Friday, November 15, 2024
Google search engine
HomeData Modelling & AImysql_secure_installation Script

mysql_secure_installation Script

Introduction

MySQL is an open-source relational database management system and part of the popular LAMP stack. The mysql_secure_installation script allows you to significantly improve MySQL server security.

In this guide, you will learn to secure a MySQL server.

Note: MariaDB is a popular fork of MySQL. The information provided in this article applies to MariaDB as well.

Securing a MySQL server using the mysql_secure_installation script.Securing a MySQL server using the mysql_secure_installation script.

Prerequisites

Note: Deploy a MySQL database instance on one of our pre-configured Bare Metal Cloud instances for superior performance, starting at only $0.10/h.

mysql_secure_installation Command

After installation, the MySQL server instance on your machine is insecure and susceptible to attacks. mysql_secure_installation is a shell script developed for securing the MySQL server installation on Unix systems. The script configures security settings and allows you to:

The [option] arguments are optional and discussed in the following section.

Note: Can’t decide which database solution to use? Read our comparison article on MongoDB vs. MySQL and PostgreSQL vs. MySQL to help you make up your mind.

1. Execute the mysql_secure_installation script using the following syntax:

sudo mysql_secure_installation [option]

2. Type your password and press Y to set up the VALIDATE PASSWORD component which checks whether the new password is strong enough.

3. Next, enter 01, or 2 depending on the password strength you want to set :

  • 0 – Low. The password consists of at least 8 characters.
  • 1 – Medium. The password consists of at least 8 characters (including numeric, mixed case, and special characters).
  • 2 – Strong. The password consists of at least 8 characters (including numeric, mixed case, and special characters, and compares the password to a dictionary file).

4. Once you specify the required strength, enter and re-enter the password.

Secure MySQL on Ubuntu.Secure MySQL on Ubuntu.

5. The program evaluates the strength of your password and requires confirmation with Y to continue.

MySQL estimating the password strength. MySQL estimating the password strength.

6. Next you need to answer the following security features:

  • Remove anonymous users?
  • Disallow root login remotely?
  • Remove test database and access to it?
  • Reload privilege tables now?

To run the script with the default setting, the recommended answer to all these questions is Y.

mysql_secure_installation Options

The mysql_secure_installation script accepts certain options that customize MySQL security configurations. Specify the options in the command line or in the [client] group of the option file.

Note: MySQL can read startup options from option files (also called configuration files). To check whether the program reads option files, use the mysql --help command. If the program reads option files, the output indicates the name of the files and which option groups it recognizes. Open the file and add the wanted options to the [client] group. It will be read by all MySQL clients, and the options specified will apply to all clients.

The most commonly used mysql_secure_installation options are --host and --port.

For example, you can configure MySQL to permit IPv6 connections by clients that connect to the local server using port 3307. To do so, you need to add the ::1 local host address and change the default port (3306) to 3307.

Therefore, when running the installation script, you would use the command:

mysql_secure_installation --host=::1 --port=3307

Other supported options include:

--basedir=dir Specify the base directory.
--print-defaults Print the program argument list and exit.
--no-defaults Prevents the script from reading the default options from any option file.
--defaults-file=# Instructs the script to read only the specified option file #.
--defaults-extra-file=# Reads the specified file # after reading the usual option files.
--defaults-group-suffix=str Reads the usual option groups, but also groups with the usual names and a str suffix.
--help Displays a help message and exits.
--host=host_name Connects to the MySQL server on the specified host.
--no-defaults Prevents script from reading option files (except .mylogin.cnf file).
--password The script accepts this option but always ignores it. Hence, the script prompts for a password whenever invoked.
--port=# Specify the TCP/IP port number to connect to.
--print-defaults Prints the program name and the default options.
--protocol={#} Specify a transport protocol to use for connecting to the server {TCP | SOCKET | PIPE | MEMORY}.
--socket=path Specify the Unix socket file or Windows named_pipe variable to connect to localhost.
--ssl=[1 | 0] Enables or disables connection encryption, respectively. The options beginning with --ssl can also indicate the path to SSL keys and certificates.
--ssl-ca=filename Specify the file containing the trusted SSL Certificate Authorities list.
--ssl-capath=dir Specify the directory path containing trusted SSL Certificate Authority certificate files.
--ssl-cert=filename The path to the file containing the client SSL public key certificate.
--ssl-cipher=list A list of permissible ciphers for connection encryption.
--ssl-crl=filename The path to the file containing certificate revocation lists.
--ssl-crlpath=dir The directory containing certificate revocation list files.
--ssl-key=filename The path to the file containing the client SSL private key certificate.
--ssl-mode=mode Specify one of the server connection security states, in order of increasing strictness: [DISABLED | PREFERRED | REQUIRED | VERIFY_CA | VERIFY_IDENTITY].
--ssl-verify-server-cert Instruct the client to verify host name identity against the server certificate containing the Common Name identity.
--tls-version=list Specify a comma-separated list of permissible TLS protocols for encrypted connections.
--use-default The script executes without interaction.
--user=username Specify the MySQL account user name for connecting to the server.

Conclusion

This guide showed how to improve MySQL server security in Linux. After securing MySQL, we recommend improving MySQL performance to ensure a smooth server operation.

Continue learning about MySQL in our article on important MySQL commands that includes a downloadable cheat sheet.

Was this article helpful?
YesNo

RELATED ARTICLES

Most Popular

Recent Comments