Is it really possible for a hacker to break into my DB or Steal My Traffic?

It's more like a worst practice than a best practice: run MySQL with remote access at port 3306 at IP

but nothing ever happens because in reality, instead of rumor, no one can touch it.


To simplify, if you need remote database access, you should use a VPN. There are several types. I recommend Tinc or OpenVPN. If you really really can’t use a VPN, do not open the DB to the internet. Allow connections from set IP addresses in IPTables for that port. That way traffic to the DB is handled at the kernel level. Also, you should enable/set up MySQL/MariaDB’s SSL to encrypt traffic between the database.

@jtittle’s answer was better than this one though. Heart :)


Opening up Port 3306 to the public is, indeed, asking for trouble. It’s another port being exposed and it’s another port that can be attacked (port 3306 is the default MySQL port - it’s well known and it will be a port listed in any automated attack).

You can, however, use a firewall to limit who can connect (i.e. limit connections from only your local IP and your web server(s)), though ultimately, you should simply use a tool, such as phpMyAdmin or Adminer to manage database access (and limit access to this as well – don’t rely on basic password authentication through the script, use .htaccess to only allow your IP and then set up a username and password).

Even better, don’t use a public IP or localhost to connect to MySQL, use a Private Network IP (which would be provided by DigitalOcean). You’ll still need to set up firewall restrictions on the Private IP as well, though.

Ideally, you want to set up your firewall to deny all connections by default and then add rules that allow certain ports through, thus resulting in all connections being denied except to those which you specifically allow.

The most common ports you’ll need to keep open are:

- 80 - TCP - for HTTP
- 443 - TCP - for HTTPS
- 22 - TCP - for SSH (swap 22 for your SSH port number if you’ve modified it)
- 53 - UDP - for DNS
- 53 - TCP - for DNS if you’re running Bind (i.e. a DNS server)

This excludes mail server ports. I didn’t list those simply because they often vary.
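
The default-deny firewall with MySQL limited to set IP addresses, as described in the answers above, shown as an added example (not part of any answer on this page): a shell function that prints an `iptables-restore` ruleset. The function names are hypothetical and the client addresses are constructed documentation IPs; port 53 is left out on the assumption that the host is not a DNS server.

```shell
#!/bin/sh
# Added example: build a default-deny ruleset where 3306 is reachable
# only from explicitly listed single IPv4 addresses.

# Return 0 only for a plain dotted-quad IPv4 address (no CIDR, no ranges),
# so a typo such as 0.0.0.0/0 can never open MySQL to everyone.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset to stdout; arguments are the IPs allowed to reach MySQL.
make_ruleset() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,22 -j ACCEPT
EOF
    for ip in "$@"; do
        echo "-A INPUT -p tcp -s $ip --dport 3306 -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample clients (RFC 5737 documentation addresses).
make_ruleset 203.0.113.10 198.51.100.7
```

Review the printed rules before loading them as root with `iptables-restore`, and replace 22 in the multiport rule if SSH listens on another port.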
