RSS feedThe MySQL binary installation package takes care of most of the things automatically but we still need to do some extra manual steps to make sure that our MySQL database is safe from outside attacks as it is going to be on a server directly connected to the internet.
Note: These instructions presume you first installed MySQL via the binary installation package and then compiled the source code to get proper shared libraries.
Copy the example configuration file from the MySQL source, ‘/usr/local/mysql/support-files/my-medium.cnf‘, to ‘/etc/my.cnf‘ and set the appropriate permissions:
Next, we must remove the sample database (test) and all accounts except the local root account because we don’t need them and they pose a security risk as everyone knows they are there to abuse. Please note that you should only do this if you install a new instance and not if you are upgrading or you will loose all your current users.
Start mysql from the Terminal and enter the following commands:
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where User = '';
mysql> flush privileges;
This will prevent the database from establishing anonymous connections and removes the test database with the accompanying permissions.
To change the password for the ‘root’ account you can use the following commands from the MySQL terminal:
where User=’root’;
mysql> flush privileges;
Don’t forget to flush privileges; to make the privileges take effect.
It is also recommended to change the default name of administrator’s account (root), to a different, harder to guess one. Such a change will make it difficult to perform brute-force and dictionary attacks on the administrator’s password. In this case the intruder will have to guess not only the password, but first and foremost, the name of the administrator’s account.
mysql> flush privileges;
Another change applies to the 3306/tcp port, on which MySQL listens by default. Because, according to the initial assumptions, the database will be used only by locally installed PHP applications, we can freely disable listening on that port. This will limit possibilities of attacking the MySQL database by direct TCP/IP connections from other hosts (This can also be accomplished by blocking this port using the Firewall). Local communication will be still possible through the mysql.sock socket. In order to disable listening on the mentioned port, the following parameter should be added in the [mysqld] section of ‘/etc/my.cnf‘:
If, for some reason, remote access to the database is still required (e.g. to perform remote data backup), the SSH protocol can be used to connect to the server and execute a command locally, for example to create a backup you could type:
> backup
Administer your MySQL server
You will need to administer your server, you could use the Terminal commands but that is a bit tedious. There are nice administration tools available even from MySQL, or web based like phpMyAdmin. The installation of the MySQL administrator is just like a regular application, the installation of phpMyAdmin will be discussed elsewhere because you need to install PHP first.
Next step: Installing Apache
7:56 am
So I have to impose on your goodwill one more time, and ask if you’ve ever seen this:
I got MySQL 5.0.33 up and running. PHP/Apache was fine. Then I went to test Wildfire (I am testing this as a jabber/XMPP chat server – the key thing here is it it’s entirely Java-bases and uses the java connector to MySQL). It refused to connect to the MtSQL server at all. Simply saying connection refused.
I re-commented the ’skip-networking’ line in my.cnf (thinking it was looking for a port 3306 connection to localhost – no good.
Eventually, I just deleted my.cnf completely, and restarted the MySQL server.
Everything worked fine.
I’m at a loss. I’d appreciate any thoughts on where to look for this one…
I like the idea of limiting access, and I think I can do a bind to 127.0.0.1 so localhost only will work (???) but this seemed odd.
Thanks!!
8:01 pm
oops…I have to take that back. That I’ve since discovered is a bug in Wildfire (when you restart the mysql server you have to log in an out of an IM account before it will let you log in as admin…I’ll pass that to them).
Although, the
bind-address 127.0.0.1
worked really well. I makes sure I can use ‘localhost’ as the server identifier when needed, and that no one else can connect.
Now, I’d love to have the ability to bind to only selected addresses…but more than one. I’m posting this at mysql.com since it gives me the ability to set a private IP address (the mac can have multiple IP addresses on one ethernet connection) so other Macs within my network can connect.
Thanks for all your help, and I hope some of the information I’ve provided here adds to someone’s knowledge
9:41 am
thanks for posting all this info,
I am somewhat new to all that is server.
re: mysql – securing:
when I attempt the command – mysql> use mysql;
i receive – ERROR 1044 (42000): Access denied for user ”@’localhost’ to database ‘mysql’
is this good? if not how do I remedy?
