How to temporarily close unnecessary database ports in an emergency?

To temporarily close unnecessary database ports in an emergency, you can follow these steps:

  1. Identify the Ports: Determine which database ports are unnecessary (e.g., MySQL defaults to port 3306, PostgreSQL to 5432). Use commands like netstat -tuln (Linux) or Get-NetTCPConnection (Windows PowerShell) to list open ports.

  2. Firewall Rules:

    • Linux (iptables/nftables): Block the port temporarily. A rule added this way is not persisted, so it disappears on reboot; if an earlier ACCEPT rule in the INPUT chain already matches the port, insert the DROP rule at the top with -I INPUT 1 instead of appending it with -A.
      Example (iptables):
      sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
      
    • Windows (Firewall): Use New-NetFirewallRule to block the port.
      Example:
      New-NetFirewallRule -DisplayName "Block DB Port 3306" -Direction Inbound -LocalPort 3306 -Protocol TCP -Action Block
      
  3. Database Configuration: Some databases allow binding to 127.0.0.1 (localhost) only, restricting external access. For example, in MySQL, modify my.cnf to set bind-address = 127.0.0.1; the change takes effect after the MySQL service is restarted.

  4. Cloud Provider Security Groups (if applicable): If the database is hosted on a cloud platform like Tencent Cloud, use the Security Group feature to revoke inbound rules for the unnecessary ports.

  5. Verify: Test the port closure with telnet <IP> <port> or nc -zv <IP> <port> from a host outside the server to ensure the port is no longer accessible.
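The steps above combined into one shell helper, added here as an example and not part of the original answer: it parses an ss -tuln style listing (a constructed sample is embedded), reports database ports bound to a non-loopback address that are not on an allow-list, prints the iptables block rule for each (and only runs it when APPLY=1, since iptables needs root), and provides a verify_closed check built on nc. The DB_PORTS list, the function names and the ALLOWED_PORTS/APPLY variables are assumptions of this example.

```sh
#!/bin/sh
# Emergency helper (added example, not from the original page): find exposed
# database ports in an `ss -tuln` style listing, print or apply the iptables
# rule that blocks each one, and verify the closure afterwards.

# Constructed sample listing, not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      244    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    [::]:6379         [::]:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*'

# Default ports of common database services (assumed list; extend as needed):
# MySQL, PostgreSQL, Redis, MSSQL, MongoDB.
DB_PORTS="3306 5432 6379 1433 27017"

# exposed_db_ports LISTING ALLOWED: print DB ports bound to a non-loopback
# address and absent from the space-separated ALLOWED list, one per line.
exposed_db_ports() {
  printf '%s\n' "$1" | awk -v dbp="$DB_PORTS" -v allow="$2" '
    BEGIN { n = split(dbp, a, " ");   for (i = 1; i <= n; i++) db[a[i]] = 1
            m = split(allow, b, " "); for (i = 1; i <= m; i++) ok[b[i]] = 1 }
    $1 == "tcp" && $2 == "LISTEN" {
      port = $5; sub(/.*:/, "", port)       # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)    # everything before it
      if (addr != "127.0.0.1" && addr != "[::1]" && (port in db) && !(port in ok))
        print port
    }'
}

# block_rule PORT: iptables command for one port. -I INPUT 1 inserts at the top
# of the chain so an earlier ACCEPT rule cannot take precedence (possible with
# -A); the rule is not persisted, so it is gone after a reboot.
block_rule() {
  printf 'iptables -I INPUT 1 -p tcp --dport %s -j DROP\n' "$1"
}

# verify_closed HOST PORT: succeeds when a TCP connect no longer gets through.
verify_closed() {
  ! nc -z -w 3 "$1" "$2" 2>/dev/null
}

main() {
  for p in $(exposed_db_ports "$SAMPLE_SS" "${ALLOWED_PORTS:-}"); do
    rule=$(block_rule "$p")
    if [ "${APPLY:-0}" = "1" ]; then sudo $rule; else echo "DRY-RUN: $rule"; fi
  done
}
main
```

Run it as-is for a dry run over the sample, or with ALLOWED_PORTS="3306" APPLY=1 on a real listing to keep MySQL reachable and block the rest.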

For Tencent Cloud, you can manage ports via:

  • Security Group: Navigate to the CVM Console > Security Group > Edit Inbound Rules to block specific ports.
  • Database Proxy: Use TencentDB for MySQL/PostgreSQL with private networking to limit exposure.

This ensures minimal exposure while you address the emergency.