4.1. Securing MySQL

Because you are using MySQL to authenticate users, you need to restrict network access to port 3306.

The easiest way is to only bind MySQL to the loopback interface 127.0.0.1. This makes sure nobody can connect to your MySQL daemon via the network.

Edit /etc/init.d/mysql.server and change line 107 as following:

Original line:

$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file&

Changed line:

$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file \
--bind-address=127.0.0.1&

Restart your MySQL daemon by issuing the command/etc/init.d/mysql.server start

To ensure the configuration change was successful, netstat -an|grep LISTEN. The Output should be looking similar to this:

bond:~ # netstat -an|grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN

4.2. Setting up rinetd

This step is only necessary if you run the MySQL sever on host other than the mail server. This allows you to securely connect from another host since access is allowed only from pre-defined IP addresses.

The example used is from the view of the host serving the MySQL database. Lets assume your mail server has the IP 192.168.0.100 and the MySQL host has 192.168.0.200

Edit /etc/rinetd.conf and add:

192.168.0.200 3306 127.0.0.1 3306
allow 192.168.0.100

This means: The MySQL host is listening on 192.168.0.200 port 3306. If 192.168.0.100 attempts a connection, it is forwarded to 127.0.0.1:3306. All other hosts are rejected.