While checking MySQL a while ago I noticed that port 3306 was listening on all interfaces, which felt insecure:
netstat -anlp | grep mysql
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      638/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     12305521 638/mysqld          /tmp/mysql.sock
Of course I also wanted to do this with iptables, but that still did not seem to be the answer:
iptables -A INPUT -p tcp -s $ANY --dport 3306 -j DROP
To quote an article from ChinaUnix:
* Security configuration * For data security you can consider having MySQL listen only on 127.0.0.1, so that the database cannot be accessed directly from the Internet.
Edit the file /etc/init.d/mysql and find the following line in the start section:
$bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file &
Change it to:
$bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file --bind-address=127.0.0.1 &
Restart MySQL:
/etc/init.d/mysql restart
Finally confirm with netstat -l:
tcp        0      0 localhost:mysql         *:*                     LISTEN
OK
So I edited /etc/init.d/mysql and found the line. I changed the original
$bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file >/dev/null 2>&1 &
into
$bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file --bind-address=127.0.0.1 &
Restarted MySQL: /etc/init.d/mysql restart
Then checked the result with netstat -l:
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN
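As an added check that is not part of the original post, the POSIX shell script below parses netstat output (the two samples are constructed to mirror the before and after output above) and reports any MySQL TCP listener that is not bound to a loopback address; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit netstat output and report
# any MySQL TCP listener that is not bound to a loopback address.
# The two samples below are constructed to mirror the post's before/after output.

BEFORE_SAMPLE='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      638/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     12305521 638/mysqld          /tmp/mysql.sock'

AFTER_SAMPLE='tcp        0      0 localhost:mysql         *:*                     LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     12305521 638/mysqld          /tmp/mysql.sock'

# mysql_exposed_listeners (hypothetical helper): read netstat output on stdin
# and print the local address of every MySQL TCP socket in LISTEN state whose
# address is not loopback. Matches by port 3306 or the "mysql" service name,
# so it works with both "netstat -anl" and "netstat -l" output.
mysql_exposed_listeners() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" && $4 ~ /:(3306|mysql)$/ {
        addr = $4
        sub(/:[^:]*$/, "", addr)          # drop the port / service name
        if (addr != "127.0.0.1" && addr != "::1" && addr !~ /^localhost/)
            print $4
    }'
}

# check_mysql_bind (hypothetical helper): exit 0 when MySQL listens only on
# loopback, 1 when it is reachable from the network.
check_mysql_bind() {
    exposed=$(mysql_exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "MySQL is reachable from the network on: $exposed"
        return 1
    fi
    echo "MySQL is bound to loopback only"
    return 0
}

# Demo against the constructed samples; on a live host use: netstat -anl | check_mysql_bind
printf '%s\n' "$BEFORE_SAMPLE" | check_mysql_bind || true
printf '%s\n' "$AFTER_SAMPLE" | check_mysql_bind
```

On current MySQL and MariaDB packages the same result is normally obtained by setting bind-address = 127.0.0.1 under [mysqld] in my.cnf rather than editing the init script, which a package upgrade may overwrite; the check above works either way.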