
Change port MySQL server..

  • 03-02-2009 9:18am
    #1
    Registered Users Posts: 2,234 ✭✭✭


    Hey,

    I've just lost the best part of two of my life that I will never get back :mad:

    I was fiddling around with wamp server trying to change the default port for MySQL from 3306..

    Anytime I change My.ini port to something other than 3306
    And also change the client's connection string to the other port everything breaks..firewall is set ok, but it's even a local problem (can't connect to mysql from command line)

    I usually use the instance configuration wizard but with wampserver the install is different and it can't find my-template.cnf (does anybody know where this is?)

    It's not the end of the world but on my real server the port is different which means if I can't change the dev server port I will have to edit code when putting apps live..

    Thanks for any advice..


Comments

  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    To start with the simplest of things, you did take the "#" out of the port=3306 line yes?

    Also: http://bitnami.org/forums/forums/10/topics/724


  • Registered Users Posts: 2,234 ✭✭✭techguy


    The line wasn't commented in the first place..

    I find this pretty odd because all works well when it's at 3306 but when I change it to something else it stops working, meaning I'm editing the correct field but the new port isn't working.

    My firewall is set to allow the new port through.

    Is there actually a need to change the port for security reasons? I was just thinking this would make things more secure, will it?? Am I just fooling around here?!


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    The port shouldn't be open to the outside world as passwords can be bruteforced then. No need to change the number though


  • Registered Users Posts: 2,234 ✭✭✭techguy


    That makes sense when using it for web applications when the webserver is local too but what about when I make a Java program to connect to the DB, I just have the mysql port forwarded on my router..is this bad? What other ways can I do it?


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    Do you mean setting up port forwarding so you can access it from outside your local network? You can access it from within the local network without port forwarding.

    The reason they tell you to change the port is that there is a possibility of someone trying to bruteforce your user/pass or exploit vulnerabilities in MySQL. If your MySQL is reasonably up to date, you don't have the root account enabled and your password isn't something dumb like '12345' you have nothing to worry about ;) It's good experience learning to secure it anyway.


  • Registered Users Posts: 2,234 ✭✭✭techguy


    Yes I mean to be able to access it from the internet.

    So let me get this straight, keep mysql up to date and disable root account to keep more secure?

    That's interesting because I use root for everything..! Should I just drop root and create another user with all privileges, the same as the root and just use that instead?

    What's to stop the hacker from getting a list of users (there won't be many on my server) and trying them..? Is there a way to limit the number of password attempts in one hour? like queries per hour?

    Would you recommend changing the port number or not? Does it not add another layer of security?

    EDIT: Should I allow my phpmyadmin site be accessed from the internet or just the local machine or lan? I noticed it was restricted to local computer on WAMPserver

    I seem to be asking a lot of newbie questions here regarding security, I'm going to go google some guides now. Any links would be appreciated, thanks.


  • Registered Users Posts: 26,579 ✭✭✭✭Creamy Goodness


    It's good practice to use root account be it for mysql or a unix user account to do root only activities i.e. Add/delete user. In mysql - or any db really - it's good to have a new user for every application you create and limit their access purely to the database connected to that application.

    Only allow your phpmyadmin login page to be accessed from the web if you need it to be; if you don't need to access it from outside the network then don't.


  • Registered Users Posts: 2,234 ✭✭✭techguy


    Creamy Goodness wrote: »
    It's good practice to use root account be it for mysql or a unix user account to do root only activities i.e. Add/delete user. In mysql - or any db really - it's good to have a new user for every application you create and limit their access purely to the database connected to that application.

    Only allow your phpmyadmin login page to be accessed from the web if you need it to be; if you don't need to access it from outside the network then don't.

    I'm going to try and go along those lines so..thanks!


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    techguy wrote: »
    Yes I mean to be able to access it from the internet.

    So let me get this straight, keep mysql up to date and disable root account to keep more secure?

    I'd take a fair guess that if someone was going to try and brute-force your server they'd start with root/root root/admin root/12345 etc. A brute forcer is easy to cook up: http://www.securiteam.com/tools/5YP0H0A40O.html . You can enable phpMyAdmin if you want, though if you have the MySQL port open you can use a free client called MySQL-Front that may be more to your liking.

    Note that the MySQL server isn't accessed directly by the user, only by the PHP interpreter, so it doesn't need to be visible from outside for your website to work. Just in case that's what you were thinking.

    techguy wrote: »
    That's interesting because I use root for everything..! Should I just drop root and create another user with all privileges, the same as the root and just use that instead?

    What's to stop the hacker from getting a list of users (there won't be many on my server) and trying them..? Is there a way to limit the number of password attempts in one hour? like queries per hour?

    Your application can be vulnerable to SQL injection attacks, get hacked as root and the damage is much worse, get hacked as a normal user and you're alright.

    AFAIK there's no easy way to get a list of users on the server if you're an attacker, unless perhaps you have an account on the server.

    techguy wrote: »
    Would you recommend changing the port number or not? Does it not add another layer of security?

    In a way it may defend against bots scanning for vulnerable versions of MySQL. For a real user, a simple port scan with nmap will get your MySQL port anyway. Long story short: Very unlikely it will make a difference to your security

    http://www.securityfocus.com/infocus/1726
    http://www.devshed.com/c/a/MySQL/MySQL-Security-Overview/
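
The advice in the replies above (one account per application limited to its own database, root kept for administration only, and techguy's question about limiting password attempts) can be written as the following SQL. This is an added example, not code from anyone in the thread. It assumes MySQL 8.0.19 or later, which is what provides the failed-login lockout clause; the schema `shop`, the account names, the address 203.0.113.10 and the passwords are placeholders.

```sql
-- Added example. Run while connected as an administrative account.
-- Assumption: MySQL 8.0.19+; all names, addresses and passwords are placeholders.

-- 1. Web application account: usable only from the server itself, and
--    locked for 1 day after 5 consecutive wrong passwords.
CREATE USER 'shop_app'@'localhost'
  IDENTIFIED BY 'replace-with-long-random-password-1'
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Only data privileges, only on the application's own schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'localhost';

-- 2. Remote desktop client (the Java program case): a separate read-only
--    account tied to one source address, TLS required, connection rate capped.
CREATE USER 'shop_report'@'203.0.113.10'
  IDENTIFIED BY 'replace-with-long-random-password-2'
  REQUIRE SSL
  WITH MAX_CONNECTIONS_PER_HOUR 60
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

GRANT SELECT ON shop.* TO 'shop_report'@'203.0.113.10';

-- 3. Confirm what each account can actually do.
SHOW GRANTS FOR 'shop_app'@'localhost';
SHOW GRANTS FOR 'shop_report'@'203.0.113.10';

-- 4. Review list: accounts reachable from any host, and accounts holding
--    server-wide administrative privileges. Built-in mysql.* system accounts
--    may appear here; root should show only with host 'localhost'.
SELECT user, host, Super_priv, Grant_priv
FROM mysql.user
WHERE host = '%'
   OR Super_priv = 'Y'
   OR Grant_priv = 'Y'
ORDER BY user, host;

-- 5. Show which port and interface the server is listening on. When no
--    remote client needs the database, 127.0.0.1 as bind_address keeps the
--    port off the network whatever its number is.
SELECT @@port AS listening_port, @@bind_address AS bind_address;
```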

