wsani
Nov 16 2004, 04:22 PM
I have a client that's using a third party software to administer his SQL database. It requires me to leave port 3306 open but I don't feel comfortable doing this. Are there any serious known issues with leaving it open?
Thanks,
Will
Blue|Fusion
Nov 16 2004, 04:40 PM
Well I sort of have mine open. I run a program off my PC to DJ music (SAM2) using the MySQL server on my box, along with MySQL Administrator which is rather nice to run everything. I set up APF to only allow incoming and outgoing traffic through that port to my IP here at home. It changes very rarely (every 5-7 months...even though it's considered dynamic :-D) so I don't have to change it often.
I would say that as long as he has a static IP (or at least one that changes rarely), set his IP in your firewall's allow list for port 3306. Only his traffic will be allowed through, all the rest is cut off at the firewall.
wmshub
Nov 21 2004, 01:58 AM
Instead of opening port 3306, it's a lot safer to add ssl port forwarders on another port. Then the client just needs to add a matching ssl forwarder on their system, and they'll be able to administer remotely just like now, but all data will be encrypted and it will be a little bit harder to break into (a lot harder to break into if this client is doing dumb things like updating the mysql passwords via port 3306).
In addition you should always use iptables to limit the source IP addresses that can connect to a port like this. If you don't want the whole world to talk to the port, always use iptables to guarantee that it won't.
With SSL+iptables, you should be as safe as a remotely administered mySQL system can be.
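
The source-IP restriction recommended in the replies above, sketched with iptables as an added example that is not part of any post in this thread. The addresses are constructed documentation addresses, and appending to the INPUT chain is an assumption about the existing rule set; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints (does not run) iptables rules that allow TCP 3306
# only from listed IPv4 addresses and drop all other traffic to that port.

MYSQL_PORT=3306

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # stray chars or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into this function's positional params
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the given allow-list. Every address is validated
# first, so a typo yields an error instead of a partial rule set.
mysql_allow_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $MYSQL_PORT -j ACCEPT"
    done
    # Final rule: anyone not matched above is cut off at the firewall.
    echo "iptables -A INPUT -p tcp --dport $MYSQL_PORT -j DROP"
}

# Constructed sample allow-list (RFC 5737 documentation addresses).
mysql_allow_rules 203.0.113.10 198.51.100.7
```

Order matters: the ACCEPT rules must come before the DROP rule, and with an empty allow-list the function emits only the DROP rule.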