2003 | ERROR | Tier 1 — Safe | ✅ HIGH confidence

Can't connect to MySQL server on host

Category: Connection

Versions: All MariaDB / MySQL versions

🔴 Production Risk Error

HIGH — complete connection failure from all remote clients.

What this means

Client error 2003 is returned when the client cannot establish a TCP connection to the MySQL/MariaDB server on the specified host and port. Unlike 2002 (socket), this error is for TCP connections — usually to a remote host or explicit port.

Why it happens

  1. MariaDB/MySQL server is not running on the remote host
  2. Server is bound to 127.0.0.1 only (bind-address) and a remote client is trying to connect
  3. Firewall (iptables, ufw, cloud security group) is blocking port 3306
  4. Wrong hostname or port specified in the connection string
  5. Server has not been configured to accept remote connections

How to reproduce

Connecting to a remote DB host that is not accepting connections.

trigger — this will ERROR
mysql -h db.example.com -P 3306 -u appuser -p
ERROR 2003 (HY000): Can't connect to MySQL server on 'db.example.com' (111)

Fix 1: Change bind-address to allow remote connections

When the server is bound to localhost only.

fix
# In my.cnf / server.cnf under [mysqld]:
# bind-address = 0.0.0.0
# or comment out bind-address entirely.
# Then restart MariaDB.

Why this works

By default MariaDB listens on 127.0.0.1 only. Setting bind-address = 0.0.0.0 (or the server's specific IP) allows external connections.

Fix 2: Open port 3306 in the firewall

When the server is running but the port is blocked.

fix
# UFW:
sudo ufw allow from 203.0.113.0/24 to any port 3306

# iptables:
sudo iptables -A INPUT -p tcp --dport 3306 -s 203.0.113.0/24 -j ACCEPT

Why this works

Restrict firewall access to known client IP ranges rather than opening port 3306 to the world.

What not to do

Open port 3306 to 0.0.0.0/0 in production

Why it's wrong: Exposes the database directly to the internet — a primary attack vector for credential brute-force and exploit attempts.

Dangerous variant

⚠️ Warning

Publicly exposed MySQL/MariaDB on port 3306 with weak credentials is one of the most common ransomware attack vectors.
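
A check for the exposure described above, as an added example that is not part of the original page: it reads my.cnf text and `iptables -S` output and reports whether Fix 1 and Fix 2 together have left port 3306 reachable from any source. The function names and sample inputs are constructed for illustration; only firewall rules that name a destination port are examined, and negated matches are not parsed.

```python
import ipaddress
import shlex

def bind_address(cnf_text):
    """Last bind-address set under [mysqld] in my.cnf text, or None if unset."""
    section = value = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.replace("_", "-").lower() == "bind-address":
                value = val
    return value

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" or a hostname
        return addr.lower() == "localhost"

def listens_remotely(addr):
    """True unless every configured address is loopback; unset means all interfaces."""
    return addr is None or not all(_is_loopback(a.strip()) for a in addr.split(","))

def world_open_rules(iptables_s, port=3306):
    """INPUT ACCEPT rules in `iptables -S` output that name `port` and allow any source."""
    hits = []
    for rule in iptables_s.splitlines():
        tok = shlex.split(rule)
        opts = dict(zip(tok, tok[1:]))  # each flag mapped to the token after it
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-A") != "INPUT" or opts.get("-j") != "ACCEPT" or not spec:
            continue  # rules without a destination port are out of scope here
        covers = any(int(lo) <= port <= int(hi or lo)
                     for lo, _, hi in (p.partition(":") for p in spec.split(",")))
        src = opts.get("-s", "0.0.0.0/0")  # no -s means any source
        if covers and ipaddress.ip_network(src, strict=False).prefixlen == 0:
            hits.append(rule)
    return hits

def internet_exposed(cnf_text, iptables_s, port=3306):
    """True when the server listens beyond loopback and the firewall admits any source."""
    return listens_remotely(bind_address(cnf_text)) and bool(world_open_rules(iptables_s, port))

SAMPLE_CNF = "[mysqld]\nbind-address = 0.0.0.0  # Fix 1 applied\n"  # constructed sample
SAMPLE_RULES = """-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT"""  # constructed sample
```

On a real host, pass the contents of the server's config file and the output of `sudo iptables -S`; any rule returned by `world_open_rules` should be narrowed to the known client range, as in Fix 2.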

Sources

📚 Official docs: https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/

🔧 Source ref: MySQL Client error 2003 / CR_CONN_HOST_ERROR

📖 Further reading: MariaDB Remote Client Access

📖 Further reading: MariaDB bind-address

Confidence assessment

✅ HIGH confidence

Stable.

⚙️ This error reference was generated with AI assistance and reviewed for accuracy. Examples are provided to illustrate common scenarios and may not cover every case. Always test fixes in a development environment before applying to production.