Port 3306 · MySQL
MySQL listens on port 3306 by default. Public exposure is a critical data-leak risk.
What runs on port 3306
MySQL is one of the most widely deployed open-source relational databases. Its default network protocol listens on TCP/3306. The wire protocol allows authentication followed by arbitrary SQL execution against any database the authenticated user can reach.
Why public exposure is dangerous
An exposed MySQL port lets an attacker enumerate users, brute-force passwords, exploit unpatched authentication CVEs, and exfiltrate or destroy every database on the host. Shodan regularly indexes hundreds of thousands of MySQL servers reachable on the public internet, many running outdated builds. Several large breaches have been traced to exposed MySQL instances with weak `root` passwords.
How to lock it down
Bind MySQL to `127.0.0.1` (loopback) or to a private-network interface only — set `bind-address = 127.0.0.1` in `my.cnf`. If applications outside the host need access, route through an SSH tunnel, a VPN, or a private VPC. Use a host firewall (`ufw deny 3306`, `iptables -A INPUT -p tcp --dport 3306 -j DROP`) as belt-and-suspenders. Always require strong passwords on every account and disable `root@'%'` (only `root@localhost` should exist).
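The bind-address and listener settings described above can be checked from the shell. This is an added example, not code from this page or from DomainCare: the function names and the sample `my.cnf` and `ss -ltn` text are constructed for illustration, and only the `[mysqld]` group is read.

```shell
#!/bin/sh
# Added example: audit helpers for the bind-address and firewall steps above.
# effective_bind: read a my.cnf on stdin and print the last bind-address set
# under [mysqld]. Prints "*" when none is set, because MySQL then listens on
# all interfaces. Assumption: !include / !includedir files are not followed.
effective_bind() {
  awk '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_sec && /^[ \t]*bind[-_]address[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "")
      val = $0
    }
    END { print (val == "" ? "*" : val) }
  '
}

# classify_bind ADDRESS: print loopback, private, all-interfaces or public.
# Assumption: a single IPv4/IPv6 address, not a comma-separated list.
classify_bind() {
  case "$1" in
    127.*|::1|localhost) echo loopback ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    '*'|0.0.0.0|::) echo all-interfaces ;;
    *) echo public ;;
  esac
}

# exposed_listeners: read `ss -ltn` output on stdin and print each local
# address listening on TCP/3306 that is not loopback.
exposed_listeners() {
  awk '$1 == "LISTEN" && $4 ~ /:3306$/ {
    addr = $4; sub(/:3306$/, "", addr)
    if (addr !~ /^127\./ && addr != "[::1]") print addr
  }'
}

# Constructed sample inputs, not taken from a real host.
SAMPLE_CNF='[client]
port = 3306
[mysqld]
bind-address = 0.0.0.0   # left over from testing
datadir = /var/lib/mysql'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      151    [::1]:3306         [::]:*'
bind=$(printf '%s\n' "$SAMPLE_CNF" | effective_bind)
echo "config bind-address: $bind ($(classify_bind "$bind"))"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners | sed 's/^/exposed listener: /'
```

On a real host, pipe the server's own `my.cnf` into `effective_bind` and `ss -ltn` into `exposed_listeners`; any address the second command prints is a 3306 listener reachable beyond loopback.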
When public exposure is legitimate
Almost never. Some managed-database providers expose MySQL on the internet behind IP allowlists; if that is your model, confirm the allowlist is in effect and not bypassed during maintenance.
Other ports DomainCare scans
- :5432 PostgreSQL — PostgreSQL listens on port 5432 by default. Public exposure is a critical data-leak risk equivalent to MySQL.
- :6379 Redis — Redis listens on port 6379 by default. Public exposure historically allows unauthenticated arbitrary code execution.
- :27017 MongoDB — MongoDB listens on port 27017 by default. Historically responsible for the largest single data-leak class — pre-3.0 builds shipped without authentication enabled.
- :9200 Elasticsearch — Elasticsearch listens on port 9200 by default. Public exposure opens the entire indexed dataset to any internet user.