tcp  --  anywhere               anywhere               tcp dpt:mysql reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source                 destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source                 destination
You can test your work from another server by running: nmap (serverip). Port 3306 should no longer be listed as open.
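The two rules above only work if they end up in the right order, since -A appends to the end of the chain and iptables stops at the first match. The script below is an added example, not part of the original post: it prints the rules in the order they must be applied and audits an `iptables --list` dump (the sample listing is constructed from the output shown above) to confirm the localhost ACCEPT sits before the MySQL REJECT.

```sh
#!/bin/sh
# Added example (not from the original post): apply the two rules in the
# right order and audit an `iptables --list` dump to confirm they took effect.

# The rules from the post, in the order they must be appended. Long options
# use two ASCII hyphens; a pasted en dash ("–destination-port") is a syntax error.
print_mysql_rules() {
  cat <<'EOF'
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
EOF
}

# audit_input_chain reads `iptables --list` output on stdin. Exit status:
#   0  Chain INPUT has the localhost ACCEPT before the REJECT for MySQL
#   1  no REJECT for tcp dpt:mysql (or dpt:3306) in Chain INPUT
#   2  the REJECT exists but the localhost ACCEPT is missing or comes after it
audit_input_chain() {
  awk '
    /^Chain /        { chain = $2; next }
    chain != "INPUT" { next }
    $1 == "ACCEPT" && $4 ~ /^localhost/ && !seen_reject { accept_first = 1 }
    $1 == "REJECT" && $2 == "tcp" && /dpt:(mysql|3306)/ { seen_reject = 1 }
    END { if (!seen_reject) exit 1; if (!accept_first) exit 2; exit 0 }'
}

# Constructed sample: the listing shown in the post, used for an offline check.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
REJECT tcp -- anywhere anywhere tcp dpt:mysql reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Print a verdict for a listing passed as $1 (defaults to the sample above).
# On a live server: report "$(iptables --list)"
report() {
  printf '%s\n' "${1:-$SAMPLE_LISTING}" | audit_input_chain
  rc=$?
  case $rc in
    0) echo "ok: port 3306 is rejected for external hosts, localhost allowed" ;;
    1) echo "missing: no REJECT for MySQL in Chain INPUT" ;;
    *) echo "misordered: localhost ACCEPT must come before the MySQL REJECT" ;;
  esac
  return $rc
}
```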
2 replies on “Configuring Linux Plesk to drop external MySQL connections”
Europheus,
I tried the iptables -A INPUT -p tcp --destination-port 3306 -j REJECT command and I got a syntax error. Can you please advise?
Thanks,
Brad
My guess is that your version of Linux does not support this full command. Try “man iptables” and see which token is not supported; maybe there is a workaround on your operating system.