[MDEV-26179] Default settings are completely insecure Created: 2021-07-19  Updated: 2021-09-14

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Josh Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


Description

Lost a CentOS MariaDB instance to a ransomware attack and had to restore from backup. Noticed the attack was contained to MariaDB, which was listening on 0.0.0.0:3306 for anyone who might be interested in compromising my system.

Restored from backup and did a new install on a Debian system and found the mysql_secure_installation. This is not a good user journey for discovering your setup script.

The default MariaDB instance should be airgapped, not listening for anything.

Current mysql_secure_installation are terrifying but seem to be correct:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1354/mysqld         

I would rather not even see Maria listed there.



Comments
Comment by Daniel Black [ 2021-07-19 ]

Sorry for your CentOS MariaDB instance loss.

Your netstat shows that the Local Address is bound to 127.0.0.1:3306, which is effectively airgapped. It's installed that way because a number of database-using aspects connect to this TCP connection by default, and it provides a better default than 0.0.0.0:3306.

mysql_secure_installation is not a mandatory part of the installation path. It helps users gain confidence in a few of the slightly more usable/less secure aspects, but doesn't affect the network installation.

Don't both CentOS and Debian have default firewall rules blocking external inbound connections?

The default Debian install includes no users that can connect on TCP, only "localhost", aka a unix socket:
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/jobs/1765332

Are you after changing the CentOS or Debian installation (or both)? How did you install this? What versions?

We're not going to change the install to not bind to tcp at all as that will affect an existing application expectation.

What exactly do you want changed?

Comment by Josh [ 2021-07-20 ]

To be honest, I'm not sure how this happened, but wanted to file a bug to make sure it doesn't happen to anyone else. I'm double-checking everything on this new install.

After the attack on my CentOS instance, I checked the netstat output and was shown tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1172/mysqld, which I assume was the default on that platform. Looking very carefully this time around, I found mysql_secure_installation, which I guess is as secure as I could ask for.

I think what I'm asking for is to be completely certain that no default configurations on any platform listen on 0.0.0.0.

When I noticed the breakin, I also noticed that firewalld had failed to start. It's possible that daemon was what was protecting us from the MariaDB defaults for the three or four years it took for an attack to come through, but then the firewall failed for some unrelated reason. I don't think it's a good idea to assume that the firewall will protect users from bad actors trying to log into their database.

Comment by Otto Kekäläinen [ 2021-09-14 ]

What version of CentOS are you using? What version exactly of MariaDB were you running?

What do the following commands print on your system?

$ grep -rF bind /etc/mysql/
/etc/mysql/mariadb.conf.d/60-galera.cnf:#bind-address = 0.0.0.0
/etc/mysql/mariadb.conf.d/50-server.cnf:bind-address            = 127.0.0.1
 
$ mariadbd --print-defaults
mariadbd would have been started with the following arguments:
--socket=/run/mysqld/mysqld.sock --user=mysql --pid-file=/run/mysqld/mysqld.pid --basedir=/usr --datadir=/var/lib/mysql --tmpdir=/tmp --lc-messages-dir=/usr/share/mysql --lc-messages=en_US --skip-external-locking --bind-address=127.0.0.1 --expire_logs_days=10 --character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci
 
$ ss -pant | grep 3306
LISTEN     0        80              127.0.0.1:3306               0.0.0.0:*
 
$ telnet 127.0.0.1 3306
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
p
5.5.5-10.5.12-MariaDB-1:10.5.12+maria~bionic;I=54B2o��-[Z43C7)eBZ{"mysql_native_password^CConnection closed by foreign host.
 
$ telnet 192.168.0.20 3306
Trying 192.168.0.20...
telnet: Unable to connect to remote host: Connection refused

Replace 192.168.0.20 with your public IP address.

Any modern installation of MariaDB is secure out-of-the-box and there is no need for extra firewalls or to run the stupid and outdated mysql_secure_installation script.

If you think you have found some security issue, please be specific in reporting it.
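
The checks in the comment above (the active bind-address in the config and the socket listing) can be repeated in script form. The following is an added example, not part of the MariaDB project or of this issue; it reads "grep -rF bind" style config lines and "ss -Hlnt" output, ignores commented-out settings such as the 60-galera.cnf line, and flags any port-3306 listener that is not bound to loopback. The sample inputs are constructed for offline use.

```shell
#!/bin/sh
# Added example (not MariaDB project code): audit where mariadbd listens,
# using the same two sources as the comment above: config bind-address
# lines and ss listener output. Sample data at the bottom is constructed.

# Print the effective (uncommented) bind-address values from config lines.
# A commented line such as "#bind-address = 0.0.0.0" is ignored.
active_bind_addresses() {
  printf '%s\n' "$1" |
    sed -n 's/^[^#]*bind[-_]address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Classify one local address from ss output; returns 1 unless it is loopback.
classify_listener() {
  host="${1%:*}"                      # drop the ":port" suffix
  case "$host" in
    127.*|'[::1]')       echo loopback; return 0 ;;
    0.0.0.0|'[::]'|'*')  echo wildcard; return 1 ;;
    *)                   echo external; return 1 ;;
  esac
}

# Walk "ss -Hlnt" output (local address is column 4) for listeners on port $1.
# Returns 0 if every such listener is loopback-only, 1 otherwise.
audit_listeners() {
  port="$1" listing="$2" status=0
  addrs=$(printf '%s\n' "$listing" | awk -v p=":$port" '$4 ~ (p "$") { print $4 }')
  for addr in $addrs; do
    kind=$(classify_listener "$addr") || status=1
    echo "port $port listener $addr: $kind"
  done
  return $status
}

# Constructed sample data mirroring the outputs quoted in the comment above.
SAMPLE_CONFIG='/etc/mysql/mariadb.conf.d/60-galera.cnf:#bind-address = 0.0.0.0
/etc/mysql/mariadb.conf.d/50-server.cnf:bind-address            = 127.0.0.1'
SAFE_LISTING='LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'
UNSAFE_LISTING='LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

echo "active bind-address: $(active_bind_addresses "$SAMPLE_CONFIG")"
audit_listeners 3306 "$SAFE_LISTING"   && echo "safe listing: loopback only"
audit_listeners 3306 "$UNSAFE_LISTING" || echo "unsafe listing: exposed listener"
```

On a live host, feed it `grep -rF bind /etc/mysql/` and `ss -Hlnt` output instead of the constructed strings.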

Generated at Thu Feb 08 09:43:20 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.