MySQL: Is it a security risk to deactivate the setting “bind-address”?












3















I have had a problem with a webapp connecting properly to a MySQL server and to solve it i tried to comment out the setting bind-address in the file my.ini.



That seemed to solve the problem, however i was wondering if that is a nogo regarding security. Is that a proper setting for a production environment which of course is access restricted by user/password? And what is the difference between commenting it out and setting it to bind-address=0.0.0.0?










share|improve this question



























    3















    I have had a problem with a webapp connecting properly to a MySQL server and to solve it i tried to comment out the setting bind-address in the file my.ini.



    That seemed to solve the problem, however i was wondering if that is a nogo regarding security. Is that a proper setting for a production environment which of course is access restricted by user/password? And what is the difference between commenting it out and setting it to bind-address=0.0.0.0?










    share|improve this question

























      3












      3








      3








      I have had a problem with a webapp connecting properly to a MySQL server and to solve it i tried to comment out the setting bind-address in the file my.ini.



      That seemed to solve the problem, however i was wondering if that is a nogo regarding security. Is that a proper setting for a production environment which of course is access restricted by user/password? And what is the difference between commenting it out and setting it to bind-address=0.0.0.0?










      share|improve this question














      I have had a problem with a webapp connecting properly to a MySQL server and to solve it i tried to comment out the setting bind-address in the file my.ini.



      That seemed to solve the problem, however i was wondering if that is a nogo regarding security. Is that a proper setting for a production environment which of course is access restricted by user/password? And what is the difference between commenting it out and setting it to bind-address=0.0.0.0?







      mysql security database






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 20 at 9:08









      flixeflixe

      1183




      1183






















          2 Answers
          2






          active

          oldest

          votes


















          4














          The impact of commenting out the setting depends on the value bind-address was set to before.



          Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address




          bind-address

          Default Value:
          *




          The manual also explains what that setting means and how it differs from using 0.0.0.0 :




          If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.



          If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.




          If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.



          In general it is considered good security practice to only configure the minimum network access for services.

          Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1 or bind-address = 0.0.0.0 or bind-address = *

          On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.






          share|improve this answer





















          • 1





            if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

            – Ferrybig
            Feb 20 at 12:29











          • Which, of course, is every modern operating system that is still supported by its vendor.

            – Michael Hampton
            Feb 20 at 13:14





















          1














          Talking about security, exposing your data to the world is never a nice choice.



          Talking about how to avoid what you did, if your MySQL running on Linux and you have SSH access you can configure a tunnel and no need to expose MySQL to the world.



          Here an example:



          ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 
          -i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60
          -o ServerAliveCountMax=1
          youruser@yourhost.com -L 3306:127.0.0.1:3306


          In this way, you connect your GUI, or whatever APP you need to connect, to IP 127.0.0.1 port 3306 and it's done.



          If you don't want to use the command line, you can set up most of the GUI to connect your MySQL through SSH tunnel



          Last, if you commenting out bind-address=0.0.0.0 let your mysql listen connections through all IP addresses, not only on localhost (127.0.0.1)






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "2"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f954848%2fmysql-is-it-a-security-risk-to-deactivate-the-setting-bind-address%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            The impact of commenting out the setting depends on the value bind-address was set to before.



            Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address




            bind-address

            Default Value:
            *




            The manual also explains what that setting means and how it differs from using 0.0.0.0 :




            If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.



            If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.




            If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.



            In general it is considered good security practice to only configure the minimum network access for services.

            Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1 or bind-address = 0.0.0.0 or bind-address = *

            On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.






            share|improve this answer





















            • 1





              if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

              – Ferrybig
              Feb 20 at 12:29











            • Which, of course, is every modern operating system that is still supported by its vendor.

              – Michael Hampton
              Feb 20 at 13:14


















            4














            The impact of commenting out the setting depends on the value bind-address was set to before.



            Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address




            bind-address

            Default Value:
            *




            The manual also explains what that setting means and how it differs from using 0.0.0.0 :




            If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.



            If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.




            If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.



            In general it is considered good security practice to only configure the minimum network access for services.

            Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1 or bind-address = 0.0.0.0 or bind-address = *

            On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.






            share|improve this answer





















            • 1





              if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

              – Ferrybig
              Feb 20 at 12:29











            • Which, of course, is every modern operating system that is still supported by its vendor.

              – Michael Hampton
              Feb 20 at 13:14
















            4












            4








            4







            The impact of commenting out the setting depends on the value bind-address was set to before.



            Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address




            bind-address

            Default Value:
            *




            The manual also explains what that setting means and how it differs from using 0.0.0.0 :




            If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.



            If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.




            If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.



            In general it is considered good security practice to only configure the minimum network access for services.

            Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1 or bind-address = 0.0.0.0 or bind-address = *

            On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.






            share|improve this answer















            The impact of commenting out the setting depends on the value bind-address was set to before.



            Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address




            bind-address

            Default Value:
            *




            The manual also explains what that setting means and how it differs from using 0.0.0.0 :




            If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.



            If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.




            If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.



            In general it is considered good security practice to only configure the minimum network access for services.

            Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access with a single interface/ip-address (i.e. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1 or bind-address = 0.0.0.0 or bind-address = *

            On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Feb 20 at 10:58

























            answered Feb 20 at 10:46









            HBruijnHBruijn

            55k1087149




            55k1087149








            • 1





              if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

              – Ferrybig
              Feb 20 at 12:29











            • Which, of course, is every modern operating system that is still supported by its vendor.

              – Michael Hampton
              Feb 20 at 13:14
















            • 1





              if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

              – Ferrybig
              Feb 20 at 12:29











            • Which, of course, is every modern operating system that is still supported by its vendor.

              – Michael Hampton
              Feb 20 at 13:14










            1




            1





            if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

            – Ferrybig
            Feb 20 at 12:29





            if bind-address is set to 0.0.0.0, applications using localhost might fail if they resolve it to the ipv6 localhost ::1

            – Ferrybig
            Feb 20 at 12:29













            Which, of course, is every modern operating system that is still supported by its vendor.

            – Michael Hampton
            Feb 20 at 13:14







            Which, of course, is every modern operating system that is still supported by its vendor.

            – Michael Hampton
            Feb 20 at 13:14















            1














            Talking about security, exposing your data to the world is never a nice choice.



            Talking about how to avoid what you did, if your MySQL running on Linux and you have SSH access you can configure a tunnel and no need to expose MySQL to the world.



            Here an example:



            ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 
            -i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60
            -o ServerAliveCountMax=1
            youruser@yourhost.com -L 3306:127.0.0.1:3306


            In this way, you connect your GUI, or whatever APP you need to connect, to IP 127.0.0.1 port 3306 and it's done.



            If you don't want to use the command line, you can set up most of the GUI to connect your MySQL through SSH tunnel



            Last, if you commenting out bind-address=0.0.0.0 let your mysql listen connections through all IP addresses, not only on localhost (127.0.0.1)






            share|improve this answer




























              1














              Talking about security, exposing your data to the world is never a nice choice.



              Talking about how to avoid what you did, if your MySQL running on Linux and you have SSH access you can configure a tunnel and no need to expose MySQL to the world.



              Here an example:



              ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 
              -i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60
              -o ServerAliveCountMax=1
              youruser@yourhost.com -L 3306:127.0.0.1:3306


              In this way, you connect your GUI, or whatever APP you need to connect, to IP 127.0.0.1 port 3306 and it's done.



              If you don't want to use the command line, you can set up most of the GUI to connect your MySQL through SSH tunnel



              Last, if you commenting out bind-address=0.0.0.0 let your mysql listen connections through all IP addresses, not only on localhost (127.0.0.1)






              share|improve this answer


























                1












                1








                1







                Talking about security, exposing your data to the world is never a nice choice.



                Talking about how to avoid what you did, if your MySQL running on Linux and you have SSH access you can configure a tunnel and no need to expose MySQL to the world.



                Here an example:



                ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 
                -i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60
                -o ServerAliveCountMax=1
                youruser@yourhost.com -L 3306:127.0.0.1:3306


                In this way, you connect your GUI, or whatever APP you need to connect, to IP 127.0.0.1 port 3306 and it's done.



                If you don't want to use the command line, you can set up most of the GUI to connect your MySQL through SSH tunnel



                Last, if you commenting out bind-address=0.0.0.0 let your mysql listen connections through all IP addresses, not only on localhost (127.0.0.1)






                share|improve this answer













                Talking about security, exposing your data to the world is never a nice choice.



                Talking about how to avoid what you did, if your MySQL running on Linux and you have SSH access you can configure a tunnel and no need to expose MySQL to the world.



                Here an example:



                ssh -v -N -o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o NumberOfPasswordPrompts=3 
                -i ~/.ssh/yourkey.pem -o TCPKeepAlive=no -o ServerAliveInterval=60
                -o ServerAliveCountMax=1
                youruser@yourhost.com -L 3306:127.0.0.1:3306


                In this way, you connect your GUI, or whatever APP you need to connect, to IP 127.0.0.1 port 3306 and it's done.



                If you don't want to use the command line, you can set up most of the GUI to connect your MySQL through SSH tunnel



                Last, if you commenting out bind-address=0.0.0.0 let your mysql listen connections through all IP addresses, not only on localhost (127.0.0.1)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Feb 20 at 9:32









                fromthestonefromthestone

                18014




                18014






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f954848%2fmysql-is-it-a-security-risk-to-deactivate-the-setting-bind-address%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?