Locking down 3306 but allowing cPanel MySQL Allowed IP's

[ryanarvixe]

It's vital that we offer 3306 remote connection as a shared hosting provider, but at the same time, we expose ourselves to constant attacks which seem to have intensified recently.

As per forums.cpanel-net/f354/do-you-allow-remote-mysql-access-157645.html (renamed forums.cpanel-net as the forum wouldn't let me post links)

Adding:

Code: Select all

mysql mysql -e "select Host,User from user where Host!='localhost' group by Host;" | awk {'print "tcp:in:d=3306:s=" $1 "\t# " $2'} | sed "s/\%//g" | egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -v "127.0.0.1" | sort | uniq

To the /etc/csf/csf.allow was some how suppose to only allow X IP's to hit 3306 port based on my reading of it. Doesn't seem to work as I am still able to hit port 3306 remotely, from all locations. Is there any effective way to do what was being described and only allow X IP's to hit 3306.

[ryanarvixe]

Well, I realized why 3306 was still open, it was because of the 3000:3500 wild card in our config. I changed that to 3000:3305,3307:3500. The port is now properly closed, but that line still doesn't allow the IP that I allowed via the cPanel interface into cPanel, even after a restart. Thoughts?

[ryanarvixe]

I can confirm that taking the output of the command and dropping it directly into csf.allow works. I was just wondering if there is a supported way of having this running in csf instead of via an external means, and a way that doesn't require a csf -r every minute or two if I have to pipe the output to csf.allow manually.

mysql mysql -e "select Host,User from user where Host!='localhost' group by Host;" | awk {'print "tcp:in:d=3306:s=" $1 "\t# " $2'} | sed "s/\%//g" | egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -v "127.0.0.1" | sort | uniq
tcp:in:d=3306:s=174.103.119.245 # stats

Thanks!

[SoftDux]

Does that script still work on your servers?