The correct way to lock down external access to MySQL is with the bind-address directive in /etc/mysql.cnf, as described by daisy. You can't usefully stop someone with a valid MySQL account from logging in locally (but note that a UNIX account does not imply a MySQL account; they are distinct from each other).

I'm going to answer the other part of your question:

I assume I should lock some extra ports besides 3306. Is that correct?

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,9000"

At the moment your csf.conf file sets your firewall to allow in so many services it's hardly worth using.

  • 20 - FTP data (why are you allowing FTP over the Internet at all?)
  • 21 - FTP command (ditto)
  • 22 - SSH (this is good but ensure your accounts are locked down tight; consider disabling all non-certificate logins)
  • 25 - SMTP inbound (are you really running an incoming mail server?)
  • 53 - DNS (are you really running public DNS?)
  • 80 - HTTP (are you running a web server?)
  • 110 - POP3 (obsolete protocol; if you are running a mail server consider IMAPS on 993 instead)
  • 143 - IMAP (insecure; use IMAPS on 993 instead)
  • 443 - HTTPS (are you running a web server?)
  • 465 - SMTPS (are you really running a public mail server?)
  • 587 - SMTP-MSA (ditto)
  • 993 - IMAPS (only if you are receiving mail messages on this server for reading)
  • 995 - POP3S (secure but still obsolete)
  • 9000 - who knows

If you don't offer a service then don't allow it in. POP3, IMAP and POP3S should all be switched off in favour of IMAPS (if at all). Don't offer SMTP* unless you really are running a mail server that needs to receive emails from the Internet. Don't run FTP. Use SSH for file transfer instead.

If you want to use MySQL Workbench on a different system you can still have MySQL set to permit only local connections by running a forwarder across ssh. I do this for a couple of my servers:

ssh -nf -L localhost:3306:localhost:3306 ADDRESS_OF_REMOTE_SYSTEM sleep 60
# Using Workbench, now connect to MySQL seemingly on the local machine
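To check a TCP_IN list like the one above against what the host actually serves, here is an added shell example (not from the answer, and not part of CSF). It assumes `ss -ltn` output in the column layout shown; the csf.conf fragment and the `ss` listings are constructed sample input.

```shell
#!/bin/sh
# Constructed sample of the TCP_IN line from csf.conf (the list quoted in the answer).
SAMPLE_CSF_CONF='# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,9000"'

# Constructed sample of `ss -ltn` output: sshd and a web server listen publicly,
# mysqld is bound to loopback only (bind-address = 127.0.0.1).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*'

# Same host, but with mysqld also bound to all interfaces (the setting to avoid).
SAMPLE_SS_MYSQL_PUBLIC="$SAMPLE_SS_OUTPUT
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*"

# Ports listed in a csf.conf TCP_IN line, one per line (single ports only; a:b ranges are not expanded).
csf_tcp_in_ports() {
    printf '%s\n' "$1" | sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' | tr ',' '\n'
}

# Ports from ss -ltn output that are bound to something other than a loopback address.
ss_public_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port }'
}

# Allowed in TCP_IN but nothing publicly listening there: candidates to drop from the firewall.
unused_allowed_ports() {
    listening=$(ss_public_ports "$2" | tr '\n' ' ')
    csf_tcp_in_ports "$1" | awk -v l="$listening" '
        BEGIN { n = split(l, arr, " "); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
        !($0 in seen) { print }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 0 if mysqld (3306) is reachable on a non-loopback address, 1 otherwise.
mysql_bound_publicly() {
    ss_public_ports "$1" | grep -qx 3306
}

# Report for the constructed samples
echo "Allowed but not served: $(unused_allowed_ports "$SAMPLE_CSF_CONF" "$SAMPLE_SS_OUTPUT")"
if mysql_bound_publicly "$SAMPLE_SS_MYSQL_PUBLIC"; then echo "3306 is exposed; set bind-address"; fi
```

On a real host, feed it `$(grep '^TCP_IN' /etc/csf/csf.conf)` and `$(ss -ltn)` instead of the samples.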

Bounty Awarded with 100 reputation awarded by Arcticooling
Chris Davies