Hardening (securing) MySQL on a Linux server

MySQL is the most widely used open-source relational database management system (RDBMS), based on the Structured Query Language (SQL).
MySQL is a component of the widely used open-source LAMP web application stack. LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python."

1. MySQL server installs with the following management tool:


To secure your MySQL installation, simply run the script /usr/bin/mysql_secure_installation, which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them.
This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

All done! If you've completed all of the above steps, your MySQL installation should now be secure.

2. To set the MySQL root user password manually:

Setting the root password ensures that nobody can log into the MySQL root user without the proper authorization.

To do so, start the server, then issue the following commands:

3. Rename the root user of MySQL:

Alternatively, you can rename the default root user, which will make it even harder for anyone performing brute-force attacks on the root password:

You can also change the password for newuser using the “mysqladmin” command:
# mysqladmin -u username -p password newpass

4. Disable remote access to MySQL:

Edit the main configuration file "/etc/my.cnf" and insert line "skip-networking" under "[mysqld]" section.

If you need to access this database from another machine, log in through SSH to this machine, then to MySQL.

Also, ensure that the "/var/lib/mysql" data directory and the "/var/log/mysqld.log" log file are owned by the mysql user and group.

5. Clear mysql_history file:

mysql_history contains all commands executed in the mysql shell. For example, the history may contain all newly created database names and their corresponding passwords.

6. Change the MySQL default port number 3306:

To check the default port mysqld is listening on:

Check if port 3456 is free and add the line "port=3456" in /etc/my.cnf under the [mysqld] section:

To activate the changes, restart the mysqld service.
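
To verify the settings from steps 4 and 6 after editing the file, the following added example (not part of the original article) audits a my.cnf-style file. The function names mysqld_option and audit_mycnf and the sample file are constructed for illustration; it assumes only the [mysqld] section of a single file matters and does not follow !include directives or other option groups.

```shell
#!/bin/sh
# Added example: audit a my.cnf-style file for steps 4 and 6. Names are illustrative.

# Print the effective value of option $2 in the [mysqld] section of file $1.
# A bare flag prints "ON"; returns 1 if the option is absent from [mysqld].
mysqld_option() {
    awk -v key="$2" '
        function norm(s) { gsub(/_/, "-", s); return s }           # - and _ are equivalent
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                                     # full-line comment
        /^[ \t]*\[/ {                                              # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_sec = (trim(sec) == "mysqld"); next
        }
        in_sec {
            line = $0; sub(/[ \t]+#.*$/, "", line)                 # trailing comment
            n = index(line, "=")
            if (n) { k = trim(substr(line, 1, n - 1)); v = trim(substr(line, n + 1)) }
            else   { k = trim(line); v = "ON" }
            if (k != "" && norm(k) == norm(key)) { val = v; found = 1 }  # last wins
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# Check skip-networking (step 4) and a non-default port (step 6); 0 = both pass.
audit_mycnf() {
    rc=0
    val=$(mysqld_option "$1" skip-networking) || val=OFF
    case "$val" in
        0|[Oo][Ff][Ff]|[Ff][Aa][Ll][Ss][Ee])
            echo "FAIL skip-networking is not enabled under [mysqld]"; rc=1 ;;
        *)  echo "PASS skip-networking is enabled under [mysqld]" ;;
    esac
    port=$(mysqld_option "$1" port) || port=3306
    if [ "$port" = "3306" ]; then echo "FAIL mysqld port is the default 3306"; rc=1
    else echo "PASS mysqld port is $port"; fi
    return "$rc"
}

# Constructed sample: the [client] port and the commented-out flag must be ignored.
sample=$(mktemp)
printf '%s\n' '[client]' 'port=3306' '[mysqld]' '# skip-networking' \
    'skip_networking' 'port = 3456   # moved off the default' > "$sample"
audit_mycnf "$sample"
rm -f "$sample"
```

When skip-networking is enabled mysqld does not listen on TCP at all, so the port check only matters on hosts where networking stays on.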
