Configuring Linux Plesk to drop external MySQL connections

By default, your MySQL server can be wide open to the internet, accepting connections from everyone. Add some brute forcing and weak passwords on your part, and there will be a hack party in your database. The best thing to do is to block all external connections to the MySQL port (3306) and allow only internal (localhost) connections. Your web applications on the same host keep running while all outsiders are rejected. If needed, you can also allow one or more external static IPs to connect, but that is not addressed here.

Using the Plesk firewall module is one way to block external connections; however, it is simply a lame web interface to the iptables command. The best way to block external connections is to run the following commands as root.

# this rule makes sure everything on localhost keeps working
# (rules are appended with -A and matched in order, so it must come before the REJECT below)
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
# block all external connection attempts to MySQL (TCP port 3306)
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT
# persist the rules across reboots and reload them (RHEL/CentOS-style init script)
/etc/init.d/iptables save
/etc/init.d/iptables restart

# check the new definitions
iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:mysql reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

You can test your work from another server by running nmap against your server: port 3306 should no longer show as open.
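As an added check that is not part of the original post, the script below reads the output of "iptables -L INPUT -n" and confirms that the lockdown is actually in effect: a REJECT/DROP rule for TCP port 3306 exists, the loopback ACCEPT rule sits before it (iptables stops at the first matching rule, so an ACCEPT appended after the REJECT is never reached), and no world-open ACCEPT for 3306 precedes the block. The "--live" flag and the function name are my own choices.

```shell
#!/bin/sh
# check_mysql_lockdown: reads `iptables -L INPUT -n` output on stdin (the
# non -n form with "localhost"/"anywhere" names is accepted too) and returns
# 0 when MySQL is reachable from loopback only, 1 otherwise.
check_mysql_lockdown() {
    awk '
        # skip the "Chain ..." line and the column-header line
        /^Chain / || /^target / { next }
        # first loopback ACCEPT: source column is 127.0.0.1 or localhost*
        $1 == "ACCEPT" && ($4 ~ /^127\.0\.0\.1/ || $4 ~ /^localhost/) && !lo { lo = NR }
        # first REJECT or DROP of TCP traffic to the MySQL port
        ($1 == "REJECT" || $1 == "DROP") && $2 == "tcp" && /dpt:(3306|mysql)/ && !blk { blk = NR }
        # a world-open ACCEPT for 3306 that precedes the block defeats it
        $1 == "ACCEPT" && $4 ~ /^(0\.0\.0\.0\/0|anywhere)$/ && /dpt:(3306|mysql)/ && !blk { hole = 1 }
        END {
            if (!blk)            { print "FAIL: no REJECT/DROP rule for tcp dpt:3306"; exit 1 }
            if (hole)            { print "FAIL: a world-open ACCEPT for 3306 precedes the block"; exit 1 }
            if (!lo || lo > blk) { print "FAIL: loopback ACCEPT missing or placed after the block"; exit 1 }
            print "OK: MySQL reachable from loopback only"
            exit 0
        }'
}

# Live check on this host (needs root). Without --live nothing runs, so the
# function can be sourced and fed saved iptables output instead.
if [ "${1:-}" = "--live" ]; then
    iptables -L INPUT -n | check_mysql_lockdown
fi
```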

2 Comments

  1. Brad Ridgeway

    Europheus,

    I tried the iptables -A INPUT -p tcp --destination-port 3306 -j REJECT command and I got a syntax error. Can you please advise?

    Thanks,

    Brad

  2. europheus

    My guess is that your version of Linux is not supporting this full command. Try “man iptables” and see which token is not supported, and maybe there is a workaround on your operating system.
