EyesOfNetworkCommunity / eonweb

EyesOfNetwork web interface

MySQL security #62

Closed IPv777 closed 3 years ago

IPv777 commented 4 years ago

Hello,

For security reasons:

Thanks

davoult commented 4 years ago

Hello,

By default all SQL Users can only connect from 127.0.0.1:

```
MariaDB [(none)]> SELECT Host,User FROM mysql.user;
+-----------------------+-------------+
| Host                  | User        |
+-----------------------+-------------+
| 127.0.0.1             | root        |
| ::1                   | root        |
| localhost             |             |
| localhost             | cacti       |
| localhost             | eonweb      |
| localhost             | gedadmin    |
| localhost             | lilac       |
| localhost             | notifierSQL |
| localhost             | root        |
| localhost.localdomain |             |
| localhost.localdomain | root        |
+-----------------------+-------------+
11 rows in set (0.00 sec)
```

IPv777 commented 4 years ago

OK for the weak password; it can be OK if only localhost can connect with it.

But why listen on 0.0.0.0:3306? It's an unnecessary risk 🤔

Could you consider adding `bind-address = 127.0.0.1` in the `[mysqld]` block of `/etc/my.cnf`? Then `service mariadb restart` and `netstat -tulpn | grep LISTEN` to check. I tested on my EoN: it's OK.

Julien1498 commented 3 years ago

Thanks for your reply, it will be added in a next update.
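
The check proposed in this thread can be scripted. The following is an added example, not part of the original issue or of eonweb: it reads the `bind-address` set in `[mysqld]` and flags port 3306 listeners that are not on loopback. The function names and all sample inputs are constructed, and the parser assumes the `netstat -tulpn` column layout.

```shell
#!/bin/sh
# Added example, not eonweb code. Sample inputs below are constructed.

# Read a my.cnf-style file on stdin; print the last bind-address set in
# [mysqld] (nothing if absent). Commented-out lines and other sections are ignored.
mysqld_bind_address() {
  awk '
    /^[ \t]*\[/ { in_sect = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    in_sect && /^[ \t]*bind[-_]address[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); val = $0
    }
    END { if (val != "") print val }'
}

# Read `netstat -tulpn` output on stdin; print every TCP LISTEN socket on the
# given port (default 3306) whose local address is not loopback.
exposed_listeners() {
  awk -v port="${1:-3306}" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      p = $4; sub(/.*:/, "", p)                      # port: text after last ":"
      host = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && host !~ /^127\./ && host != "::1") print $4
    }'
}

SAMPLE_CNF='[client]
bind-address = 10.0.0.5
[mysqld]
datadir=/var/lib/mysql
#bind-address = 0.0.0.0
bind-address = 127.0.0.1   # loopback only
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log'

NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
tcp   0  0 0.0.0.0:3306    0.0.0.0:*  LISTEN  1201/mysqld
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  980/sshd
tcp6  0  0 :::3306         :::*       LISTEN  1201/mysqld'

NETSTAT_AFTER='Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
tcp   0  0 127.0.0.1:3306  0.0.0.0:*  LISTEN  1201/mysqld
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  980/sshd'

echo "bind-address in [mysqld]: $(printf '%s\n' "$SAMPLE_CNF" | mysqld_bind_address)"
echo "exposed before: $(printf '%s\n' "$NETSTAT_BEFORE" | exposed_listeners 3306 | tr '\n' ' ')"
echo "exposed after:  $(printf '%s\n' "$NETSTAT_AFTER" | exposed_listeners 3306 | tr '\n' ' ')"
```

On a live host, feed the functions real input, for example `mysqld_bind_address < /etc/my.cnf` and `netstat -tulpn | exposed_listeners 3306`; an empty result from the second means nothing on that port is reachable from off the box.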