Bug #75340 Bind to localhost by default
Submitted: 30 Dec 2014 14:49
Modified: 6 Jan 2015 7:56
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Cluster Manager
Severity: S3 (Non-critical)
Version: 1.3.3
OS: Any
Assigned to:
CPU Architecture: Any
Tags: Security

[30 Dec 2014 14:49] Daniël van Eeden
Description:
By default mcmd listens on 1862 (protocol=mysql) and allows access with username=mcmd and password=super.

Please bind to localhost by default to make this a bit more secure.

How to repeat:
Set up mcmd and run 'netstat -nr' and try to connect as mcmd/super.

Suggested fix:
1. Add 'manager-host' and/or 'manager-interface' options and limit these to localhost/localhost6 and/or the lo network interface.

2. Limit access to the mcmd account to localhost or a limited network segment.
[6 Jan 2015 7:56] MySQL Verification Team
Hello Daniël,

Thank you for the report/feature request.

Thanks,
Umesh
[6 Jan 2015 7:57] MySQL Verification Team
IMHO, previously the --manager-port=# option could optionally take a host name in addition to the port number [host:]port, but in MySQL Cluster Manager 1.1.1 and later the host name is no longer accepted.