We are currently running two servers. One of the servers is solely dedicated to the MySQL database. My question is: would it be a good idea to have the MySQL port on a different one than the standard 3306, just so that hackers would have a hard time finding it?
I know that they can always scan the ports, and we will block all port access from the outside world using portsentry, but I was wondering whether that extra level of security would be achieved by running on a different port number.
Changing port numbers for servers is kind of like parking your car behind the house instead of in the garage. It makes it a little harder to find, but if someone wants to steal it, they're going to find it.
If you're concerned about security, it's far better to run MySQL on the local server, and communicate to it through a socket. Then you can turn off the TCP port entirely.
I'm talking about turning off TCP access for the database server process, not the web server.
If you run the database server on the local machine, your application can talk to it through a UNIX socket. Then, there's no need to have the database server run on a TCP port that's accessible to the outside world.
Of course, if the server gets busy enough, the database server will probably need to be moved to a separate machine.
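The two settings the answer contrasts can be checked directly in the server's option file. The following audit function is an added example, not code from either poster: given the text of a `my.cnf`, it reports whether the `[mysqld]` listener is switched off (`skip-networking`, which leaves only the UNIX socket), restricted to loopback via `bind-address`, or reachable on whatever interface the host exposes. The three option-file fragments are constructed sample input; MySQL accepts option names with either dashes or underscores, so both spellings are normalised before comparison. Note that a non-default `port` value never changes the verdict, which is the point made above about moving the port.

```python
import configparser

# Constructed my.cnf fragments used as sample input (not taken from the thread).
WEAK_CNF = """
[mysqld]
port = 3307
bind-address = 0.0.0.0
"""

HARDENED_CNF = """
[mysqld]
# TCP listener off entirely; clients must use the local UNIX socket.
skip-networking
socket = /var/run/mysqld/mysqld.sock
"""

LOOPBACK_CNF = """
[mysqld]
bind_address = 127.0.0.1
"""


def _parse(cnf_text: str) -> configparser.ConfigParser:
    """Parse MySQL option-file syntax with configparser.

    allow_no_value handles bare flags such as `skip-networking`; the custom
    optionxform folds `bind-address` and `bind_address` to one key, because
    the server treats dash and underscore forms as the same option.
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None
    )
    parser.optionxform = lambda key: key.lower().replace("-", "_")
    parser.read_string(cnf_text)
    return parser


def tcp_exposure(cnf_text: str) -> str:
    """Classify the [mysqld] TCP listener: 'disabled', 'loopback' or 'exposed'."""
    cfg = _parse(cnf_text)
    if not cfg.has_section("mysqld"):
        # No overrides: server defaults to TCP on 3306 on all interfaces.
        return "exposed"
    section = cfg["mysqld"]

    if "skip_networking" in section:
        value = section.get("skip_networking")
        # A bare flag (value None) or an explicit ON/1 disables the listener.
        if value is None or value.strip().lower() in ("", "1", "on", "true"):
            return "disabled"

    bind = (section.get("bind_address") or "").strip().lower()
    if bind in ("127.0.0.1", "::1", "localhost"):
        return "loopback"

    # Any other binding (0.0.0.0, ::, a LAN address, or unset) is reachable
    # from other hosts; the port number does not change that.
    return "exposed"


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF),
                       ("loopback", LOOPBACK_CNF)):
        print(f"{label}: {tcp_exposure(cnf)}")
```

The function reads only the option file, so it says nothing about host firewall rules such as the portsentry setup mentioned in the question; it is a complement to that layer, confirming that the database itself is not offering a network listener in the first place once the application and server share a machine.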