When viewing my website from port 3306, I see some weird MySQL info

I see two options here:

Local Access Only

Configure MySQL Server to only listen on TCP port 3306 on 127.0.0.1 (localhost). This way an internal web server can still communicate with the database server.

Directly connecting to the database server is no longer available, but this can be solved by SSH tunneling (as described in mk444's answer).

This can be achieved by editing the my.cnf file. Search for "listen"; most likely it is set to something like:

listen 0.0.0.0:3306

This should be changed to:

listen 127.0.0.1:3306

Don't forget to restart the MySQL server before changes take effect.

Restricted Remote Access

Another option is to keep the configuration the way it is and use iptables to block all incoming connections to TCP port 3306 with the exception of your (home) IP address.

Both options will work; however, from experience I know that iptables-persistent is often not used, meaning that if your web / database server reboots, the iptables rule set gets lost and TCP port 3306 is wide open to the outside world again.
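
One way to confirm which address the MySQL port is actually bound to after a restart or reboot, as an added example that is not part of the original answer. It parses the output of `ss -H -ltn`; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress
import sys

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0      151          0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      70         127.0.0.1:33060      0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      128             [::]:22            [::]:*
"""


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards and other hosts are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or anything that is not a literal address
        return False


def exposed_listeners(ss_output, port=3306):
    """Return local addresses listening on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or unrelated output
        local = fields[3]
        host, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or int(port_text) != port:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        if not is_loopback(host):
            findings.append(local)
    return findings


if __name__ == "__main__":
    # Pipe real output in (ss -H -ltn | python3 check.py) or run on the sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for addr in exposed_listeners(text):
        print("MySQL port bound beyond localhost:", addr)
```

This reports the socket binding only, not firewall filtering: with the iptables option the port stays bound to all interfaces and will be listed even while the rules are in place.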


If it's not required then definitely remove that service. It's a possible entry point for attackers and you can see the MySQL version number. The first thing that comes to mind is performing some Nmap scans, vuln-scans, mysql-brute, etc...

If you need to use this service there are some good answers in this serverfault post: https://serverfault.com/questions/283172/is-it-safe-to-open-port-3306-in-firewall-for-external-mysql-connection

An alternative solution is to create an SSH tunnel from your machine so that you can connect locally. Here's a good article on how you can create an SSH tunnel with MySQL: http://www.howtogeek.com/howto/ubuntu/access-your-mysql-server-remotely-over-ssh/