Open MySQL Port 3306

An internet-exposed MySQL listener on TCP 3306 lets attackers brute-force credentials or exploit database vulnerabilities.

What it is

MySQL servers listen on TCP port 3306 so applications can query data stores. In production environments that port should only be reachable from trusted application tiers or VPN segments. When 3306 is exposed directly to the internet, anyone can probe the database engine, fingerprint the version, enumerate schemas, or attempt authentication. Because MySQL frequently stores customer records, transactions, and proprietary data, an exposed listener becomes a high-value foothold.

Why it matters

An openly reachable MySQL port lets attackers interact with your database engine in real time. Even when authentication is enabled, weak or reused passwords, default accounts, and unpatched CVEs make compromise likely. Successful brute-force or exploit attempts provide access to raw tables, stored procedures, or the underlying host. Breaches that start with exposed databases often cascade into ransomware, data theft, and compliance violations because backups, PII, and API secrets sit in the same datastore.

How to reduce risk

  • Restrict port 3306 to internal networks, private peers, or database proxies.
  • Enforce strong, rotated credentials (long passwords or managed identities) and disable unused accounts.
  • Require TLS/SSL for MySQL connections and reject plaintext authentication.
  • Keep the MySQL engine patched and remove outdated plugins or sample databases.
  • Use managed database services or firewalls that apply default deny rules and log connection attempts.
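
The first and third items of the checklist can be verified from the server's option file. The following is an added example, not part of the original glossary entry: it parses the `[mysqld]` section and reports a wildcard or publicly routable `bind_address` and a missing `require_secure_transport`. Assumptions: the two sample configurations are constructed, only a single option file's text is examined (no `!includedir` files, no firewall rules), and the function names are illustrative.

```python
import ipaddress

# Constructed sample option files (not taken from any real host).
WEAK = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n"
HARDENED = ("[mysqld]\nport = 3306\nbind_address = 10.0.5.12\n"
            "require_secure_transport = ON\n")

def mysqld_options(text):
    """Parse the [mysqld] section; MySQL treats '-' and '_' in option names alike."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return opts

def enabled(opts, name):
    """True when a boolean option is present and not explicitly switched off."""
    return name in opts and opts[name].lower() not in ("0", "off", "false")

def audit(text):
    """Return findings for the exposure and TLS items of the checklist."""
    opts = mysqld_options(text)
    if enabled(opts, "skip_networking"):
        return []  # no TCP listener at all, so nothing listens on 3306
    findings = []
    # The server default for bind_address is '*', i.e. every interface.
    for addr in opts.get("bind_address", "*").split(","):
        addr = addr.strip()
        if addr in ("*", "0.0.0.0", "::"):
            findings.append(f"bind_address={addr}: listens on all interfaces")
            continue
        try:
            if ipaddress.ip_address(addr).is_global:
                findings.append(f"bind_address={addr}: publicly routable address")
        except ValueError:
            pass  # host names are not resolved by this check
    if not enabled(opts, "require_secure_transport"):
        findings.append("require_secure_transport is not ON: plaintext connections accepted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A wildcard bind is only an internet exposure when no firewall or security group blocks 3306 in front of the host, so treat a finding as a prompt to confirm the network-level rule as well.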
