Restricting where MySQL or MariaDB listens reduces accidental exposure of the database service while still allowing controlled access from a private network, VPN, or SSH-tunneled workflow.
The mysqld server binds a TCP socket (commonly port 3306) based on values loaded from its configuration files. The bind-address directive under the [mysqld] section determines whether the daemon accepts TCP connections only from localhost, only from a specific host IP, or (when explicitly configured) from broader network scopes.
The bind-address value must be an IP address assigned to the host (IPv4 or IPv6), not an interface name like eth0. Moving beyond localhost affects exposure and routing, but does not grant access by itself; firewall policy and database account host permissions must also allow the connection, and the service must be restarted to apply the listener change.
Setting bind-address to 0.0.0.0 exposes the database on all IPv4 interfaces. Use this only when host firewall rules and database account restrictions are already in place; otherwise the service may become internet-facing.
Steps to change the listen address for MySQL or MariaDB:
- Identify the IP address for the interface that should accept connections.
$ ip --brief address show scope global
ens3 UP 10.10.10.10/24
- Confirm the current listening address for TCP port 3306.
$ sudo ss --listening --numeric --tcp --processes | grep --fixed-strings ':3306'
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1234,fd=21))
No output usually means the service is stopped, TCP listening is disabled via skip-networking, or the port is different.
- Locate the active configuration line that sets bind-address.
$ sudo grep --recursive --line-number --extended-regexp '^[[:space:]]*bind-address' /etc/mysql
/etc/mysql/mysql.conf.d/mysqld.cnf:44:bind-address = 127.0.0.1
MariaDB commonly uses /etc/mysql/mariadb.conf.d/50-server.cnf for server settings on Debian/Ubuntu-style systems.
- Open the server configuration file that contains the active bind-address setting.
$ sudoedit /etc/mysql/mysql.conf.d/mysqld.cnf
- Set bind-address under the [mysqld] section to the desired IP address.
[mysqld]
bind-address = 10.10.10.10
Use 127.0.0.1 to accept local-only connections, or set a specific private IP for controlled remote access.
- Confirm the new bind-address setting is the only active definition in the loaded config files.
$ sudo grep --recursive --line-number --extended-regexp '^[[:space:]]*bind-address' /etc/mysql
/etc/mysql/mysql.conf.d/mysqld.cnf:44:bind-address = 10.10.10.10
If multiple lines appear, the last-loaded file can override earlier values; comment out duplicates to keep the effective listener unambiguous.
- Restart the database service to apply the new listener.
$ sudo systemctl restart mysql
On MariaDB systems, the unit name is typically mariadb:
$ sudo systemctl restart mariadb
- Confirm mysqld is listening on the expected address.
$ sudo ss --listening --numeric --tcp --processes | grep --fixed-strings ':3306'
LISTEN 0 151 10.10.10.10:3306 0.0.0.0:* users:(("mysqld",pid=1234,fd=21))
- Test a real connection to the new listener from an allowed client.
$ mysql --host=10.10.10.10 --port=3306 --user=appuser --password --protocol=TCP --execute 'SELECT 1;'
Enter password:
+---+
| 1 |
+---+
| 1 |
+---+
If the TCP connection opens but authentication fails, review user host permissions (for example, 'appuser'@'10.10.10.%').
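As a scripted form of the listener check in the steps above, this added example (not part of the original page) classifies the address mysqld is bound to from ss output and fails when it differs from the intended one. The function names and the sample ss lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Read `ss --listening --numeric --tcp` output on stdin and print
# "<exposure> <address>" for each listener on PORT ($1).
# exposure is one of: loopback | wildcard | specific
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)        # last colon, so IPv6 works too
            if (!n || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            gsub(/^\[|\]$/, "", addr)        # [::1] -> ::1
            sub(/%.*$/, "", addr)            # drop an interface scope (%lo)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                kind = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1")
                kind = "loopback"
            else
                kind = "specific"
            print kind, addr
        }'
}

# Return 0 if every listener on PORT ($1) is bound to EXPECTED ($2),
# 1 if any listener is bound elsewhere, 2 if nothing listens on PORT.
listener_matches() {
    found=$(classify_listeners "$1")
    [ -n "$found" ] || return 2
    printf '%s\n' "$found" |
        awk -v want="$2" '$2 != want { bad = 1 } END { exit bad + 0 }'
}

# Constructed ss output with mysqld bound to the address given in $1.
sample_ss() {
    printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n'
    printf 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))\n'
    printf 'LISTEN 0 151 %s:3306 0.0.0.0:* users:(("mysqld",pid=1234,fd=21))\n' "$1"
}

# Demo on constructed input. On a live host, pipe the real command instead:
#   sudo ss --listening --numeric --tcp | listener_matches 3306 10.10.10.10
for addr in 127.0.0.1 10.10.10.10 0.0.0.0; do
    sample_ss "$addr" | classify_listeners 3306
done
```

Because the port is compared exactly, a listener on 33060 is not mistaken for 3306, which a fixed-string grep for ':3306' would also match.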
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
