Ports

Port 3306: MySQL

Default MySQL database port. Often used by apps and admin tools.

Where you will see it: In scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 3306 is the default port for MySQL. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. A MySQL server binds to 3306 and client applications connect from ephemeral source ports.

After the TCP handshake, the MySQL protocol handshake exchanges capabilities and authentication data, and then the client sends SQL queries while the server returns result sets. In real applications, connection pools keep sessions open for performance, so database connections are often long-lived and predictable, which helps defenders baseline normal behavior.

Security-wise, 3306 should rarely be reachable from end-user networks or the internet. If it is exposed, attackers can brute-force accounts, exploit vulnerable server versions, or abuse overly privileged application credentials to exfiltrate data.

How it works in broad strokes

  1. Client opens a connection and negotiates the MySQL handshake, including capability flags.
  2. Client authenticates and then sends queries and receives results over the session.
  3. Applications often use connection pools, so one compromised app node can access the data layer continuously.
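The greeting in step 1 is sent by the server before any authentication, so a defender can read the version banner and capability flags from it to confirm patch level and whether TLS is offered. The parser below is an added example, not part of the original page; the sample packets and the version string "8.0.0-constructed" are constructed for illustration, and the field layout follows the MySQL HandshakeV10 packet format.

```python
import struct

CLIENT_SSL = 0x00000800                # server will upgrade the session to TLS
CLIENT_SECURE_CONNECTION = 0x00008000  # second salt part follows the reserved bytes
CLIENT_PLUGIN_AUTH = 0x00080000        # auth plugin name follows the salt

def parse_greeting(packet: bytes) -> dict:
    """Parse the HandshakeV10 greeting a MySQL server sends after TCP connect."""
    if len(packet) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(packet[:3], "little")   # 3-byte length, 1-byte sequence id
    payload = packet[4:4 + length]
    if len(payload) != length or length < 2:
        raise ValueError("truncated payload")
    if payload[0] != 10:
        raise ValueError(f"unexpected protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)                 # version string is NUL-terminated
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1                       # skip thread id, salt part 1, filler
    if len(payload) < pos + 18:
        raise ValueError("greeting too short for capability flags")
    cap_lo, _charset, _status, cap_hi, salt_len = struct.unpack_from("<HBHHB", payload, pos)
    caps = cap_lo | (cap_hi << 16)
    pos += 8 + 10                                   # fixed fields, then 10 reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, salt_len - 8)                # salt part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"version": version, "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin}

def build_sample(version: str, caps: int) -> bytes:
    """Constructed greeting for offline testing (not captured from a real server)."""
    salt = b"A" * 20
    payload = (b"\x0a" + version.encode() + b"\x00" + struct.pack("<I", 42)
               + salt[:8] + b"\x00"
               + struct.pack("<HBHHB", caps & 0xFFFF, 0xFF, 2, caps >> 16, 21)
               + b"\x00" * 10 + salt[8:] + b"\x00" + b"caching_sha2_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

BASE = CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
if __name__ == "__main__":
    for caps in (BASE | CLIENT_SSL, BASE):
        print(parse_greeting(build_sample("8.0.0-constructed", caps)))
```

A true `tls_offered` only means the server can negotiate TLS; whether plaintext sessions are refused depends on server settings such as `require_secure_transport` and on per-account requirements.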

Concrete example

A web app connects to MySQL on 3306 from an app subnet. If a developer laptop can also reach 3306, credential theft on that laptop can lead directly to database access.

Why it matters

Database services are critical assets. Exposed MySQL ports invite brute force and exploit attempts. Even inside a network, broad access to 3306 increases the impact of a compromised host, so segmentation and least privilege matter.

Security angle

  • Restrict access to application subnets and require strong authentication and least-privilege users.
  • Enable TLS for client connections where appropriate and patch the server regularly.
  • Monitor for unusual logins, long-running queries, and data dump patterns.

Common pitfalls

  • Allowing remote root access or using shared admin accounts.
  • Exposing 3306 to the internet or to user VLANs.
  • Skipping TLS on database connections when traversing untrusted networks or shared infrastructure.