MySQL: Is it a security risk to deactivate the setting "bind-address"?
The impact of commenting out the setting depends on the value bind-address was set to before.
Commenting out a setting is the same as setting it to the default value. The manual will show you the default value: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_bind-address
bind-address
Default Value: *
The manual also explains what that setting means and how it differs from using 0.0.0.0 :
If the address is *, the server accepts TCP/IP connections on all server host IPv4 interfaces, and, if the server host supports IPv6, on all IPv6 interfaces. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default. If the option specifies a list of multiple values, this value is not permitted.
If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces. If the option specifies a list of multiple values, this value is not permitted.
If your server is not secured with a firewall that restricts access to TCP port 3306 (the default port for MySQL) then using either * or 0.0.0.0 will accept incoming connections on all IPv4 addresses the server is configured with, as well as TCP connections on the loopback address 127.0.0.1/8 and * will additionally allow all incoming IPv6 traffic.
In general it is considered good security practice to only configure the minimum network access for services.
Both * and 0.0.0.0 are probably overly permissive in many situations, but for instance on a system that should allow remote MySQL access and has a single interface/IP address (e.g. 192.0.2.1) there would be no effective security difference between bind-address = 192.0.2.1, bind-address = 0.0.0.0 or bind-address = *.
On servers that don't need to allow remote MySQL access (the typical LAMP server) bind-address = ::ffff:127.0.0.1 would be recommended.
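An added example, not part of the answer above and not MySQL's own tooling: a small audit script that reads the [mysqld] section of a my.cnf fragment, applies the documented rule that a commented-out or absent bind-address means the default *, and classifies the effective value by how much of the host it exposes. It follows the manual's semantics for *, ::, 0.0.0.0 and the comma-separated list form; the two config fragments and the exposure labels are constructed for this illustration. Hostnames are labelled but not resolved, because the server resolves them at startup and this script runs offline.

```python
import ipaddress
import re

# Constructed sample my.cnf fragments (not from the original post).
PERMISSIVE_CNF = """\
[mysqld]
# bind-address = 127.0.0.1    <- commented out, so the default '*' applies
port = 3306
"""

HARDENED_CNF = """\
[mysqld]
bind-address = 127.0.0.1  # local clients only
port = 3306
"""

# Exposure labels ordered from least to most exposed (labels are our own).
_RANK = ["loopback-only", "single-address", "hostname",
         "all-interfaces-v4", "all-interfaces-v4-v6"]


def _classify_one(value):
    """Classify a single bind-address entry per the MySQL 8.0 manual."""
    value = value.strip()
    # MySQL also accepts an "address/namespace" form; drop the namespace part.
    value = value.split("/", 1)[0]
    if value in ("*", "::"):
        return "all-interfaces-v4-v6"
    if value == "0.0.0.0":
        return "all-interfaces-v4"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "hostname"  # resolved by the server at startup; not resolved here
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # e.g. ::ffff:127.0.0.1 -> 127.0.0.1
    return "loopback-only" if addr.is_loopback else "single-address"


def classify_bind_address(value):
    """Classify a bind-address value, including the comma-separated list form
    (MySQL 8.0.13+). The most exposed entry determines the result."""
    labels = [_classify_one(v) for v in value.split(",") if v.strip()]
    if not labels:
        raise ValueError("empty bind-address value")
    return max(labels, key=_RANK.index)


def mysqld_bind_address(cnf_text):
    """Return the effective bind-address from the [mysqld] section.

    A commented-out or absent setting means the documented default, '*'.
    """
    section = None
    value = "*"
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if not line or line.startswith(";"):  # ';' also starts a comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip().lower().replace("_", "-") == "bind-address":
            value = val.strip().strip("'\"")
    return value


def audit_mysqld(cnf_text):
    """Return (effective bind-address, exposure label) for a config fragment."""
    value = mysqld_bind_address(cnf_text)
    return value, classify_bind_address(value)


if __name__ == "__main__":
    for name, cnf in (("permissive", PERMISSIVE_CNF), ("hardened", HARDENED_CNF)):
        value, label = audit_mysqld(cnf)
        print(f"{name}: bind-address={value!r} -> {label}")
```

Run it against a real my.cnf by passing the file contents to audit_mysqld; anything other than loopback-only on a host that does not need remote MySQL access is worth a second look, and the check is only meaningful for the config file the running mysqld actually loads (include files and command-line overrides are not followed here).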