Locking Down MySQL to Local Connections Only
Goal: Stop MySQL/MariaDB from listening on all network interfaces, so it only accepts connections from the local server (127.0.0.1). This removes the WHM Security Advisor warning:
“The MySQL service is currently configured to listen on all interfaces: (bind-address=*)”
1️⃣ Check Current Bind Status
Before making changes, see what IP MySQL is bound to:
ss -ltnp | grep 3306
- If you see 0.0.0.0:3306 or your server’s public IP → it’s open to the world.
- If you see 127.0.0.1:3306 → it’s already local‑only.
2️⃣ Edit the MySQL Config
Open the main config file:
nano /etc/my.cnf
Inside the [mysqld] section, add:
bind-address = 127.0.0.1
Example final block:
[mysqld]
log-error=/var/lib/mysql/116-202-212-152.cprapid.com.err
performance-schema=0
innodb_buffer_pool_size=134217728
max_allowed_packet=268435456
open_files_limit=40000
innodb_file_per_table=1
plugin-load-add=auth_socket.so
unix_socket=OFF
bind-address = 127.0.0.1
Save and exit (Ctrl+O, Enter, Ctrl+X).
3️⃣ Restart MySQL/MariaDB
systemctl restart mysqld
(On some systems it may be systemctl restart mariadb)
4️⃣ Verify the Change
Run:
ss -ltnp | grep 3306
Expected output:
LISTEN 0 80 127.0.0.1:3306 ...
✅ No 0.0.0.0 means remote access is blocked at the network layer.
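The check from steps 1 and 4 as a script, added here as an example (it is not part of the original guide): it classifies the listeners for one port in `ss -ltn` output and also catches the `[::]` and `*` wildcard forms, which do not contain 0.0.0.0. The function name `mysql_bind_status` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -ltn` output on stdin and prints one of:
#   local-only | exposed | not-listening
# Live use: ss -ltn | mysql_bind_status 3306
mysql_bind_status() {
    awk -v port="${1:-3306}" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            # Only 127.0.0.0/8 and ::1 count as loopback; 0.0.0.0, *, [::]
            # and any routable address mean the port is reachable remotely.
            if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1") exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "local-only"
        }'
}

# Constructed sample inputs (not captured from a real server).
HDR='State  Recv-Q Send-Q Local Address:Port Peer Address:Port'
SAMPLE_LOCAL="$HDR
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*"
SAMPLE_ALL_V4="$HDR
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*"
# Two listeners on the port: one loopback, one IPv6 wildcard.
SAMPLE_MIXED="$HDR
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      80     [::]:3306          [::]:*"
SAMPLE_STAR="$HDR
LISTEN 0      80     *:3306             *:*"
SAMPLE_NONE="$HDR
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*"

for name in LOCAL ALL_V4 MIXED STAR NONE; do
    eval "data=\$SAMPLE_$name"
    printf '%-7s %s\n' "$name" "$(printf '%s\n' "$data" | mysql_bind_status 3306)"
done
```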
5️⃣ Test Local Login
mysql -u root -p
6️⃣ Optional: Test Remote Block
From another machine:
mysql -h your.server.ip -u root -p
You should get:
ERROR 2003 (HY000): Can't connect to MySQL server on 'your.server.ip'
🔄 Rollback Plan (If Remote Access Needed Later)
- Edit /etc/my.cnf again.
- Remove or comment out the bind-address line:
# bind-address = 127.0.0.1
- Restart MySQL:
systemctl restart mysqld
- Use firewall rules to allow only trusted IPs.
📌 Notes for Future You
- WHM’s Security Advisor will re-check automatically and clear the warning.
- This change is update-safe — MySQL upgrades won’t overwrite /etc/my.cnf.
- If you ever migrate, remember to reapply this setting before going live.
📋 WHM Security Advisor — MySQL Bind Address Warning
State | WHM Message (verbatim) | Meaning |
---|---|---|
Before fix | The MySQL service is currently configured to listen on all interfaces: (bind-address=*) | MySQL was accepting connections on all network interfaces, which can be a security risk if remote access isn’t required. |
After fix | MySQL is listening only on a local address. | MySQL now only accepts connections from localhost (127.0.0.1), closing off external access unless explicitly allowed. |
✅ Fix Confirmed — MySQL Now Locked Down
Your server’s MySQL service is now listening only on localhost, eliminating unnecessary external exposure. This change reduces attack surface, improves security posture, and aligns with MegaHost’s best‑practice hardening standards.
We’ve verified the change in WHM Security Advisor — the previous warning is gone, replaced with a clean bill of health. You’re now running with a tighter, safer configuration, without affecting your site’s normal operation.