Dev.To: Is your MySQL server open to the public internet?

February 3, 2024

Is your MySQL server open to the public Internet?

Full article available on DEV.to

According to an article by the Shadowserver Foundation, 2.3 million MySQL server instances worldwide were found accessible on port 3306 when scanned. I was really surprised by the large number and am pretty certain that most people didn't expose them on purpose.

First, let's talk about why having your MySQL port (or any port) accessible on the public internet is an attack surface. Any port that is reachable on a public IP address will be scanned; this is a fact. Once a scan finds a service responding on that port, the attacks begin: brute-force attempts on username/password combinations, known exploits against the OS and applications, other published Common Vulnerabilities and Exposures (CVEs), and whatever new techniques are being developed, which happens constantly.

Mitigation

  • Add a VPN to reach the MySQL server, which lets you close the external port on the public IP address.
  • Manage an IP allow list so that port scanners cannot detect the port. This can be combined with the VPN to keep the VPN port itself from being detected.
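The allow-list option above only works if the list stays tight. The following is an added example, not Remote.It's code or anything from the DEV.to article: it validates a list of allowed source networks, flags entries that would quietly reopen the port (such as 0.0.0.0/0 or a very wide range), and renders an nftables ruleset that accepts port 3306 from the list and silently drops everything else so scanners get no response. The MySQL bind-address lines show the weak setting beside a tightened one; the 10.0.0.5 interface address and the /24 and /64 breadth thresholds are assumptions for illustration.

```python
"""Review a MySQL allow list and render host firewall rules for it.

Added example (not Remote.It's tooling). The nftables text is one way to apply
an allow list on a Linux host; on a cloud host the same list would go into the
provider's security group instead.
"""
import ipaddress

MYSQL_PORT = 3306

# my.cnf [mysqld] bind setting: weak value beside a tightened one. Even behind a
# firewall, binding to one private interface limits where the listener answers.
# 10.0.0.5 is an assumed private VPN/LAN interface address.
BIND_ADDRESS_WEAK = "bind-address = 0.0.0.0"     # answers on every interface
BIND_ADDRESS_FIXED = "bind-address = 10.0.0.5"   # answers only on the private side


def review_allowlist(cidrs):
    """Return (accepted_networks, problems).

    An entry is rejected when it is not a valid address/network, when it covers
    everything (0.0.0.0/0 or ::/0), or when it is broader than /24 (IPv4) or /64
    (IPv6), which usually means a range was typed where a host was intended.
    """
    accepted, problems = [], []
    for entry in cidrs:
        try:
            # strict=False accepts host bits set, e.g. "10.0.0.5/24" -> 10.0.0.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not a valid address or network")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: allows the whole internet, defeating the list")
            continue
        floor = 24 if net.version == 4 else 64  # assumed breadth thresholds
        if net.prefixlen < floor:
            problems.append(f"{entry}: broader than /{floor}, confirm this is intended")
            continue
        accepted.append(net)
    return accepted, problems


def render_nft_rules(accepted, port=MYSQL_PORT):
    """Emit an nftables ruleset: accept the port from listed sources, drop it
    from everywhere else. Drop rather than reject so a scanner sees no reply."""
    lines = [
        "table inet mysql_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    for net in accepted:
        family = "ip" if net.version == 4 else "ip6"
        lines.append(f"    {family} saddr {net} tcp dport {port} accept")
    lines.append(f"    tcp dport {port} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed allow list: two good entries and three that should be flagged.
    sample = ["203.0.113.10/32", "10.0.0.0/24", "0.0.0.0/0", "not-an-ip", "172.16.0.0/12"]
    ok, bad = review_allowlist(sample)
    for problem in bad:
        print("PROBLEM:", problem)
    print(render_nft_rules(ok))
```

The output can be loaded with `nft -f` once reviewed; the point of the review step is that a single over-broad entry turns an allow list back into an open port, so treat anything flagged as a change request rather than something to wave through.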

Read the complete list of pros and cons for each mitigation option.

These mitigations are not Zero Trust Network Architecture (ZTNA), in which each user is given access only to the resources they are authorized for, with the least privileges possible.

Use Remote.It

Remote.It allows you to close the open port while still giving your people and resources access. When you connect to a resource such as MySQL via Remote.It, you are given a localhost address and a unique port. You can use this in your development environment connection configuration, database query tools, etc. There is no connecting, disconnecting, and reconnecting when you change locations or your laptop wakes up from sleep. These on-demand connections go idle when you are not actively using them and become active again when you do.

Easy to install
  • Simple one-line install for most resources
  • Works in the cloud (AWS, Azure, Google Cloud) as well as on on-prem servers

Easy to implement
  • Use the organization feature to create tags on your resources
  • Create roles to define your member permissions (including filtering by tags)
  • Add members to your organization by email address

Easy to maintain: one central location for all of your resources

Easy to audit: logs are available for connections to your resources

You can manage this via a desktop UI or the GraphQL API, and you can roll it out gradually without needing to do a big switch.

Is your MySQL server exposed?

Use our tool to see if your MySQL server is exposed.
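A local check from the server itself is a useful complement to an external scan. The following is an added example, not the Remote.It tool referenced above: it parses the output of `ss -ltn` (a constructed sample is embedded; `run_ss()` runs the real command), finds every socket listening on 3306, and classifies the bound address as loopback, private, wildcard or public. A wildcard (`0.0.0.0` / `[::]`) or public bind is what an exposed server looks like from the inside, before any firewall in front of it is considered.

```python
"""Report MySQL listeners on this host and whether they are reachable from outside.

Added example, not Remote.It's exposure checker. Reads `ss -ltn` output, which
lists TCP listeners as 'addr:port' in the Local Address:Port column.
"""
import ipaddress
import subprocess

MYSQL_PORT = 3306

# Constructed `ss -ltn` sample: a safe loopback listener, an unrelated SSH
# listener, an IPv6 wildcard listener (exposed) and a private-interface listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       70      [::]:3306            [::]:*
LISTEN  0       128     10.0.0.5:3306        0.0.0.0:*
"""


def split_local_address(field):
    """Split ss's 'addr:port' into (address, port).

    Handles '[::]:3306' (IPv6 in brackets), '*:3306' (any address) and plain
    IPv4 'a.b.c.d:3306'. '*' and '' are normalised to the IPv4 wildcard.
    """
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]")
    if addr in ("*", ""):
        addr = "0.0.0.0"
    return addr, int(port)


def classify(addr):
    """Return 'loopback', 'wildcard', 'private' or 'public' for a bound address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface, IPv6 :: usually both stacks
        return "wildcard"
    if ip.is_private:
        return "private"
    return "public"


def find_mysql_listeners(ss_output, port=MYSQL_PORT):
    """Return [(address, classification)] for each LISTEN socket on `port`."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or something that is not a listener
        addr, bound_port = split_local_address(parts[3])
        if bound_port != port:
            continue
        findings.append((addr, classify(addr)))
    return findings


def is_exposed(findings):
    """Wildcard or public binds reach the internet unless a firewall in front of
    the host blocks them; private binds are reachable from the LAN/VPN only."""
    return any(kind in ("wildcard", "public") for _, kind in findings)


def run_ss():
    """Run the real `ss -ltn` on this host (Linux, iproute2)."""
    return subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    found = find_mysql_listeners(SAMPLE_SS_OUTPUT)
    for addr, kind in found:
        print(f"port {MYSQL_PORT} bound to {addr}: {kind}")
    print("EXPOSED" if is_exposed(found) else "not exposed at the socket level")
```

Replace `SAMPLE_SS_OUTPUT` with `run_ss()` to check a real host. A private-only result still deserves a look at who can reach that network, and a loopback-only result is the state the VPN and allow-list mitigations are trying to get you to.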

If your MySQL server is exposed, consider implementing the mitigations listed above. The recommendations can be used together. Remote.It accounts are free for up to 5 endpoints.

We support these popular cloud providers:

Have a self-hosted database? We support that as well, with options for Windows and Linux distributions. Learn more about Remote.It and get started.

If you have any questions, comment below or drop us a line at [email protected]

Read the full article Dev.to Is your MySQL server open to the public Internet?