I realized something strange, or at least something I just do not understand. I noticed in my journal that someone was trying to auth to mysql. I ran nmap -T4 against my server and can see that mysql is open. A Firewalld read says these things are not open by default, and I didn't open it myself.

```text
nmap -T4
PORT      STATE    SERVICE
17/tcp    filtered qotd
19/tcp    filtered chargen
22/tcp    open     ssh
25/tcp    filtered smtp
70/tcp    filtered gopher
80/tcp    open     http
82/tcp    filtered xfer
139/tcp   filtered netbios-ssn
143/tcp   open     imap
366/tcp   filtered odmr
389/tcp   filtered ldap
407/tcp   filtered timbuktu
416/tcp   filtered silverplatter
427/tcp   filtered svrloc
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
512/tcp   filtered exec
543/tcp   filtered klogin
587/tcp   open     submission
631/tcp   filtered ipp
648/tcp   filtered rrp
668/tcp   filtered mecomm
726/tcp   filtered unknown
749/tcp   filtered kerberos-adm
912/tcp   filtered apex-mesh
3000/tcp  open     ppp
**3306/tcp  open     mysql**
5000/tcp  open     upnp
5222/tcp  open     xmpp-client
5280/tcp  open     xmpp-bosh
10000/tcp open     snet-sensor-mgmt
20000/tcp open     dnp
```
When I run `firewall-cmd --list-all`:

```text
[root@virtual ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 5222/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="54.36.148.123" drop
        rule family="ipv4" source address="54.36.148.0/22" drop
        rule family="ipv4" source address="5.188.84.0/22" reject
        rule family="ipv4" source address="217.171.146.0/23" reject
        rule family="ipv4" source address="198.12.120.0/25" reject
        rule family="ipv4" source address="185.143.172.0/22" reject
        rule family="ipv4" source address="176.128.0.0/11" reject
[root@virtual ~]#
```
```text
firewall-cmd --get-active-zones
```

(I assume I didn't really have to do this, since `firewall-cmd --list-all` should show me everything that's active, right?)

```text
public
  interfaces: eth0
```
Does anyone have any idea why mysql would be completely open like this? Could a package or app I installed have turned this on? How is it not listed in my active public zone?

I am a little nervous about the proper command to use to close this to the public. I use localhost for all my apps, but I do not want to expose it publicly. Usually I would have done:

```text
firewall-cmd --zone=public --remove-service=mysql --permanent
```

but since it's not in public, this does not work. Should I do:

```text
firewall-cmd --remove-port=3306/tcp
```

This should pick up the default zone and close down the port, but I'm afraid it'll close it for localhost too.
Anything else anyone sees wrong here please feel free to comment.
Thank you
My env: CentOS 7 with Virtualmin.
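As an added example, not part of the original post or of firewalld: a small POSIX shell script that reads the zone's `ports:` line and reports which entry covers a given port. It shows why 3306/tcp is reachable even though no `mysql` service is in the zone: the entry `1025-65535/tcp` covers it (and also 3000, 5000 and 5280, the other nmap "open" ports above 1024). The `firewall-cmd --list-all` output from the post (rich rules omitted) is pasted into the `LIST_ALL` variable so the script runs offline; the function names `service_listed`, `covering_port_entries` and `remediation_commands` are this example's own. The firewall-cmd commands it produces are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original post. It explains the nmap result by
# finding which "ports:" entry of the firewalld zone covers a given port.
# LIST_ALL holds the zone lines pasted from the post so this runs offline;
# on the real host you would instead use
#   LIST_ALL=$(firewall-cmd --zone=public --list-all)
# The function names below are this example's own, not firewalld's.

LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 5222/tcp
  protocols:
  masquerade: no'

# service_listed NAME: exit 0 if NAME appears on the zone's "services:" line.
service_listed() {
    printf '%s\n' "$LIST_ALL" | sed -n 's/^ *services: *//p' \
        | tr ' ' '\n' | grep -qx -- "$1"
}

# covering_port_entries PORT PROTO: print every "ports:" entry (single port
# or lo-hi range) that covers PORT/PROTO; exit 0 if any did, 1 otherwise.
covering_port_entries() {
    port=$1; proto=$2; found=1
    entries=$(printf '%s\n' "$LIST_ALL" | sed -n 's/^ *ports: *//p')
    for e in $entries; do
        spec=${e%/*}; p=${e##*/}          # "1025-65535/tcp" -> "1025-65535", "tcp"
        [ "$p" = "$proto" ] || continue
        case $spec in
            *-*) lo=${spec%-*}; hi=${spec#*-} ;;
            *)   lo=$spec;      hi=$spec ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            printf '%s\n' "$e"
            found=0
        fi
    done
    return $found
}

# remediation_commands PORT PROTO: print (do not run) the firewall-cmd
# commands that drop every covering entry from the public zone. Dropping
# 1025-65535/tcp also closes 3000, 5000 and 5280 from the nmap output;
# re-add only what an application genuinely needs, e.g.
#   firewall-cmd --permanent --zone=public --add-port=3000/tcp
remediation_commands() {
    covering_port_entries "$1" "$2" | while read -r e; do
        printf 'firewall-cmd --permanent --zone=public --remove-port=%s\n' "$e"
    done
    echo 'firewall-cmd --reload'
}

# Usage: sh check_port.sh 3306 tcp
if [ "${1:-}" ]; then
    if service_listed mysql; then echo 'mysql service is in the zone'; fi
    echo "entries covering $1/${2:-tcp}:"
    covering_port_entries "$1" "${2:-tcp}" || echo '(none)'
    remediation_commands "$1" "${2:-tcp}"
fi
```

Two points follow from what the script shows. `firewall-cmd --remove-port=3306/tcp` cannot work because no `3306/tcp` entry exists; the entry that exposes MySQL is the range `1025-65535/tcp`, and that is what has to be removed (and the handful of ports Virtualmin or other apps need re-added individually). Removing it does not affect localhost: the `public` zone is bound to `eth0` only, and firewalld accepts loopback traffic regardless of zone, so connections to 127.0.0.1:3306 keep working. Independently of the firewall, it is worth setting `bind-address = 127.0.0.1` under `[mysqld]` in `/etc/my.cnf` so the daemon never listens on the public interface in the first place (assuming nothing on this host needs remote MySQL access).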