I created my .bash_profile after compiling . . . I did create a file called .bashrc [PATH=${PATH}:/usr/local/mysql/bin] before compiling as per MySQL documentation (this didn’t get me into mysql though – so I created the .bash_profile) – this was my only deviation from your methodology
cheers.
5:38 pm
So if skip-networking is used what do I use for MySQL’s gui tools to log in to the DB?
8:25 pm
You can’t use the GUI tools to access the database if you use the skip networking option. If you want access using the GUI tools you should also remember that this is a security risk.
1:23 am
In regards to Daniel and ERROR 1044, you should be able to get the “use mysql;” line working if you log into mysql as root: enter the command “mysql -u root -p” at the terminal, instead of just “mysql”. The default password is blank I believe so just hit enter. I had the same problem, but this fixed it for me.
10:35 am
I followed all your steps, but when i run “mysql> use mysql;”
I get the following error
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)
Can you help me resolve this problem?
Thank you
11:38 am
Is the socket file there and are you sure MySQL is running ?
12:56 pm
MySQL is running, and I don’t know where to find the directory /tmp/mysql.sock
5:03 am
I was also having an issue with not mysql not finding or creating the socket file on a 64bit leopard compile, but I resolved it by reinstalling the 5.0.77 64bit binary file (the DMG archive with the pref pane) and then recompiling from the 5.0.77 source.
Works great now. Many thanks to this site.
6:33 pm
You can use navicat mysql and other GUI tools instead of MySQL ones or even PHPmyadmin and still use skip-networking. I really use a mix of terminal/navicat and phpmyadmin and all works fine with skip-networking used. The MySQL tools are okay but there is better ways.
10:15 pm
Missed a few steps in the tutorial. Took me some time to figure out (being a newbie and all)
When no datadir is installed, go to source directory (where you untarred your downloaded mysql source)
and do in terminal (without the > sign of course):
> sudo scripts/mysql_install_db –user=mysql
then you have your data dir installed.
Next do mysql from terminal. How?
> sudo su
(osx asks for pw)
Navigate to ../mysql/bin directory
Start mysql server
> ./mysqld_safe –user=mysql &
Get mysql prompt type:
> ./mysql
Than move on with this great tutorial.
Done?
mysql> exit
and you’re back in terminal mode.
Hope this helps.
Many thanks to RIchard and this great site.
6:58 pm
Hi,
I noticed a possible msql syntax error above in the second block:
mysql> delete from user where User = ”;I think the double quotes should be two single quotes, and there should not be a space between the = sign and the first single quote. Or is this just the way my browser renders the two single quotes?
7:59 pm
David, thnaks for pointing out this error. It has bee ncaused by an unfortunate error during a Wordpress upgrade. Most of them were corrected and I had missed this one. There should be two single quotes (or two double quotes). The space is not a problem.
7:37 pm
I’m not sure where the /etc/my.cnf goes? I don’t see a etc folder anywhere, where do I create it at? In the support-files folder?
7:41 pm
The folder you need to put this file “my.cnf” in is in the directory /etc or /private/etc. You won’t see this folder in the Finder, you will need to use the Terminal.
3:22 am
Just a small thing.
“Copy the example configuration file from the MySQL source, ‘/usr/local/mysql/support-files/my-medium.cnf‘, to ‘/etc/my.cnf‘ and set the appropriate permissions”
should read
“Copy the example configuration in the MySQL source files, ‘./support-files/my-medium.cnf‘, to ‘/etc/my.cnf‘ and set the appropriate permissions”
or something like that. It’s not in the /usr/local directory.
Thanks for a great site.
Jeff
12:36 pm
Thanks Jeffrey I will correct this!
11:02 am
I changed the root password and name and now I cant login, keeps telling me access denied. I cant even login using root. Is their a way to reset back to do over??? I tried reinstalling and that didnt work. Thanks.
8:06 pm
@Roberto, please follow the instructions as documented here: http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html#resetting-permissions-unix
11:10 pm
Checking now, thanks again Richard your extremely helpful.