
When your web application checks a password, it asks a database. When it loads a shopping cart, displays a profile, or records a transaction—database. That asking happens through port 3306, the default gateway to MySQL.

This is happening constantly. Not occasionally, not when users click buttons—constantly. Background jobs, health checks, session validation, cache warming. Your application talks to its database the way you breathe: automatically, continuously, without thinking about it. Port 3306 carries all of it.

What Happens on Port 3306

MySQL is a relational database management system. It stores data in tables, accepts queries written in SQL, and returns results. When MySQL Server starts, it listens on port 3306 for clients—your application code, command-line tools, analytics platforms—to connect.

A client connects, proves its identity with credentials, then sends SQL queries and receives results over a persistent TCP connection. The connection stays open, allowing rapid back-and-forth without the overhead of reconnecting for each query.

Every query your application makes—"does this user exist?", "what's in their cart?", "record this purchase"—travels through port 3306.

Local Connections vs. Remote Connections

Two configurations dominate how applications talk to MySQL.

Local connections happen when your application and database run on the same machine. Your laptop running a development server connects to MySQL through localhost on port 3306. The data never touches a network cable. It stays inside the machine, protected by the operating system. Nobody on the network can intercept it because it never leaves.

Remote connections happen when the database lives on a different server. In production, this is typical: web servers in one place, database server in another. Now the connection travels over a network—a private network in your data center, a cloud VPC, or the public Internet.

The security implications are completely different. Local connections are inherently protected. Remote connections require deliberate protection.

Why Exposing Port 3306 Is Dangerous

Attackers don't scan for port 3306 because they're curious about your schema. They scan because databases contain the things worth stealing: credentials, payment information, personal data, business secrets. An exposed MySQL port is an invitation to take everything.

Automated tools sweep the entire Internet looking for open port 3306 instances. When they find one, they try common usernames—root, admin, mysql—with thousands of password combinations. They probe for unpatched vulnerabilities. They look for default credentials that were never changed.

Even strong passwords don't eliminate the risk. A zero-day vulnerability in MySQL could give attackers access before you can patch. Unencrypted connections let anyone on the network path read your queries and their results. The attack surface is simply too large.

The rule is absolute: MySQL should never be directly reachable from the public Internet.

How to Protect Port 3306

Network firewalls are the first barrier. Configure your firewall to allow connections on port 3306 only from specific IP addresses—your web servers, your admin machines, nothing else. Cloud platforms make this easy. An AWS security group can restrict your RDS instance to accept connections only from EC2 instances in a specific security group. Everyone else gets nothing.

MySQL's own access controls add a second layer. When you create a database user, you specify which hosts that user can connect from. A user defined as webapp@192.168.1.100 can only authenticate from that exact IP address. Even if an attacker steals the password, they can't use it from anywhere else.

These layers work together. An attacker would need to compromise an authorized server AND obtain valid credentials for that specific host. One without the other is useless.

Encrypting Database Traffic

Firewalls stop unauthorized connections. But what about authorized ones? When your web server queries your database across a network, that traffic contains credentials, SQL queries, and result sets. Without encryption, anyone who can observe the network can read it all.

MySQL supports TLS encryption for connections. When enabled, the client and server establish an encrypted channel during the handshake. Everything after that—authentication, queries, results—travels through that encrypted tunnel.

You can require TLS at the server level (all connections must encrypt) or at the user level (specific users must encrypt). Modern practice is to require it everywhere. With connection pooling and modern hardware, the performance cost is minimal [1]. The protection is substantial.

Managed database services like Amazon RDS enable TLS by default and provide certificates automatically. There's no reason not to use it.
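The host restriction and the per-user TLS requirement described above can both be checked from MySQL's account table. The following is an added example, not part of the original page: it audits rows as returned by SELECT User, Host, ssl_type FROM mysql.user. The sample rows are constructed, and treating localhost accounts as exempt from the TLS check is an assumption of this sketch.

```python
# Added example: audit rows from
#   SELECT User, Host, ssl_type FROM mysql.user;
# SAMPLE_ROWS is constructed data, not taken from a real server.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

SAMPLE_ROWS = [
    ("webapp", "192.168.1.100", "ANY"),  # pinned host, TLS required
    ("report", "%", ""),                 # any host, TLS not required
    ("backup", "10.0.%", "X509"),        # wildcard host, client cert required
    ("root", "localhost", ""),           # local only
    ("etl", "192.168.1.101", ""),        # pinned host, TLS not required
]


def _esc(value):
    """Escape backslashes and single quotes for a quoted SQL string."""
    return value.replace("\\", "\\\\").replace("'", "''")


def quote_account(user, host):
    """Render an account name as 'user'@'host'."""
    return f"'{_esc(user)}'@'{_esc(host)}'"


def audit_accounts(rows):
    """Return (account, issue, suggested_fix) for each weak account definition."""
    findings = []
    for user, host, ssl_type in rows:
        account = quote_account(user, host)
        # '%' and '_' act as wildcards in the Host column.
        if "%" in host or "_" in host:
            findings.append((account, "wildcard host",
                             "recreate the account with a specific host"))
        # An empty ssl_type means the account may connect without TLS.
        if host not in LOCAL_HOSTS and ssl_type == "":
            findings.append((account, "TLS not required",
                             f"ALTER USER {account} REQUIRE SSL;"))
    return findings


if __name__ == "__main__":
    for account, issue, fix in audit_accounts(SAMPLE_ROWS):
        print(f"{account}: {issue} -> {fix}")
```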

Connection Strings Done Right

Applications connect to MySQL with connection strings:

mysql://username:password@hostname:3306/database_name

Never put credentials directly in code. Never commit them to version control. Store them in environment variables, in a secrets manager like HashiCorp Vault or AWS Secrets Manager, or in configuration files with restricted permissions. Credentials in a git repository are credentials on the Internet.

Explicitly including the port (even though 3306 is the default) makes configuration clearer and allows running MySQL on alternate ports if needed. But changing ports is not a security measure—it's obscurity. Attackers scan all ports, not just 3306.
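One way to follow this advice in application code, as an added example that is not from the original page: read the connection string from an environment variable, refuse to start without it, and log only a redacted form. The variable name DATABASE_URL, the function names and the sample URL are assumptions for illustration.

```python
import os
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = 3306


def load_db_config(env=os.environ, var="DATABASE_URL"):
    """Parse mysql://user:password@host:port/dbname from an environment variable."""
    url = env.get(var)
    if not url:
        # Fail closed: there is no hard-coded fallback credential.
        raise RuntimeError(f"{var} is not set")
    parts = urlsplit(url)
    if parts.scheme != "mysql":
        raise ValueError("expected a mysql:// URL")
    if not (parts.hostname and parts.username and parts.password):
        raise ValueError("URL must include host, username and password")
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT,   # explicit port wins, else 3306
        "user": unquote(parts.username),
        "password": unquote(parts.password),  # decode %40, %2F and similar
        "database": parts.path.lstrip("/"),
    }


def redact(cfg):
    """Rebuild the URL for log output with the password masked."""
    return (f"mysql://{cfg['user']}:***@{cfg['host']}:"
            f"{cfg['port']}/{cfg['database']}")


if __name__ == "__main__":
    # Constructed sample value; in production the variable is set by the
    # deployment environment or injected from a secrets manager.
    sample = {"DATABASE_URL": "mysql://webapp:p%40ss%2Fword@db.internal.example/shop"}
    print(redact(load_db_config(sample)))
```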

The Complete Picture

Securing MySQL is layered. Each layer addresses different threats:

  • Network isolation stops unauthorized connections before they start
  • Host-based access control restricts which machines can authenticate as which users
  • Strong credentials make brute-force attacks impractical
  • TLS encryption protects data in transit from interception
  • Secrets management keeps credentials out of code and logs

No single layer is sufficient. Together, they make your database defensible.

Port 3306 is just a number—the default door to MySQL. What matters is whether you've left that door open to the world. Your database contains everything your application knows. Every user. Every transaction. Every secret. Protect it accordingly.

Sources

  1. SSL Performance Overhead in MySQL
