Some guidelines for MySQL security

  • Don’t share the root password or access to the mysql.user table with anyone you do not fully trust. The hashed password stored in mysql.user is effectively the real credential in MySQL: anyone who knows the hash for an account can log in as that account from any host it is allowed to connect from.
  • Check with the “mysql -uroot” command. If you can log in without being asked for a password, you are in trouble: anyone can log in as root on that server. In this case, run the “mysql_secure_installation” utility. It lets you set a root password, remove anonymous users and restrict accounts that connect from outside the server.
  • There should be no user without a password. Avoid “%” in host values wherever you can. Change the root password regularly.
  • Check each user’s permissions with the “SHOW GRANTS” command and remove unnecessary ones with the “REVOKE” command. Don’t grant a user access to multiple hosts or databases until it is actually needed.
  • Don’t use dictionary words in passwords; they are easily broken by password-cracking programs.
  • If the data is sensitive enough, use SSL connections between the MySQL client and server.
  • MySQL listens on port 3306 by default; block that port from outside your network so it is not reachable by untrusted users or hosts.
  • Don’t run the mysqld daemon as the Linux root user; it should always run as the dedicated MySQL user. Running mysqld as a non-root Linux user does not require renaming the root account in mysql.user, because MySQL users and Linux users are entirely separate.
  • Don’t give the PROCESS privilege to all users. The “show processlist” command shows every running query on the server, so while one user is changing a password, another could read it from “show processlist”, e.g. update user set password = old_password(“abc”).
  • If you don’t trust your DNS, use IP addresses instead of hostnames in the mysql.user table. In any case, be very careful about creating grant table entries whose hostname values contain wildcards. To restrict the number of simultaneous connections for a single user, set the max_user_connections variable in mysqld.
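The audit and cleanup the points above describe, as an added SQL example (not from the original post). It assumes MySQL 5.7 or 8.0, where mysql.user stores the hash in authentication_string (on 5.6 and earlier the column is Password); the account names, the reports database and the password string are constructed placeholders.

```sql
-- Added example, not the post's own script. Assumes MySQL 5.7/8.0 column names.
-- 'app'@'10.0.0.5', 'report'@'192.168.1.%', the reports database and the
-- password are constructed placeholders.

-- 1. Accounts with no password at all.
SELECT User, Host
FROM mysql.user
WHERE authentication_string = '' OR authentication_string IS NULL;

-- 2. Anonymous accounts (empty user name), the ones mysql_secure_installation removes.
SELECT User, Host FROM mysql.user WHERE User = '';

-- 3. Accounts whose Host contains the pattern wildcards '%' or '_'.
--    The wildcards are escaped so LIKE matches them literally.
SELECT User, Host
FROM mysql.user
WHERE Host LIKE '%\%%' OR Host LIKE '%\_%';

-- 4. Accounts holding PROCESS, which lets them read every running statement.
SELECT User, Host FROM mysql.user WHERE Process_priv = 'Y';

-- 5. Review one account's grants, then strip what it does not need.
SHOW GRANTS FOR 'app'@'10.0.0.5';
REVOKE PROCESS ON *.* FROM 'app'@'10.0.0.5';

-- 6. Remove the anonymous and host-wildcard accounts found above.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'report'@'192.168.1.%';

-- 7. Recreate with an explicit IP host, a non-dictionary password,
--    a per-user connection cap and mandatory SSL.
CREATE USER 'report'@'192.168.1.20'
  IDENTIFIED BY 'CHANGE-ME-to-a-long-random-string'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 5;
GRANT SELECT ON reports.* TO 'report'@'192.168.1.20';

-- 8. Server-wide per-user connection limit, the variable the post mentions.
SET GLOBAL max_user_connections = 50;
```

Queries 1 to 4 are read-only and safe to run first; only act on their output once you have confirmed each flagged account is really unneeded, since dropping an account that an application still uses is its own outage.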

5 thoughts on “Some guidelines for MySQL security”

  1. On the network config I would say do not use network at all when it’s possible.

    And if you still want MySQL to listen on the network port use bind-address to restrict connections from untrusted interfaces.
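A server-side option file that applies the daemon-level advice from the post (run as the mysql user, keep port 3306 off untrusted networks, require SSL) together with the bind-address restriction from the comment above, as an added example rather than anything from the original post or comment. The certificate paths are assumptions; require_secure_transport exists from MySQL 5.7.8 onward.

```ini
[mysqld]
# Added example configuration; not from the original post.
user                     = mysql          # never run the daemon as the Linux root user
bind-address             = 127.0.0.1      # loopback only; use an internal interface address if remote clients are required
# skip-networking                         # uncomment to disable TCP entirely (Unix socket connections only)
port                     = 3306           # still firewall this port from untrusted networks
require_secure_transport = ON             # refuse plain-text TCP connections
ssl-ca                   = /etc/mysql/ca.pem           # assumed path
ssl-cert                 = /etc/mysql/server-cert.pem  # assumed path
ssl-key                  = /etc/mysql/server-key.pem   # assumed path
```

With bind-address set to 127.0.0.1, clients on other hosts cannot reach the port at all regardless of their grants; the SSL settings then cover the case where the post's "sensitive data" rule applies and a non-loopback address is unavoidable.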
