Restricting MySQL connections from localhost to improve security

Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/13208614/

Date: 2020-08-31 15:21:25  Source: igfitidea

Tags: mysql, database, localhost

Asked by Darkeden

I heard that anyone that knows my MySQL Username and Password can access it, Even if it's listening only to localhost.

Supposing my info is as following:

USER: root
PASS: 123456
Host: LOCALHOST (only)

How is it possible that anyone out there (local) can access it?

Answered by ajtrichards

If you restrict access from remote hosts to your usernames and passwords then someone won't be able to access the database externally.

You could also configure your firewall to only allow traffic to 3306 (MySQL Default Port) from the localhost machine.

Update

To set up your user so they can only access through LOCALHOST use:

GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
GRANT ALL PRIVILEGES ON *.* TO 'db_user'@'127.0.0.1' IDENTIFIED BY 'db_passwd';

Also, bind your MySQL server to the local address. You can do this by editing the [mysqld] section of my.cnf:

[mysqld]
bind-address = 127.0.0.1
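The bind-address step above is easy to get subtly wrong (a typo'd key, a second bind-address later in the file, or the directive placed under the wrong section). The following audit script is an added example, not code from the answer or from MySQL: it reads a my.cnf, looks only inside the [mysqld] section, takes the last bind-address (mysqld keeps the last one it sees), and reports whether every bound address is loopback. The two sample configs are constructed inline; the function name check_bind_address is my own.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the [mysqld] section of a
# my.cnf and report whether mysqld is confined to the loopback interface.
# Exit status of check_bind_address: 0 = loopback only, 1 = reachable from other hosts.

check_bind_address() {
    cfg="$1"
    # Extract the effective bind-address (last one wins, as in mysqld) or note
    # skip-networking, looking only inside the [mysqld] section.
    val=$(awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /\[mysqld\]/); next }
        in_mysqld && /^[ \t]*skip[-_]networking/ { skip = 1 }
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            v = $0
            sub(/^[ \t]*bind[-_]address[ \t]*=[ \t]*/, "", v)   # strip the key
            sub(/[ \t#].*$/, "", v)                             # strip trailing comment
        }
        END { if (skip) print "skip-networking"; else print v }
    ' "$cfg")

    # No bind-address at all means the MySQL default "*": every interface.
    [ -z "$val" ] && return 1
    # skip-networking disables TCP entirely; only the Unix socket remains.
    [ "$val" = "skip-networking" ] && return 0

    # MySQL 8 accepts a comma-separated list; every entry must be loopback.
    old_ifs=$IFS; IFS=','
    for addr in $val; do
        case "$addr" in
            127.0.0.1|localhost|::1) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample configs (not taken from any real host).
WEAK_CNF=$(mktemp)
HARDENED_CNF=$(mktemp)
trap 'rm -f "$WEAK_CNF" "$HARDENED_CNF"' EXIT

cat >"$WEAK_CNF" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
EOF

cat >"$HARDENED_CNF" <<'EOF'
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1   # loopback only: remote hosts cannot reach port 3306
EOF

for cfg in "$WEAK_CNF" "$HARDENED_CNF"; do
    if check_bind_address "$cfg"; then
        echo "$cfg: mysqld restricted to localhost"
    else
        echo "$cfg: mysqld EXPOSED to other hosts"
    fi
done
```

Run it against /etc/mysql/my.cnf (and any files it !includes) after a change, then restart mysqld; the config check is only half the story, so confirm the running listener separately. Note that the GRANT ... IDENTIFIED BY form shown in the answer was removed in MySQL 8: there you create the account with CREATE USER 'db_user'@'localhost' IDENTIFIED BY '...' first and GRANT the privileges in a second statement.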

Answered by Steve

This is an older question that I stumbled across, but if Darkeden had phpMyAdmin or similar running, anyone can log in to that using valid MySQL credentials.

If it was compromised, then in addition to restricting connections, change all passwords.

Answered by Ami

You can block direct access to MySQL at the firewall or within MySQL itself, but the most likely way you'd be hacked is through an insecure web application - in that situation the attacker would most likely be able to read your database login and connect from the server.

So keep your applications secure - keep everything updated, don't allow file uploads, use suPHP if you have multiple accounts etc.

If you want to restrict your MySQL application, follow these steps:

1. You could just block port 3306. If the site is on the same server then it will still be able to access the database using localhost as the hostname.

2. Just add "bind-address = 127.0.0.1" to the "[mysqld]" section of their my.cnf file to restrict access to localhost only.

Most of people use this type of restriction.

Answered by iheggie

I didn't see an answer that answered his (adjusted) question - he has locked it to localhost and the attacker is still getting in.

If you have truly restricted it to localhost (check using netstat -an | egrep 3306 to confirm it is listening on 127.0.0.1, not 0.0.0.0), then the only way of accessing it is to originate a connection from that local host.

Initial steps to take:

  1. Probably rebuild a replacement system from scratch and harden it before you make it publicly accessible (having a repeatable recipe, eg using ansible, will help as you may have to go through a few iterations to learn how he gets in). Check with reputable security scanners what your obvious holes are,
  2. Get help from a security professional (depends on whether you want to spend $ or time and frustration to fix)
  3. Apply security patches,
  4. Remove services you don't need,
  5. restrict the database access to only those programs that need it,
  6. redo all your passwords,
  7. check for installed root kits, and other viruses,
  8. secure your server if at your own office and train staff in handling social engineering,
  9. use a service that will monitor and filter the requests coming through and deny direct access (eg use cloudflare as a cheap starting point)
  10. check for keyboard loggers (physical and software, and other viruses) on all machines used to access the server,
  11. check for physical means of logging your keystrokes in accessing your server (eg the web cam style used in ATMs); the more exotic include sound (https://en.wikipedia.org/wiki/Acoustic_cryptanalysis) and typing near a wifi access point (eg https://www.schneier.com/blog/archives/2016/08/keystroke_recog.html)
  12. Add an audit trail and monitor database activity to work out how he is getting through, but at least you need to do all the obvious securing first because otherwise he will just hop from one security hole to another
He could be also getting through using:

  1. accessing via some program you are running (eg a web server) that is externally accessible and has a security hole that allows him to run arbitrary sql commands through its existing database connection - see https://www.w3schools.com/sql/sql_injection.asp

  2. tricking some program he has access to from outside to proxy a connection for him to localhost:3306 (eg through a misconfigured network firewall on the machine)

  3. tricking some program to run a local program (bash, mysql etc), and from there gaining access to the database - buffer overflows and other specially crafted data are a common issue leading to running arbitrary code

  4. man in the middle attack on a connection that has legitimate access

  5. bugs in a program that is automatically or manually processing data from outside, eg email, processing of postscript/pdf/any document with scripting processing - even viewing a text file can be dangerous - see https://www.proteansec.com/linux/blast-past-executing-code-terminal-emulators-via-escape-sequences/

  6. social engineering a way through getting people to give you access

  7. managing to get a hardware device attached to a computer that has access (how many people will pick up a "memory stick" lying in the work car park and check it out, not realising it's a "programmable keyboard", and ALL computers trust keyboards!)

  8. and then many more all the other sorts of methods I don't know, but those that are involved share ...

Just remember that you need to have practical security, I think xkcd says it just right: https://xkcd.com/538/

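The netstat check in this answer is the one that matters, because it inspects the running server rather than the file you think it read. The script below is an added example, not code from the answer: it takes the output of netstat -an or ss -ltn on stdin and reports any LISTEN socket on port 3306 whose local address is not loopback, treating 0.0.0.0, ::, * and [::] as exposed. The sample output it parses is constructed, not captured from a real host, and the function name check_mysql_listeners is my own.

```shell
#!/bin/sh
# Added example (not from the original answer): feed it the output of
# `netstat -an` or `ss -ltn` and it reports any LISTEN socket on port 3306
# that is bound to something other than a loopback address.
# Exit status of check_mysql_listeners: 0 = loopback only, 1 = exposed.

check_mysql_listeners() {
    # Reads listener lines on stdin. `netstat -an` puts the state in the last
    # column and `ss -ltn` in the first, but both put the local address in
    # the fourth column, so one awk program covers both formats.
    exposed=$(awk '
        $1 == "LISTEN" || $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]                                   # text after the last ":"
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "3306" &&
                host != "127.0.0.1" && host != "::1" &&
                host != "[::1]" && host != "localhost")
                print addr
        }')
    if [ -n "$exposed" ]; then
        echo "mysqld is listening on non-loopback address(es):"
        echo "$exposed"
        return 1
    fi
    echo "mysqld listens on loopback only"
    return 0
}

# Constructed sample of `netstat -an` output (not captured from a real host).
EXPOSED_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

LOOPBACK_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:3306                :::*                    LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

for sample in "$EXPOSED_SAMPLE" "$LOOPBACK_SAMPLE"; do
    printf '%s\n' "$sample" | check_mysql_listeners || true
done
```

On a live host run `netstat -an | check_mysql_listeners` or `ss -ltn | check_mysql_listeners`; a non-zero exit means the bind-address change has not taken effect (wrong file, wrong section, or mysqld not restarted). Remember that a loopback-only listener still does nothing against a compromised web application on the same machine, which is the scenario the rest of this answer is about.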