Topic: 3306 open?

[jameswilson]

Was just doing some random tests on my 11 b and noticed port 3306 appears to be open. Have i done something wrong?

[sages]

tcp and/or udp?  3306 used by mysql (or mariadb)
open to where? internet, private network?
server only, server gateway?
we don't know what you have or haven't done
more clues could narrow the hunt for answers

[Gary Douglas]

could be mariadb is set; LocalNetworkingOnly=no

https://wiki.koozali.org/MySQL#Access_MariaDB.2FMySQL_using_port_from_the_localhost_and_local_network

[jameswilson]

tcp and/or udp?  3306 used by mysql (or mariadb)
open to where? internet, private network?
server only, server gateway?
we don't know what you have or haven't done
more clues could narrow the hunt for answers

I havnt chnaged the localnetworking option or added any other mysqls.
Server gateway open on tcp on the internet

Discovered ip and port:

81.143.33.107 (25, 80, 143, 443, 465, 556, 587, 993, 3306)

[ReetP]

Pretty sure it shouldn't be open by default.

Setting LocalNetworking is only to use a local port instead of a socket.

It shouldn't enable it publicly.

What does this show?

Code: [Select]

config show mariadb
Also

Code: [Select]

grep 3306 /etc/rc.d/init.d/masq
Also what is 556 and why is it open?

[ReetP]

FWIW I just tested on my v11 box in s/g

nmap -p 3306 www.myserver.com

Starting Nmap 7.92 ( https://nmap.org ) at 2026-03-26 00:23
CET
Nmap scan report for www.reetspetit.com (212.83.164.72)
Host is up (0.035s latency).

PORT     STATE    SERVICE
3306/tcp filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

So it is closed my default.

Need to see the previously requested data.

[jameswilson]

Hi Reetp

Pretty sure it shouldn't be open by default.

Setting LocalNetworking is only to use a local port instead of a socket.

It shouldn't enable it publicly.

What does this show?

Code: [Select]

config show mariadb
Also

Code: [Select]

grep 3306 /etc/rc.d/init.d/masq
Also what is 556 and why is it open?

Code: [Select]

[root@smebox ~]# config show mariadb
mariadb=service
    LocalNetworkingOnly=no
    TCPPort=3306
    access=public
    status=enabled
[root@smebox ~]#

556 is an rtsp port forward to allow my home assitant to see work cameras at home

Code: [Select]

[root@smebox ~]# grep 3306 /etc/rc.d/init.d/masq
    # mariadb: TCPPorts: 3306, AllowHosts: 0.0.0.0/0, DenyHosts:
    /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 3306 \
[root@smebox ~]#


[jameswilson]

I can see that public access is turned on. Im guessing this is what needs to be turned off?

I have added phpmyadmin but dont need access to the database on a port number for anything iirc

[ReetP]

I can see that public access is turned on. Im guessing this is what needs to be turned off?

Absolutely. Immediately. That is non standard and self-inflicted.

[jameswilson]

Absolutely. Immediately. That is non standard and self-inflicted.

I wonder if this was restored from the backup / restore and i enabled this on the previous server without understanding what i was doing back then?

Is the command needed this

Code: [Select]

config set mariadb service access private status enabled TCPPort 3306


[ReetP]

I wonder if this was restored from the backup / restore and i enabled this on the previous server without understanding what i was doing back then?

Sounds about right 

Just this either - set it private or remove the key altogether. If the firewall template sees it public it will open a port.

Code: [Select]

config setprop mariadb access private

or

Code: [Select]

config delprop mariadb access

And then

Code: [Select]

signal-event remoteaccess-update

Argument to be had that it should have a TCPPort property, and need both 'public' AND 'port' correctly set to be open - some may have an obscure reason for doing so.

[jameswilson]

Super Thankyou very Much!

[ReetP]

Super Thankyou very Much!

NP - note the slight modification I made above. Remove the incorrect word 'service'

Don't do it again

[Jean-Philippe Pialasse]

default is no network port is used.
default is TCPPort empty
default is access empty meaning localhost only

 
so default is only localhost unix socket used.
so you both enabled usage of port and set public access at one point. 

config delprop mariadb TCPPort access

unless you know you have something only able to access with tcp port to mysql and unable to access to unix socket, you should also do

config setprop mariadb LocalNetworkingOnly yes

the
signal-event smeserver-mysql-update

[jameswilson]

I obviously did it on the old server and that setting was restored from the backup

Is there any way to check if any settings are different from default?

[Jean-Philippe Pialasse]

no easy way. 
but it would be a nice nfr for audittools

[jameswilson]

ok thanks

[ReetP]

no easy way. 
but it would be a nice nfr for audittools

ok thanks

You can open one.....