Something opens port 3306 on reboot

Discussion in 'Server Operation' started by counterpoint, Nov 9, 2010.

  1. counterpoint

    counterpoint New Member

    I'm running a Debian-based web server (much of it set up using how to help) that I thought was pretty secure. It has an iptables setup that blocks everything by default and opens very little.

    But I have discovered that on reboot, port 3306 is being opened. What could be doing this? Running my iptables script again closes the port. The script is in /etc/network/if-up.d/ so should run during startup.

    Restarting MySQL does not cause the port to be opened. What could be opening the port? How can I find out?
  2. falko

    falko Super Moderator ISPConfig Developer

    Is there anything in /etc/rc.local that could be doing this?
  3. counterpoint

    counterpoint New Member

    No, it does nothing. But I can now answer the question myself, for the record. It demonstrates two issues that might cause trouble for others who share my limited understanding.

    The opening of port 3306 was by MySQL itself. The default my.cnf in the [mysqld] section has a line "bind-address =" which I have been in the habit of commenting out. The problem with this line is that it can get in the way of setting up things like an SSH tunnel. But I did not adequately comprehend the preceding comment. The bind-address restriction has apparently superseded the use of skip-networking. But for the kind of configurations I need, it is essential to reinstate skip-networking, otherwise MySQL will open port 3306 to the world at large, apparently after iptables has closed it.

    The other problem that I stumbled across around the same time could have been fatal in combination with port 3306. On installation, MySQL creates not just one root user, but three root users. They have different hosts. One is @localhost, another is @ and the third is If setting passwords is skipped during initial installation, and the common advice is followed to set the root password using mysqladmin, only the password for [email protected] is set. The others will remain without a password, and therefore highly vulnerable.

    Incidentally, I skipped password setting during installation largely because the terminal in use was by default not fully compatible with the character set used by the server, a problem that showed up in the use of graphic characters for the password setting screens.
  4. kn

    kn Banned

    lsof -i | grep LISTEN
    lsof -P | grep LISTEN
    netstat -pn -l -A inet
    netstat -pn -l --inet
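
The my.cnf behaviour described in post 3, as an added example that is not part of the original thread: a shell function that reads the [mysqld] section and reports whether mysqld would listen on every interface, on loopback only, on one specific address, or not on TCP at all. The function name `mysqld_exposure`, its output labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a my.cnf exposes mysqld.
# Only the [mysqld] section is read. Lines starting with '#' or ';' are
# comments, so a commented-out bind-address counts as absent.
mysqld_exposure() {
    awk '
        /^[ \t]*[#;]/ { next }                       # whole-line comment
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_sec       { next }                       # other sections ignored
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)              # strip trailing comment
            gsub(/[ \t]/, "", line)
            n = index(line, "=")
            key = (n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            gsub(/_/, "-", key)                      # accept skip_networking too
            if (key == "skip-networking" && val !~ /^(0|OFF|off|FALSE|false)$/)
                skip = 1
            if (key == "bind-address")
                bind = val
        }
        END {
            # A missing or empty bind-address is reported as the worst case.
            if (skip)
                print "no-tcp"
            else if (bind == "" || bind == "0.0.0.0" || bind == "*" || bind == "::")
                print "all-interfaces"
            else if (bind == "127.0.0.1" || bind == "localhost" || bind == "::1")
                print "loopback-only"
            else
                print "bound:" bind
        }
    ' "$1"
}

# Constructed sample matching the thread: bind-address commented out and
# skip-networking not set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
port = 3306
[mysqld]
user = mysql
#bind-address = 127.0.0.1
EOF
echo "sample config: $(mysqld_exposure "$sample")"
rm -f "$sample"
```

Run it against the server's own file (on Debian, /etc/mysql/my.cnf) and compare the result with the listening sockets shown by the commands in post 4. Files pulled in through include directives are not followed, so check those separately.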
