> For all open ports and resources, of maybe your hackathon project have a username and password…
Levin Keller

> Oh and one last thing: All these attacks happen permanently on corporate internal networks too.

Yes, we suspect these networks to be kind of safe zones. They are not.

> Instead of encryption and passwords (which is snakeoil in this scenario) just install ufw and be happy.

Since the port closing in UFW applies to ALL database connections, how, without a username, will you discriminate mysql://evil@hacker:yourip:yourport#hackathondb from mysql://admin@totallylegitcredentials:yourip:yourport#workdb?

You won't, because you can't. In your scenario, UFW just lets all traffic pass, the database is not authing, traffic from any local network is allowed, and still you lose the database. Password: not snakeoil in this case. Ah yeah, you seem not to be in favor of deleting work data for the hackathon.

> Another thing on SSL: There is no encryption without authentication. How would you make sure, you are connecting to the right service with a correct certificate on a local network? You would have to make your own CA and stuff.

Good that you mention it. I would work with named hosts, and start right here. If you bring a loaded gun to a playground, I expect you to know the safety switches. But until then: just use the S variant of the protocol. It is there. And it is important.