Add Remote MySQL IP Addresses in CSF

by dt on September 5th, 2009

CSF is a free Linux firewall that works well with cPanel. (Actually, it is more than a firewall, but I want to talk about something else.)

cPanel has an option that lets users define the IP addresses from which they want to access MySQL remotely on the hosting server. For this to work, the server must have the MySQL port (3306) open in the firewall. In CSF, you just add 3306 to the TCP_IN list in /etc/csf/csf.conf.

Recently, I found something that looked like a denial-of-service attack on MySQL on several servers, so I decided to block the external MySQL port (3306) and only allow connections from clients, based on their settings in cPanel.

This is a one-line bash pipeline that searches for the IP addresses configured by clients in their own cPanel for MySQL remote access and creates a set of rules for CSF:

# One csf.allow line per remote host; CSF's advanced filter syntax uses "|" as the separator.
# Hosts that are not plain IPv4 addresses ("%" wildcards, hostnames) are skipped.
mysql -N mysql -e "SELECT Host, GROUP_CONCAT(DISTINCT User) FROM user WHERE Host != 'localhost' GROUP BY Host;" \
  | awk -F'\t' '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print "tcp|in|d=3306|s=" $1 "\t# " $2}' \
  | sort -u

You have to manually add the resulting lines to /etc/csf/csf.allow and restart csf (csf -r).
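A fuller version of the same idea, added here as an example and not the post's own script: it builds the rules from "Host<TAB>User" rows so the logic can be checked without a live database, rejects hosts that are not valid IPv4 addresses (octets above 255, "%" wildcards, hostnames), and prints only the rules that are not already in csf.allow so the output can be appended safely. The mysql client options and the temporary file path in the live-run comment are assumptions.

```bash
#!/bin/bash
# Added example, not the original post's script: build CSF allow rules for
# remote MySQL clients from mysql.user and print only the ones that are new.

# Reads "host<TAB>user" rows on stdin and writes one csf.allow line per host.
# Only plain IPv4 hosts are kept: hostnames and "%" wildcards such as
# 192.168.1.% would need a CIDR rule written by hand. All users sharing a
# host are listed in the trailing comment.
gen_csf_rules() {
    awk -F'\t' '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            # the regex alone accepts 999.1.1.1, so check each octet
            split($1, o, ".")
            if (o[1]+0 > 255 || o[2]+0 > 255 || o[3]+0 > 255 || o[4]+0 > 255) next
            users[$1] = (users[$1] == "") ? $2 : (users[$1] "," $2)
        }
        END {
            # CSF advanced filter: proto|direction|d=port|s=source
            for (h in users) printf "tcp|in|d=3306|s=%s\t# %s\n", h, users[h]
        }' | sort
}

# $1 = existing csf.allow, $2 = file of candidate rules. Prints the candidates
# whose rule part (text before the tab and comment) is not already present,
# so the result can be appended without creating duplicate entries.
new_rules_for() {
    awk -F'\t' 'FILENAME == ARGV[1] { seen[$1] = 1; next } !seen[$1]' "$1" "$2"
}

# Live run (assumed paths; needs the MySQL client credentials and CSF installed):
# mysql -N -B mysql -e "SELECT Host, User FROM user WHERE Host != 'localhost'" \
#   | gen_csf_rules > /tmp/mysql-allow.new
# new_rules_for /etc/csf/csf.allow /tmp/mysql-allow.new >> /etc/csf/csf.allow && csf -r
```

The allow list only restricts access once 3306 is no longer in TCP_IN in /etc/csf/csf.conf; while it is there, the port stays open to everyone regardless of csf.allow.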