root@localhost allows a root user to connect to mysql locally from the DB server using the mysql socket file.
root@127.0.0.1 allows a root user to connect to mysql locally from the DB server using the TCP/IP protocol. (Trust me, you will be needing this one. MySQL has a nasty bug in it. The bug sometimes causes the mysql socket file to disappear rendering root@localhost useless. You will need to connect using root@127.0.0.1 if this ever happens to you)
root@server.domain.lan allows a root user to connect to mysql from server.domain.lan using DNS (Dynamic Naming Services)
You could create root@'%' but I highly recommend you do not.
I would also recommend using a different password for each root user.
Enable SSL (Do this in addition to options below)
Besides the options listed below you should also enable SSL on your MySQL database. Otherwise usernames/passwords will be sent over the internet in plaintext. Based on your use case if a developer is sitting at a Starbucks and connects to your database (without SSL) then anybody could eavesdrop and steal the credentials to login.
You can read more about setting up SSL on MySQL here: http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
Option 1 - Bastion Host
One approach to allow you to lock down access to your database is to setup a bastion host. The bastion host could be setup to allow connections from any IP address and your database would be setup to only allow connections from the bastion host. Basically it's like a proxy server.
The standard setup for it is to use a *nix machine with each developer having SSH access with key based authentication but no command execution privileges. Each developer could then SSH to the bastion and forward a port to the DB server but not execute anything else.
Securing the bastion becomes much easier than securing the DB server itself as authentication is done via SSH keys (vs passwords) and thus cannot be brute forced. Also, it doesn't matter that your MySQL server is running on Windows, only the bastion host needs to be *nix.
Option 2 - fail2ban (equivalent)
If you were running on a *nix OS I'd recommend running fail2ban. It's a daemon that scans your log files for unusually activity and sets up IP block rules based on it. For example you can configure it to blacklist IP addresses that are repeatedly trying to login to a website by having it scan the access logs.
You mention that your server is running Windows so fail2ban itself won't run on it (it's *nix only) but it looks like some other folks have tried similar things. I haven't tried either of these approaches so can't vouch for them but you could try them out:
- https://serverfault.com/questions/27757/does-fail2ban-do-windows
- https://serverfault.com/questions/43360/cygwin-sshd-autoblock-failed-logins
In both cases I think you'd have to tweak it to work with MySQL (it's setup to protect sshd).
Option 3 - JackDB
Full Disclosure: I'm the founder of JackDB
If your remote developers are connecting to your database to query/analyze/debug it via a database client then then you could have them use JackDB. It's a database client that runs entirely in your web browser.
Once it's setup, you could set up your firewall to only allow remote access from JackDB's IP address (it's a single static IP address) and your developer's could then use it to access an query your database. Your DB server would then be firewalled from the rest of the internet.
Note that this will only be a viable solution if your remote developers will only be executing SQL commands against the database and not remotely developing against it. JackDB allows you to run any SQL (SELECT, INSERT, UPDATE, DELETE, etc) but it does not allow for programmatic access for custom programs (it's a database client, not a driver interface).
You can read more about it and try it out here: http://www.jackdb.com/
Best Answer
Yes, the server would still be accepting remote connections. And yes, it probably did what it was supposed to do.
mysql_secure_installation
doesn't setbind-address=127.0.0.1
neither in MariaDB nor in MySQL. It does however allow you to remove root accounts that are accessible from outside of localhost, as you have already done.If you don't have any database users with host != localhost, then remote login shouldn't be possible. You can of course also block the MariaDB server port in your firewall.