Author Topic: Allow Remote Access to MariaDB Database  (Read 429 times)

Allow Remote Access to MariaDB Database
« on: March 24, 2026, 01:26:58 PM »
Hello,

I can't seem to find anything related to enabling MariaDB remote access in the CWP user logon under the database section. Is the option hidden away somewhere else?

For a given MariaDB database in a particular account, how do you enable remote access so that you can connect to it from the local IP network, not the internet IP? I wish to use some remote management tools on a specific database.

Thanks.

Re: Allow Remote Access to MariaDB Database
« Reply #1 on: March 24, 2026, 03:52:26 PM »
Hello,

Today I managed to successfully connect to a specific MariaDB database on CWP and get the remote app working.

Thanks

Re: Allow Remote Access to MariaDB Database
« Reply #2 on: March 24, 2026, 09:48:10 PM »
For the record, that is generally regarded as a poor security practice. Usually, you only want to allow localhost connections to your MariaDB database as remote access greatly increases your attack surface (and desirability as a target). Of course, you could securely tunnel in and connect that way, but better to keep it locally to a unix socket and forget remote TCP/IP connections to MariaDB.

Re: Allow Remote Access to MariaDB Database
« Reply #3 on: March 25, 2026, 12:42:56 PM »
Hello overseer,

I have to disagree that allowing remote database access is poor security practice. Maybe if you are just using CWP for hosting websites or possibly for the inexperienced that might be true.

It is common practice to remote connect to MariaDB with advanced admin tools to manage the database. phpMyAdmin is only a very basic tool.

Many distributed apps use GUI form builders which connect to the database. Not all applications are web based and some don’t run on CWP or even on the same box but remotely.

Again, if you need database replication and/or clustering you also need remote access. Just because MariaDB runs on CWP does not mean you can't use these advanced technologies etc. CWP is very useful for running multi-tenant applications with backup replication.

I'm a cyber security expert and experienced database and software developer. I have properly configured the firewall rules and MariaDB user logon restrictions to only accept connections from specific local IP addresses and port numbers. And I have verified such settings by testing using various security apps. And I don't rely on CWP's firewall but have multiple firewalls from different vendors.

However I'm more concerned with CWP not rolling out regular security patches and instead focuses on changing the UI as job priority number one. That concerns me more.

Thanks.
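
Added example, not part of any post in this thread: a small offline audit of the two controls the posts above discuss, where MariaDB listens (`bind-address` / `skip-networking` in `[mysqld]`) and which hosts each account may connect from. It assumes you pass it the effective server configuration and the user/host pairs exported from the server; the sample values and verdict labels are constructed for illustration.

```python
import ipaddress
from itertools import takewhile
# RFC 1918 ranges; any other address is reported as "other" by this audit.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample input, not taken from any real server.
SAMPLE_CNF = "[mysqld]\nbind-address = 192.168.10.5  # LAN interface\nport = 3306\n"
SAMPLE_ACCOUNTS = [("app", "localhost"), ("admin_tool", "192.168.10.%"),
                   ("report", "%"), ("repl", "203.0.113.7")]

def in_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)

def parse_mysqld(cnf_text):
    """Options of the [mysqld] section; '_' and '-' in names are equivalent."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif line and section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip()
    return opts

def audit_listener(opts):
    """Classify where the server accepts TCP connections."""
    if "skip-networking" in opts:
        return "socket-only"
    addr = opts.get("bind-address")
    if addr in (None, "0.0.0.0", "::"):
        return "all-interfaces"  # an unset bind-address listens on every interface
    try:
        if ipaddress.ip_address(addr).is_loopback:
            return "loopback"
        return "rfc1918-address" if in_private(addr) else "other-address"
    except ValueError:
        return "review-hostname"

def audit_host(host):
    """Classify the host part of an account ('user'@'host')."""
    if host in ("localhost", "127.0.0.1", "::1"):
        return "local"
    fixed = list(takewhile(str.isdigit, host.split(".")))  # octets before any wildcard
    if not fixed:
        return "any-host" if host == "%" else "named-host"
    # The widest range the pattern can match must sit inside one RFC 1918 block.
    lo, hi = (".".join(fixed + [p] * (4 - len(fixed))) for p in ("0", "255"))
    try:
        return "rfc1918-range" if in_private(lo) and in_private(hi) else "other-range"
    except ValueError:  # octet above 255 or more than four octets
        return "review"
```

Run `audit_listener(parse_mysqld(SAMPLE_CNF))` and `audit_host(host)` for each pair in `SAMPLE_ACCOUNTS`; any account that is not `local` or `rfc1918-range` on a server that is not `socket-only` or `loopback` deserves a second look, alongside the firewall rules.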

Re: Allow Remote Access to MariaDB Database
« Reply #4 on: March 25, 2026, 09:57:56 PM »
In one sentence you say database access Should Be Public, but then you say you restrict access.

All control panels limit database access to only localhost by default, not just CWP. That is basic cyber security 101.

CWP has nothing to do with MariaDB. 2 different developers.

If you have the MariaDB.repo setup, then any updates & security patches will be applied.

Re: Allow Remote Access to MariaDB Database
« Reply #5 on: March 26, 2026, 07:05:12 AM »
Hello Starburst,

You need to read my post again.

In this thread only you have used the word "Public", not me. I have not suggested that MariaDB should be made public by default. That is disingenuous for you to suggest that! It undermines all the good work you have been doing helping others.

Yes I agree control panels do limit database access to localhost by default. However I have explained legitimate reasons for allowing restricted remote access to MariaDB. If you don’t use advanced database tools or GUI form builders or use database replication for backups etc that’s fine too. None of which can be achieved without restricted remote access to MariaDB on CWP.

Yes I agree CWP and MariaDB are developed by two different entities. However they are packaged together in the same platform (CWP) so you have to consider them both when doing cyber security risk analysis.

CWP has not been rolling out security patches and fixes or rolling out new versions of those core applications, therefore putting CWP security at risk. Some of those apps are EOL and are not being patched by updates anymore. I am more concerned about this problem than allowing restricted remote access to MariaDB.

However you and others have been helping users upgrade those apps on CWP and I thank you for providing that help.

CWP should be doing that work in their regular updates. So discussing both CWP and MariaDB's security is perfectly reasonable and acceptable.

Thanks.

Re: Allow Remote Access to MariaDB Database
« Reply #6 on: March 26, 2026, 02:29:10 PM »
I think we're all saying the same thing, just coming from different angles. I wasn't correcting you or your practices (specific use case). I was just wanting to put out a "for the record" notice for the sake of other new users and those wanting to reference the forum. In a normal use case, with CWP and other web hosting environments MariaDB is limited to local socket connections for security purposes. You can open it up from there with full knowledge & intent, keeping security in the forefront of your mind.

Re: Allow Remote Access to MariaDB Database
« Reply #7 on: March 26, 2026, 05:15:46 PM »
Hello overseer,

I completely agree with your summary in your last post — you said it perfectly.

Thanks.

Re: Allow Remote Access to MariaDB Database
« Reply #8 on: March 26, 2026, 07:05:32 PM »
@Andrew C

CWP's last release was on 2026-03-18 for patches & bug fixes.
Before that it was on 2026-02-18 & 2026-02-02.

They release patches about as often as other control panels.

But what's nice with CWP, the apps update their own versions, this helps keep CWP secure, as CWP only has to worry about 4 ports for the CWP interface.
Only one that really has to be done manually is Roundcube.

And with MariaDB, I was looking at your line "It is common practice to remote connect to MariaDB with advanced admin tools to manage the database."

From what I have seen, it is not common to remote connect to MariaDB.
Most users use scripts that are located on the same server.

Opening port 3306 is opening a security hole on the server, as it is opening any port.

See, I see you use, 'common practice' and the 'advanced admin tools' in the same sentence.
Those 2 don't really go together, as only a small rare portion would ever use 'advanced admin tools'.

It's not even common for users to ever use phpMyAdmin.
Usually at that point they would open a support ticket.

Re: Allow Remote Access to MariaDB Database
« Reply #9 on: March 27, 2026, 01:13:17 PM »
Hello Starburst,

Same old story - CWP may be rolling out silent updates but the change logs are not being published at regular intervals to document any changes made. If you are spending the time analysing the changes made by CWP to your servers by updates then please share and publish the details in the forum. Go on, create a forum thread and publish each time CWP rolls out a new update and document the details, I would be very happy to see that information in real time from you or CWP I don't mind.

I have come from the commercial world where lots of devops and system admins and database administrators and software developers all sit together in a very big building and support remote web hosts and remote databases and remote servers in various different ways. You or your customers may not remote access your servers in that way but the commercial world does it every day so it is common place. And to suggest otherwise is disingenuous.

I think CWP is great and it does everything I need at the moment. I just wish it had proper documentation and it was updated or patched every month. No one wants to pay a few dollars for CWP and then spend twenty hours a month keeping it updated and running and checking what has changed. You see my point.

I think you and overseer live in your own bubble and you don't consider others wanting to do more advanced things with CWP. If you choose not to remote admin into your CWP servers that's fine with me. You can tell that to your customers if you choose but don't suggest your way is the only or right way for everyone which is just not true.

Thanks.

Re: Allow Remote Access to MariaDB Database
« Reply #10 on: March 27, 2026, 11:51:44 PM »
GO use ANY other control panel, including freeware and COMMERCIAL WILL have MariaDB/MySQL on port 3306 locked down to localhost only.

We are back to basic cyber security 101.
And back to you stating it's "common place", which it is not.
If it was all the control panels would have it open, which again they do not due to security.

Yes, more advanced users who want to run clusters or load balancing would.
And would be running proxies directing traffic to workers, who in turn would connect to the database server via a private network in the background.

You also really would not be running a control panel at that point, and just a raw OS.

If you aren't running dnf update to keep your servers updated and secure, that is one job of a sys admin and/or a cyber security person.
That is not a waste of time.
Or you can even automate it, which could be a system script that could be run locally or via ansible.

You can't argue your way is correct and "common place", when all the control panels' defaults say and do the opposite...

There is no right or wrong way.
Just the default and custom application of what you are doing with the server(s).
« Last Edit: March 27, 2026, 11:56:47 PM by Starburst »

Re: Allow Remote Access to MariaDB Database
« Reply #11 on: March 29, 2026, 12:37:17 AM »
I think you and overseer live in your own bubble...
"I'm forever blowing bubbles, blowing bubbles in the air..."

Re: Allow Remote Access to MariaDB Database
« Reply #12 on: March 30, 2026, 06:23:40 AM »
Hello starburst,

Are you providing a CWP change log on the forum? That would be a huge benefit to the community.

If you read my earlier post I did say allow access to specific IP addresses on the local network and not the internet.

If users wish to use CWP with its default security they can. However if users want to allow remote access to their CWP servers then they can also do that if they choose. You have no right to say which solution is right or wrong as you don't know the details of how it's been implemented.

Thanks.

Re: Allow Remote Access to MariaDB Database
« Reply #13 on: March 30, 2026, 01:48:51 PM »
I was just correcting your multiple assertions in your posts, that it was "common place" to open up the MariaDB port to outside attacks...

That was a false statement, as it is NOT "common place". If it was, it would be the default setting.

And ONLY stated that the DEFAULT security setting on CWP, CyberPanel, HestiaCP, cPanel, and ALL other panels on installation, is that it is set to localhost only automatically.

Re: Allow Remote Access to MariaDB Database
« Reply #14 on: March 30, 2026, 02:49:01 PM »
Hello Starburst,

Yes it is common place to remote access servers and web hosts by professionals who know what they are doing. And no matter how many times you try to dismiss that fact I will correct you.

You need to turn off the gaslight and stop gaslighting people!

Thanks.