Securing Mysql and MariaDB is important because of their widespread use as the world’s most popular and fastest open source free and open source database.
The default installation of Mysql has several major security flaws that should be fixed by you as a server administrator. This is not due to security holes in Mysql itself, but it is just a matter of configuring the server and basic settings.
Securing Mysql will actually affect the entire server security. The hacker will try to guess the database administrator password with attacks like Bruteforce. Well, you definitely know that having a root database password can completely destroy your server.
Secure Mysql by installing it securely MariaDB
The first step after installing mysql by default is to secure the administrator password. The script will come with mysql installation so you can upgrade your basic Mysql installation to a more secure one.
With the following script you can control the security of the database through 3 parameters.
- Insert password for root database user if no password is set during installation.
- Block Remote Access to Root Users
- Remove anonymous username and access anonymously and guests
After running the script you will be asked questions that you can control for each of the above by pressing the Y / n buttons.
You can only connect to Mysql through localhost access
Database is a server-side service that is not directly related to the user and is a so-called Backend server, so there is no reason to access it via Remote.
To make Mysql secure and restrict access, simply open the mysql config file with an editor.
vi /etc/my.cnf [RHEL / CentOS] vi /etc/mysql/my.conf [Debian / Ubuntu] vi /etc/mysql/mysql.conf.d/mysqld.cnf [Debian / Ubuntu]
Then add the following line in the [mysqld] section.
bind-address = 127.0.0.1
Disable LOCAL INFILE on Mysql
You must disable local_infile in Mysql to disable file system access. To do so, simply enter the following in the [mysqld] section.
local-infile = 0
Change the default port of Mysql
The default port for the Mysql service is TCP protocol number 2, which is better to prevent the port from being changed to a higher number than range 2.
Port = 5564
Enable Mysql Log Service
One of the most important files of any service is its log file or log. This file will record all the events that will occur on this service by the hacker.
When something happens to the server, you can detect any suspicious activity on the service with this file.
In the [mysqld] section, configure the following line to introduce the log file path file.
log = / var / log / mysql.log
Change access to important Mysql files
Another thing to do for Mysql security is to change access to important files in this service.
Entering the following command will only allow read-only access to non-owner users.
chmod 644 /etc/my.cnf
All commands entered for the Mysql service in the mysql_history file. Caching will include sensitive information such as the username and password of all users you have created on the server.
The following command will completely erase this file’s information.
cat / dev / null> ~ / .mysql_history
Do not execute Mysql commands through the terminal
Because all Linux commands are stored in history files, no critical information, including usernames, should be executed in the shell environment. With hacker access to the system and a review of the bash_history file. It will be easy to see the users password.
For example, if you enter the following command into the Linux terminal, the hacker will find the Root user password by viewing the history file as Clear Text.
mysql -u root -ppassword
Entering history will display the last command for you as follows.
The best way to connect to mysql is to request a password from Interactive by shell.
mysql -u root -p
Specific access for each user only to a separate system
Each user within Mysql must have access to a specific database only and the accesses for the respective user must be defined separately.
mysql -u root -p CREATE DATABASE wordpress_db; CREATE USER 'wp_admin' @ 'localhost' IDENTIFIED BY 'wp @ admin%! 2'; GRANT ALL PRIVILEGES ON wordpress_db. * TO 'wp_admin' @ 'localhost'; PRIVILEGES FLOW; exit
And always keep this in mind that a user who does not control a program in the database and is useless should be removed from the system.
Using plugins and security libraries
To enhance the security of Mysql and MariaDB you can use the many plugins and libraries provided by the developer at the same time on your database.
Below is a list of these plugins that provide more accurate controls on access, passwords, and more.
Periodically change your Mysql password
It is advisable to periodically change the Mysql password periodically with the following commands to prevent system password from being compromised for any reason due to security policies.
USE mysql; UPDATE user SET password = PASSWORD ('YourPasswordHere') WHERE User = 'root' AND Host = 'localhost'; PRIVILEGES FLOW;
Updating the Mysql package constantly
One of the best things any server administrator can do to secure services is to regularly update the software, with the patches and kernel updates coming up, you can update the Mysql / MariaDB Linux repository by entering the following commands depending on your distribution.
yum update apt update
After doing all of the above to ensure Mysql security, reboot your database service by entering one of the following commands to make changes to the service.
systemctl restart mariadb # RHEL / CentOS systemctl restart mysql # Debian / Ubuntu