By default, your MySQL server can be wide open to the internet, accepting connections from anyone. With some brute force and bad passwords on your part, there will be a hack party in your database. The best thing to do is to block all external connections to your MySQL port (3306) and allow only internal (localhost) connections. This lets your web applications on the same host keep running while every outside connection is rejected. If needed, you can also allow one or more external static IPs to connect, however that is not addressed here.
Using the Plesk firewall module is one way to block external connections, however it is simply a lame web interface to the iptables command. The best way to block external connections is to run the following commands as root.
This command makes sure everything on localhost keeps working (it must come before the REJECT rule, because iptables stops at the first matching rule):

    iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT

Block all external connection attempts to MySQL, then save the rules so they survive a reboot and restart the service (the save/restart commands are the RHEL/CentOS iptables init script):

    iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
    /etc/init.d/iptables save
    /etc/init.d/iptables restart
Check the new definitions with iptables -L; the INPUT chain should now show the localhost ACCEPT rule followed by the MySQL REJECT rule:

    Chain INPUT (policy ACCEPT)
    target     prot opt source                 destination
    ACCEPT     all  --  localhost.localdomain  localhost.localdomain
    REJECT     tcp  --  anywhere               anywhere               tcp dpt:mysql reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target     prot opt source                 destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source                 destination
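The steps above can be wrapped in a small script that is safe to re-run and that verifies the result. The following is an added example, not code from the original post: it applies the same two rules only when they are not already present (using the iptables -C check flag), and it checks a rule listing to confirm both that the REJECT rule for port 3306 exists and that the localhost ACCEPT rule precedes it. The sample listings embedded in the script are constructed, not captured from a real host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: applies the post's two rules
# idempotently and checks a rule listing for the expected order.
# Assumes iptables with the -C (check) flag; the listings below are constructed.
set -eu

MYSQL_PORT=3306

# Append a rule to INPUT only if an identical one is not already there
# (iptables -C exits 0 when the rule exists), so re-running never duplicates.
add_input_rule_once() {
    if iptables -C INPUT "$@" 2>/dev/null; then
        echo "already present: $*"
    else
        iptables -A INPUT "$@"
        echo "added: $*"
    fi
}

# Read an `iptables -L INPUT -n` listing on stdin. Exit 0 only when a REJECT
# rule for tcp dport 3306 exists AND a localhost ACCEPT rule comes before it
# (-n prints 127.0.0.1; the post's listing prints localhost.localdomain).
mysql_rules_ok() {
    awk -v port="$MYSQL_PORT" '
        $1 == "ACCEPT" && $2 == "all" && $4 ~ /^(127\.0\.0\.1|localhost)/ && !acc { acc = NR }
        $1 == "REJECT" && $2 == "tcp" && $0 ~ ("dpt:" port "( |$)") && !rej { rej = NR }
        END { exit !(acc && rej && acc < rej) }
    '
}

# The same two rules as the post; order matters because iptables stops at
# the first matching rule, so the localhost ACCEPT must precede the REJECT.
apply_mysql_lockdown() {
    add_input_rule_once -p all -s localhost -d localhost -j ACCEPT
    add_input_rule_once -p tcp --dport "$MYSQL_PORT" -j REJECT
    iptables -L INPUT -n | mysql_rules_ok || {
        echo "rules applied but the listing does not show the expected order" >&2
        return 1
    }
}

# Constructed sample listing (not captured from a real host) in the shape
# `iptables -L INPUT -n` prints after the two rules above are added.
SAMPLE_OK='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            127.0.0.1
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 reject-with icmp-port-unreachable'

# Same rules in the wrong order: the REJECT would also hit local web apps.
SAMPLE_WRONG_ORDER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 reject-with icmp-port-unreachable
ACCEPT     all  --  127.0.0.1            127.0.0.1'

if [ "${1:-}" = "apply" ]; then
    apply_mysql_lockdown        # needs root and a real iptables
else
    printf '%s\n' "$SAMPLE_OK" | mysql_rules_ok && echo "sample listing: OK"
    printf '%s\n' "$SAMPLE_WRONG_ORDER" | mysql_rules_ok || echo "wrong-order listing: rejected as expected"
fi
```

Run it with no arguments to exercise the checker against the constructed listings; run it as root with the argument apply to add the rules on a real host. The listing check deliberately uses the numeric form (iptables -L INPUT -n, without -v) so that the column positions it parses are stable; the post's save and restart commands are left to the RHEL/CentOS init script and are not repeated here.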
You can test your work from another server by running nmap (serverip) against it: port 3306/tcp should no longer be reported as open.