2.9 Ensure MySQL is Bound to an IP Address

Information

By default, the MySQL server accepts TCP/IP connections from MySQL user accounts on all server host IPv6 and IPv4 interfaces. You can make this configuration more restrictive by setting the bind_address configuration option to a specific IPv4 or IPv6 address so that the server only accepts TCP/IP connections on that address.

Rationale:

Limiting the IP address provides additional controls and restrictions on how client applications can connect to MySQL. If not configured to a specific IP all IPs for this server can be used to connect to MySQL.

Solution

For example, to have the MySQL server only accept connections on a specific IPv4 address, add an entry similar to this under the [mysqld] option group in the MySQL /etc/my.cnf:

bind_address=192.0.2.24

In this case, clients can connect to the server using --host=192.0.2.24. Connections on other server host addresses are not permitted.

Default Value:

*

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: PLANNING, SYSTEM AND SERVICES ACQUISITION

References: 800-53|PL-8, 800-53|SA-8

Plugin: MySQLDB

Control ID: ce543741ea00735375eb7b813de630b233e3ca0d1f2ef45f22ff642d9d8b49c6