mySQL remote access hosts with CSF firewall

December 13, 2017

DirectAdmin offers a MySQL remote access hosts feature where you can add remote IP addresses that are allowed to reach your database. This also requires port TCP 3306 to be open in your server's firewall; otherwise the connection is still not possible. Normally you would open port TCP 3306 in your firewall to all sources, so that customers do not complain that their connection does not work after adding an IP address.

The bad thing about this is that your MySQL database server is then reachable from the whole internet. Access filtering is done within MySQL, but that will not protect you when a (zero-day) bug in MySQL itself is exploited. Therefore we created the following script.

This script reads all remote access host IP addresses and adds them to the file /etc/csf/mysql.allow. This allow file is included from /etc/csf/csf.allow, with the result that port TCP 3306 is only opened for those IP addresses that are added as access hosts within DirectAdmin. Port TCP 3306 can then be closed to the rest of the internet.

But: this script does not work with domain names or hostnames added as remote hosts. Only IPv4 and IPv6 addresses will work. To check the current list of remote hosts use this command:

If the result contains domain names or hostnames other than the hostname of your server, please change those values to IP addresses within DirectAdmin.

Installation:

1. Add this line to /etc/csf/csf.allow:

2. Remove port 3306 from your TCP_IN and TCP6_IN settings in /etc/csf/csf.conf.

3. Put this script somewhere on your server (for example in /usr/local/):

4. Add the script to your crontab so it runs every minute.

Now run the script manually for the first time. If remote access hosts are present you will see CSF restarting. If the output contains “nothing to do”, restart CSF manually to activate the changes made in steps 1 and 2.
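An added example script that implements the steps above together with the hostname caveat from earlier; it is not the script from the original post (which this page does not show). It reads the access hosts, keeps only literal IPv4/IPv6 addresses, writes CSF advanced allow rules to /etc/csf/mysql.allow and reloads CSF only when that file actually changed, which is what produces the “nothing to do” case. The `SELECT DISTINCT Host FROM mysql.user` query, the root `~/.my.cnf` credentials, the `/usr/local/mysql-allow.sh` path and the `--run` flag are assumptions; the allow-file path comes from the post.

```shell
#!/bin/sh
# Added example, not the original post's script. Rebuilds /etc/csf/mysql.allow
# from DirectAdmin's MySQL remote access hosts, keeps literal IPv4/IPv6
# addresses only (hostnames are skipped, as the post warns), and reloads CSF
# only when the include file actually changed.

ALLOW_FILE="${ALLOW_FILE:-/etc/csf/mysql.allow}"  # include file named in the post
MYSQL_PORT="${MYSQL_PORT:-3306}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for i in 1 2 3 4; do
        octet=$(printf '%s\n' "$1" | cut -d. -f"$i")
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR: loose check, hex groups with at least two colons.
is_ipv6() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+$' ;;
        *)     return 1 ;;
    esac
}

is_ip() { is_ipv4 "$1" || is_ipv6 "$1"; }

# build_allow: read one access host per line on stdin and print a CSF advanced
# allow rule (tcp|in|d=PORT|s=ADDR) for each literal address, de-duplicated.
# "%" and "localhost" are MySQL notions, not routable sources, so they are
# dropped silently; hostnames are reported on stderr and dropped, because a
# DNS name can resolve to something else tomorrow.
build_allow() {
    while IFS= read -r host; do
        host=$(printf '%s' "$host" | tr -d '[:space:]')
        [ -n "$host" ] || continue
        case "$host" in
            localhost|%) continue ;;
        esac
        if is_ip "$host"; then
            printf 'tcp|in|d=%s|s=%s\n' "$MYSQL_PORT" "$host"
        else
            printf 'skipping non-IP access host: %s\n' "$host" >&2
        fi
    done | LC_ALL=C sort -u
}

# update_allow_file FILE: regenerate FILE from the hosts on stdin and print
# "updated" if the contents changed, "nothing to do" otherwise.
update_allow_file() {
    target=$1
    tmp=$(mktemp) || return 1
    build_allow > "$tmp"
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo "nothing to do"
    else
        mv "$tmp" "$target"
        echo "updated"
    fi
}

# Cron entry point, assumed as: * * * * * /usr/local/mysql-allow.sh --run
# Assumption: DirectAdmin's access hosts appear as Host values in mysql.user,
# and the mysql client finds root credentials in /root/.my.cnf.
if [ "$1" = "--run" ]; then
    result=$(mysql -N -B -e "SELECT DISTINCT Host FROM mysql.user" | update_allow_file "$ALLOW_FILE")
    echo "$result"
    if [ "$result" = "updated" ]; then
        csf -r    # reload the firewall rules so the new include takes effect
    fi
fi
```

The script assumes step 1 above added CSF's `Include` directive for the allow file to /etc/csf/csf.allow and that step 2 removed 3306 from TCP_IN/TCP6_IN, so the only path to port 3306 from outside is through the generated rules. Because the file is compared before being replaced, a cron run with no changes never touches CSF, and the write goes through a temporary file so a reload never sees a half-written include.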
