MySQL - public open port | BE AWARE!

Hi everyone,

I recently saw some discussions about MySQL on Discord and I’d like to point it out here as well.
If you have a database and you’d like to access it remotely (web server → MySQL or anything else), make sure you do not allow any IP through that port. Do not allow all IPs. Only allow the IP addresses / subnets you need.
You can get DDoSed on that port and if your database disconnects/freezes for a second, your database will get corrupted - any table that was being accessed at that time / running queries. Even if the connection server <-> database is on localhost but your port is publicly open.
Most of the Layer 7 attacks will not even be noticed by the hosting companies.

This is a mistake I see quite often. Most people do not realize it until it’s too late.

That sounds a little bit sensationalist: “your database will get corrupted”… vs there is a chance that it could…

HOWEVER

I totally agree with your sentiment that allowing global access to your DB server is not going to be a great idea unless you actually need a large number of people on different IPs to be able to access it AND there is no way to put it behind a VPN. Make sure you have a good root password set on the DB whilst you are at it.

You should NEVER make any service available publicly without considering who needs to access it and from where and apply rules appropriately.

I have aliases set up in pfSense for things like “access_to_unifi” and then add customer public IPs or dynamic DNS entries to that alias. The alias is then used to create dynamically updating rules. Works like a charm.
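
Added example, not part of the thread: a small audit for the mistake discussed above, which flags a MySQL port that listens beyond loopback and firewall rules that accept it from any source. It parses text in the format of `ss -ltn` and `iptables-save`; the function names and the sample data are constructed for illustration, and it assumes plain `--dport` rules with a default-DROP INPUT policy.

```python
import ipaddress
import shlex

MYSQL_PORT = 3306

def public_listeners(ss_output, port=MYSQL_PORT):
    """Sockets in `ss -ltn` output listening on `port` beyond loopback."""
    hits = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "LISTEN":
            continue
        host, _, p = f[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets / %iface
        if p == str(port) and (host == "*" or not ipaddress.ip_address(host).is_loopback):
            hits.append(f[3])
    return hits

def open_accept_rules(iptables_save, port=MYSQL_PORT):
    """INPUT ACCEPT rules for tcp/`port` that match any source address.
    Assumes plain `--dport N` rules and a default-DROP INPUT policy."""
    hits = []
    for line in iptables_save.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if (opts.get("-p"), opts.get("--dport"), opts.get("-j")) != ("tcp", str(port), "ACCEPT"):
            continue
        if ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False).prefixlen == 0:
            hits.append(line.strip())
    return hits

# Constructed sample data (documentation address range), not from the thread.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      151          0.0.0.0:3306       0.0.0.0:*
LISTEN 0      70         127.0.0.1:33060      0.0.0.0:*
"""
RULES_OPEN = "-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT\n"
RULES_SCOPED = "-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT\n"

if __name__ == "__main__":
    print("listening beyond loopback:", public_listeners(SS_SAMPLE))
    print("unscoped rules:", open_accept_rules(RULES_OPEN))
    print("scoped ruleset flags:", open_accept_rules(RULES_SCOPED))
```

A host is only exposed when both checks report something; either binding MySQL to loopback or scoping the rule with `-s` closes it.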