Securing MySQL Server
There is a great deal of literature about how to properly secure MySQL
depending on your intended use and circumstances. The MySQL Reference
Manual is an excellent place to start.
In these instructions we assume that MySQL should be reachable only from
the local host (not by other clients over the network) and that 'root'
level access should be kept to the absolute minimum.
1. Always start mysql for local access only. As root, edit
/etc/init.d/mysql and find the line that actually runs mysqld_safe.
Add the "--skip-networking" option (use the full name; there is no
"--skip-network" option). The result should look something like:
$bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file
--skip-networking &
Stop and restart mysql:
/etc/init.d/mysql stop
/etc/init.d/mysql start
With networking skipped, mysqld does not listen on any TCP port, so local
clients must connect through the Unix socket. That is what the client does
when the host is "localhost"; giving "127.0.0.1" instead asks for a TCP
connection, which will now be refused. After the restart, confirm that
nothing is listening on port 3306 (netstat or ss will show this). Be aware
that a package upgrade may replace /etc/init.d/mysql and undo the edit;
the same setting placed as skip-networking in the [mysqld] section of
my.cnf survives upgrades.
2. Limit root and non-essential access. Change the default (empty)
root password. Delete any non-localhost 'root' users and any 'blank'
(anonymous) users.
mysqladmin -u root password new_password
mysql -u root --password=new_password
(A password given on the command line is visible in the process list and
is kept in your shell history; running "mysql -u root -p" instead prompts
for it.)
mysql> use mysql;
mysql> delete from user where host = '%';
mysql> delete from user where user = '';
mysql> delete from db where user = '';
mysql> select user, host from user;
Note that the first delete removes every account whose host is the
wildcard '%', not only root. If you see any 'root' users other than
root@localhost, delete them, e.g.
mysql> delete from user where user = 'root' and host = 'myhost.com';
Flush the privileges. This is required because the grant tables were
edited directly; on releases that support it, DROP USER 'name'@'host'
removes an account from every grant table at once and needs no flush.
mysql> flush privileges;
mysql> quit
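The two steps above are typed by hand. As an added example, not code from the original page, here is a small POSIX shell script that turns them into repeatable checks that run without a live server: mysqld_network_mode reports whether a my.cnf-style configuration actually disables networking for mysqld (a commented-out directive does not count), and audit_accounts reads "user<TAB>host" lines, the format produced by the mysql client's batch output for the select user, host query, and prints a DROP USER statement for every account the policy above removes. It goes slightly beyond the page in one respect: it flags any host containing the '%' wildcard (for example 192.168.%), not only a host that is exactly '%'. The function names are my own, and the sample configuration and account list in the usage comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit helpers for
# the two hardening steps. POSIX sh + awk only; no MySQL server needed.
# Assumptions: the config is my.cnf-style INI text on stdin, and account
# lists are "user<TAB>host" lines as printed by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"

# Step 1 check. Prints one of:
#   skip-networking        TCP/IP disabled, Unix socket only
#   bind-address=<addr>    still listening, but only on <addr>
#   networked              no restriction at all
# Only the [mysqld] section is examined; "# skip-networking" is ignored.
mysqld_network_mode() {
    awk '
        /^[ \t]*\[/ {                      # section header such as [mysqld]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section != "mysqld" { next }       # other sections do not matter
        /^[ \t]*skip[-_]networking([ \t=]|$)/ { skip = 1 }
        /^[ \t]*bind[-_]address[ \t]*=/ {
            bind = $0
            sub(/^[^=]*=[ \t]*/, "", bind)
            sub(/[ \t#].*$/, "", bind)     # drop trailing comment or blanks
        }
        END {
            if (skip)            print "skip-networking"
            else if (bind != "") print "bind-address=" bind
            else                 print "networked"
        }'
}

# Step 2 audit. Emits DROP USER for: anonymous users, any account whose
# host contains the % wildcard, and root accounts that are not local
# (localhost, 127.0.0.1 or ::1). Nothing is executed; review the output
# before feeding it back to the mysql client.
audit_accounts() {
    awk '
        BEGIN { FS = "\t" }
        function is_local(h) {
            return h == "localhost" || h == "127.0.0.1" || h == "::1"
        }
        {
            user = $1; host = $2
            if (user == "" || index(host, "%") > 0 ||
                (user == "root" && !is_local(host)))
                printf "DROP USER '\''%s'\''@'\''%s'\'';\n", user, host
        }'
}

# Usage on a live server (run as the MySQL root user):
#   mysqld_network_mode < /etc/my.cnf
#   mysql -N -B -e "SELECT user, host FROM mysql.user" | audit_accounts
# Constructed sample, not captured from a real server:
#   printf '[mysqld]\n# skip-networking\nbind-address=0.0.0.0\n' \
#       | mysqld_network_mode          -> bind-address=0.0.0.0
#   printf 'root\tlocalhost\nroot\tmyhost.com\n\tlocalhost\n' \
#       | audit_accounts               -> DROP USER 'root'@'myhost.com';
#                                         DROP USER ''@'localhost';
```

The generated statements use DROP USER rather than deleting rows from mysql.user because DROP USER removes the account from every grant table in one step and needs no FLUSH PRIVILEGES; the page's manual deletes are what you fall back to on releases without it.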