What is port 33060 for in MySQL server ports, in addition to port 3306? - mysql

Background: I want to restrict inbound connections to the MySQL server to a specific host only, by setting inbound rules in Windows Firewall.
The MySQL server port is open on 3306.
However, when I open the firewall settings, I can see that two ports are open, 3306 and 33060, as follows:
What is that? Should I restrict 33060 as well?

The port for X Protocol (mysqlx_port), supported by clients such as MySQL Shell, MySQL Connectors and MySQL Router, is calculated by multiplying the port used for classic MySQL protocol by 10. For example if the classic MySQL protocol port is the default value of 3306 then the X Protocol port is 33060.
See MySQL Port Reference Tables for more information.
The MySQL X service is listening on all interfaces, by default over localhost, on TCP port 33060, and clients can connect to it through X Protocol. So you need to restrict it to a specific host to prevent connections through X Protocol. I suggest using it just for localhost.
You can see the ports opened by MySQL with the following command:
sudo lsof -i -P -n | grep 3306
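As an added example (not part of the original answer), the output of that command can be checked for MySQL listeners reachable from outside the machine. The sample lsof lines are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample of `sudo lsof -i -P -n | grep 3306` output (not from the page).
# Note that grepping for "3306" also matches "33060", so one command shows both ports.
SAMPLE_LSOF = """\
mysqld  1423 mysql  21u  IPv6  31877  0t0  TCP *:33060 (LISTEN)
mysqld  1423 mysql  23u  IPv4  31880  0t0  TCP 127.0.0.1:3306 (LISTEN)
mysqld  1423 mysql  41u  IPv4  40112  0t0  TCP 127.0.0.1:3306->127.0.0.1:51544 (ESTABLISHED)
"""

# Only listening sockets matter for inbound firewall rules.
LISTEN_RE = re.compile(r"TCP\s+(\S+):(\d+)\s+\(LISTEN\)")
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
MYSQL_PORTS = {3306: "classic protocol", 33060: "X Protocol"}


def exposed_listeners(lsof_text, ports=MYSQL_PORTS):
    """Return (port, protocol, bind address) for MySQL listeners not bound to loopback."""
    findings = []
    for line in lsof_text.splitlines():
        match = LISTEN_RE.search(line)
        if not match:
            continue  # established connections and unrelated lines
        addr, port = match.group(1), int(match.group(2))
        if port in ports and addr not in LOOPBACK:
            findings.append((port, ports[port], addr))
    return sorted(findings)


if __name__ == "__main__":
    for port, proto, addr in exposed_listeners(SAMPLE_LSOF):
        print(f"port {port} ({proto}) listens on {addr}: needs a firewall rule")
```

Every port this reports needs its own inbound restriction; in the constructed sample, 3306 is loopback-only while 33060 is bound to all interfaces.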

Related

Which port should I use for MariaDB? I can't seem to use 3306 as the TCP port for MariaDB because MySQL is already using that

I'm trying to set up MariaDB but my TCP port 3306 is already in use by MySQL, which has the same port already. How do I fix this problem, or rather how do I change to a different port?
3306 is the default port of both MySQL and MariaDB. You can change the port in either of these servers, using the port option in the server's configuration file.
See https://mariadb.com/kb/en/configuring-mariadb-with-option-files/
What value should you use? It's up to you, as long as no other service is using that port on your server host. You might pick 3307 for example.
All clients that need to connect to MariaDB will need to specify the port too. Most client connectors default to port 3306, and if you want to connect to a MySQL or MariaDB instance that has chosen a non-default port, then you need to specify that port in the client code when it makes a connection.

Remote Access MySQL connection error

I am trying to remotely connect to a MySQL server. I have followed advice from (1) and set up a user on the IP address I will be remotely accessing from.
user$ mysql -u TestUser -p -h 129.169.66.149
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '129.169.66.149' (60)
I have checked and the port (default, 3306) is correct and the ip address is correct. MySQL is also running.
From a remote computer, I can successfully ping the server
ping 129.169.66.149
64 bytes from 129.169.66.149: icmp_seq=48 ttl=63 time=1.010 ms
But when I use Telnet:
TELNET 129.169.66.149
Trying 129.169.66.149...
telnet: connect to address 129.169.66.149: Operation timed out
telnet: Unable to connect to remote host
Can anyone advise? Is this a firewall issue?
(1) - https://superuser.com/questions/826896/access-wordpress-mysql-database-remotely
First, check for a TCP connection issue using netcat and telnet. On the MySQL server, stop mysqld (to release port 3306) and run netcat in listen mode:
nc -l -p 3306
Now netcat is listening on port 3306 (like mysqld does when it's running) and will show what happens on that port (incoming connections, what's on the wire...).
On your remote computer (MySQL client), try to connect to the MySQL server host:
telnet 129.169.66.149 3306
or:
nc 129.169.66.149 3306
If this is not working, this is not a MySQL server configuration issue but a network issue, and you must check your router firewall rules.
Otherwise, your problem comes from the MySQL server settings. Check your MySQL configuration file for bind-address, and remove it to make mysqld accept clients from any IP address.
The 3306 port on the 129.169.66.149 server is closed; you'll have to open this port.
Use this reference as a guide: http://www.cyberciti.biz/faq/linux-unix-open-ports/
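The telnet/nc test from the answers above can also be scripted so that the three possible outcomes are told apart. This is an added example, not code from the original posts; the function names and the advice wording are assumptions.

```python
import socket

# What each outcome points to (wording added here, not taken from the answers).
ADVICE = {
    "open": "TCP path works; look at MySQL accounts and server settings",
    "refused": "host reachable but nothing accepts on that address/port; "
               "check that mysqld is running and what bind-address is set to",
    "timeout": "packets are dropped on the way; check firewall and router rules",
    "unreachable": "no route to the host or the name does not resolve",
}


def probe(host, port=3306, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        # Same condition as telnet's "Operation timed out" and the mysql
        # client's ERROR 2003 ... (60); errno 60 is ETIMEDOUT on macOS/BSD.
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(host, port=3306, timeout=3.0):
    """Return the probe result together with the matching next step."""
    result = probe(host, port, timeout)
    return result, ADVICE[result]


if __name__ == "__main__":
    # Constructed offline demo: a local listener stands in for mysqld.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(diagnose("127.0.0.1", srv.getsockname()[1]))
    srv.close()
```

A "timeout" result matches the symptoms in the question, while "refused" means the host answered and the listener or its bind address is the place to look.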

Accessing rds MySql db with SSL 443 instead of 3306

I am trying to access my RDS MySQL db via 443 only instead of 3306.
After enabling the SSL option in Workbench and entering the path to the mysql-ssl-ca-cert.pem, I tried to disable TCP 3306 on my security group to ensure it connects using 443, but it doesn't.
I can connect using the mysql command line below, but yet again it fails once I disable TCP 443 on the security group
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl_ca=rds-ssl-ca-cert.pem
Amazon documentation states:
The SSL support in Amazon RDS is strictly for encrypting the connection between your client and your DB instance; it should not be relied on for authenticating the server.
Does this mean that I can only ever authenticate to mysql db over 3306 and not 443, but the data will be encrypted in transit?
My issue is that my customer won't open 3306 outbound on their firewall but 443 is of course opened. Any help appreciated.
You are confusing SSL and HTTPS. Port 443 is the default port for HTTPS connections. MySQL uses 3306 instead (and can use SSL over this port or any other to encrypt the connection). So, setting up SSL encryption for a MySQL connection doesn't affect the used port.
In order to use a port other than the standard one, you have to reconfigure the MySQL server, which you probably cannot do with an RDS instance.
It is possible to use tunneling to avoid the default port. In this scenario you have to open an SSH tunnel (MySQL Workbench can do that for you, or you can use an external program like PuTTY on Windows or ssh on *nix-like OSes). With that tunnel in place (which uses port 22 by default but can be configured for any other port if that matters for you), you can then forward access from a local port (here 3306, but it can be any) to a remote port (which can be any as well). This requires an SSH server on the remote end, however.

how to add a port to mysql server

I want to add another TCP port to MySQL so that I can connect to that port from my application.
I have a duplicate of my application and I'm running them both from the same machine. They both are connected to the MySQL server that is running on the same machine. The problem is that the default port 3306 is already taken.
You cannot bind mysqld to listen to multiple ports. The only way you can achieve this is with internal routing rules which would forward the target port to 3306.
If you are on Linux, you can achieve this using iptables. iptables is a bundle of fun normally reserved for system administrators, though.
Is there a reason why both copies of your application can't connect to the same port 3306? Normally you should be able to have any number of clients connecting.
You can do that with something like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9005 -j REDIRECT --to-port 9000
Where eth0 is your network dev, 9005 is your "source port", and 9000 the port where your service is running. Oh, that example is for TCP protocol only.
You can find more examples about port redirection here. Useful site for Linux, btw.
A single mysql instance can host multiple databases. So an alternative for you is that each application connects to the same mysql instance running at port 3306, but each uses a different database name.

How do I forward from one local port to another local port on OS X?

I have a MySQL instance running locally on port 3306, but for some legacy apps I also want to make it available on port 3305 (don't ask). Is there an easy way to do this on OS X, so that if I try to connect on either 3305 or 3306 they will both go to the MySQL server on 3306?
You can use ipfw to set up a forwarding rule for port 3305 to send it to port 3306.
ipfw add fwd localhost,3306 tcp from any to any 3305 via en0
My syntax might be a little off and you may have to change it to the actual IP address or add a second rule for it.