{"id":775,"date":"2012-09-10T00:24:23","date_gmt":"2012-09-10T06:24:23","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=775"},"modified":"2019-10-30T05:43:04","modified_gmt":"2019-10-30T11:43:04","slug":"how-to-secure-mysql-in-linux-system","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-secure-mysql-in-linux-system\/","title":{"rendered":"How to Secure Mysql in Linux system ?"},"content":{"rendered":"
an secure Mysql service using the following methods.<\/div>\n
1. Restrict anonymous remote access :- Which meansnever provide grant access from all hosts. It must limit to specific users from specific hosts only. Do not grant the SUPER privilege and FILE privilege to non-administrative users. Any user who has this privilege can write a file anywhere in the file system with the privileges of the mysqld daemon.<\/div>\n
2. Improve local security :- To improve local security use different socket file for both client and server connections. For that edit and add following line in the [client] section of \/etc\/my.cnf:<\/div>\n
[client]<\/div>\n
socket = \/tmp\/mysql.sock<\/div>\n
Also the following parameter should be added in the [mysqld] section in \/etc\/my.cnf:<\/div>\n
set-variable=local-infile=0<\/div>\n
3. Change admin password :- This is the most important step in securing MySQL is changing the database administrator’s(root) password, which is empty by default. Below are the steps to change administrator password.<\/div>\n
mysql -u root mysql> SET PASSWORD FOR root@localhost=PASSWORD(‘new_password’);<\/div>\n
4. Change admin name :- It is strongly recommending to change the default name of administrator’s account (root), to a different for the more security. Such a change will help to prevent from the brute-force and dictionary attacks on the administrator’s password.<\/div>\n
mysql> update user set user=”mysqluser” where user=”root”; mysql> flush privileges;<\/div>\n
5. Remove history :- We also recommended to remove the content of the MySQL history file (~\/.mysql_history, ~\/.history, ~\/.bash_history,~\/.mysql_history) in which having all executed SQL commands (especially passwords are stored in this as plain text).<\/div>\n
6. User Access Privileges :- Create accounts for specific databases which will be used by specific applications, so accounts should have access rights only to the databases which are used by the specific applications. In particular,they no longer will have any access rights to the mysql database, nor any system or administrative privileges (FILE, GRANT, ALTER, SHOW DATABASE, RELOAD, SHUTDOWN, PROCESS, SUPER etc.). Any Application user should not granted all privileges to database with Grant option from any host.<\/div>\n
7. Disable remote access :- Only few applications on the same server will be allowed to access the database. So we need MySQL not to even listen on port 3306 for TCP connections like it does by default.<\/div>\n
Edit \/etc\/my.cnf and uncomment the skip-networking line (comment the leading #).<\/div>\n
8. Remove default users\/db :- Remove the sample database (test) and all accounts except the local root account:<\/div>\n
mysql> drop database test;<\/div>\n
mysql> use mysql;<\/div>\n
mysql> delete from db;<\/div>\n
mysql> delete from user where not (host=”localhost” and user=”root”);<\/div>\n
mysql> flush privileges;<\/div>\n
This is why because it will prevent the database from establishing anonymous connections and irrespective of the skip-networking parameter in \/etc\/my.cnf remote connections as well.<\/div>\n

We can secure Mysql service using the following methods.<\/p>\n

1. Restrict anonymous remote access :-<\/strong> Which meansnever provide grant access from all hosts. It must limit to specific users from specific hosts only. Do not grant the SUPER privilege and FILE privilege to non-administrative users. Any user who has this privilege can write a file anywhere in the file system with the privileges of the mysqld daemon.<\/p>\n

2. Improve local security :-<\/strong> To improve local security use different socket file for both client and server connections. For that edit and add following line in the [client] section of \/etc\/my.cnf:<\/p>\n

[client]<\/p>\n

socket = \/tmp\/mysql.sock<\/p><\/blockquote>\n

Also the following parameter should be added in the [mysqld] section in \/etc\/my.cnf:<\/p>\n

set-variable=local-infile=0<\/p><\/blockquote>\n

<\/p>\n

3. Change admin password :- <\/strong>This is the most important step in securing MySQL is changing the database administrator’s(root) password, which is empty by default. Below are the steps to change administrator password.<\/p>\n

mysql -u root mysql> SET PASSWORD FOR root@localhost=PASSWORD(‘new_password’);<\/p><\/blockquote>\n

4. Change admin name :-<\/strong> It is strongly recommending to change the default name of administrator’s account (root), to a different for the more security. Such a change will help to prevent from the brute-force and dictionary attacks on the administrator’s password.<\/p>\n

mysql> update user set user=”mysqluser” where user=”root”; mysql> flush privileges;<\/p>\n

5. Remove history :-<\/strong> We also recommended to remove the content of the MySQL history file (~\/.mysql_history, ~\/.history, ~\/.bash_history,~\/.mysql_history) in which having all executed SQL commands (especially passwords are stored in this as plain text).<\/p>\n

6. User Access Privileges :-<\/strong> Create accounts for specific databases which will be used by specific applications, so accounts should have access rights only to the databases which are used by the specific applications. In particular,they no longer will have any access rights to the mysql database, nor any system or administrative privileges (FILE, GRANT, ALTER, SHOW DATABASE, RELOAD, SHUTDOWN, PROCESS, SUPER etc.). Any Application user should not granted all privileges to database with Grant option from any host.<\/p>\n

7. Disable remote access :-<\/strong> Only few applications on the same server will be allowed to access the database. So we need MySQL not to even listen on port 3306 for TCP connections like it does by default.<\/p>\n

Edit \/etc\/my.cnf and uncomment the skip-networking line (comment the leading #).<\/p>\n

8. Remove default users\/db :-<\/strong> Remove the sample database (test) and all accounts except the local root account:<\/p>\n

mysql> drop database test;<\/p>\n

mysql> use mysql;<\/p>\n

mysql> delete from db;<\/p>\n

mysql> delete from user where not (host=”localhost” and user=”root”);<\/p>\n

mysql> flush privileges;<\/p><\/blockquote>\n

This is why because it will prevent the database from establishing anonymous connections and irrespective of the skip-networking parameter in \/etc\/my.cnf remote connections as well.<\/p>\n

If you require help, contact SupportPRO Server Admin<\/a><\/p>\n

\"Server<\/a><\/span>