October 24, 2016

Hardening MySQL with mysql_secure_installation

A default Linux MySQL installation isn’t necessarily secure, but a hardening script called mysql_secure_installation ships with the MySQL server to tighten the default configuration. To run it, open a terminal window and, as root (either using sudo or su -), type mysql_secure_installation and press Enter.

The script will guide you through several steps to lock down the MySQL installation.

The first step is to set the root password. By default no root password is set, so hit Enter when asked for the current password (meaning it is blank) and then set the new password as directed. Setting the root password ensures that nobody can log in as the MySQL root user without the proper authorisation.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without a user account of their own. The anonymous user is there only for testing. Type ‘y’ and hit Enter when asked to remove the anonymous user account.

To ensure that the root user cannot log in over the network (allowing root connections only from the local machine), type ‘y’ and hit Enter when asked to disallow remote root login.

By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. To remove it type ‘y’ and hit Enter when asked.
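The three account-related steps above (anonymous user, remote root, test database) leave visible traces in the mysql.user table and the database list, so they can be audited afterwards. The following is an added example, not part of the original post and not MySQL's own script: a small POSIX shell audit that reads the output of `SELECT User, Host FROM mysql.user` and `SHOW DATABASES`, and reports anything the hardening should have removed. It assumes the `mysql` client can authenticate non-interactively (for example via ~/.my.cnf); the sample tables embedded in it are constructed so the checks can be exercised without a server.

```shell
#!/bin/sh
# Added audit script (not from the original post or from MySQL): finds the
# defaults that mysql_secure_installation removes. Only run_live_audit talks
# to a server; every check works on plain text from stdin.

# Live queries: -N drops column headers, -B gives tab-separated rows.
# Assumes the mysql client authenticates via ~/.my.cnf or similar.
fetch_user_rows() { mysql -N -B -e "SELECT User, Host FROM mysql.user"; }
fetch_databases()  { mysql -N -B -e "SHOW DATABASES"; }

# Reads "User<TAB>Host" lines on stdin and prints one finding for each
# anonymous account (empty User) and for each root account whose Host
# would let it connect from anywhere other than the local machine.
user_findings() {
    awk -F'\t' '
        $1 == "" { printf "anonymous account reachable from %s\n", $2 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "remote root login allowed from %s\n", $2
        }'
}

# Reads database names on stdin and prints each one called test or test_*,
# the names the script''s "remove test database" step and its privilege
# clean-up cover.
db_findings() {
    awk '$0 == "test" || $0 ~ /^test_/ { printf "test database present: %s\n", $0 }'
}

# Number of lines on stdin; prints 0 for empty input and always exits 0.
count_lines() { awk 'END { print NR }'; }

# Finding counts for a user table / database list given on stdin.
count_user_findings() { user_findings | count_lines; }
count_db_findings()   { db_findings | count_lines; }

# Constructed sample of fetch_user_rows output for an un-hardened server:
# root reachable from any host (%) plus two anonymous accounts.
SAMPLE_USERS=$(printf 'root\tlocalhost\nroot\t%%\n\tlocalhost\n\texample.test\napp\t10.0.0.5\n')
# The same table as it should look after mysql_secure_installation.
HARDENED_USERS=$(printf 'root\tlocalhost\napp\t10.0.0.5\n')
# Constructed SHOW DATABASES output before and after the test database is dropped.
SAMPLE_DBS=$(printf 'information_schema\nmysql\ntest\nappdb\n')
HARDENED_DBS=$(printf 'information_schema\nmysql\nappdb\n')

# Runs both checks against the live server, prints the findings and returns
# non-zero if any remain, so it can gate a deployment step.
run_live_audit() {
    users=$(fetch_user_rows)
    dbs=$(fetch_databases)
    printf '%s\n' "$users" | user_findings
    printf '%s\n' "$dbs" | db_findings
    total=$(( $(printf '%s\n' "$users" | count_user_findings) \
            + $(printf '%s\n' "$dbs" | count_db_findings) ))
    [ "$total" -eq 0 ]
}
```

Offline, `printf '%s\n' "$SAMPLE_USERS" | user_findings` prints the three problems in the constructed table and `printf '%s\n' "$HARDENED_USERS" | user_findings` prints nothing; against a real server, `run_live_audit` does the same with live data. The root-password step is deliberately not checked here, because the authentication columns in mysql.user differ between MySQL versions.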

And that is it. If you answered positively to all the steps above, your MySQL installation should now be secure.

Running mysql_secure_installation is recommended for all MySQL servers in production use.