Richard
The MySQL binary installation package takes care of most of the things automatically but we still need to do some extra manual steps to make sure that our MySQL database is safe from outside attacks as it is going to be on a server directly connected to the internet.
Copy the example configuration file from the MySQL source, ‘/usr/local/mysql/support-files/my-medium.cnf‘, to ‘/etc/my.cnf‘ and set the appropriate permissions:
chmod 644 /etc/my.cnf
Next we need to remove all accounts except the local root account because we don’t need them and they pose a security risk as everyone knows they are there to abuse. Please note that you should only do this if you install a new instance and not if you are upgrading or you will loose all your current users.
Start mysql from the Terminal and enter the following commands:
mysql> use mysql; mysql> delete from db; mysql> delete from user where User = ''; mysql> flush privileges;
This will prevent the database from establishing anonymous connections.
To change the password for the ‘root’ account you can use the following commands from the MySQL terminal:
mysql> update user set Password=PASSWORD('new_password')
where User='root';
mysql> flush privileges;
Don’t forget to flush privileges; to make the privileges take effect.
It is also recommended to change the default name of administrator’s account (root), to a different, harder to guess one. Such a change will make it difficult to perform brute-force and dictionary attacks on the administrator’s password. In this case the intruder will have to guess not only the password, but first and foremost, the name of the administrator’s account.
mysql> update user set user="mydbadmin" where user="root"; mysql> flush privileges;
Another change applies to the 3306/tcp port, on which MySQL listens by default. Because, according to the initial assumptions, the database will be only used by locally installed PHP applications, we can freely disable listening on that port. This will limit possibilities of attacking the MySQL database by direct TCP/IP connections from other hosts (This can also be accomplished by blocking this port using the Firewall). Local communication will be still possible through the mysql.sock socket. In order to disable listening on the mentioned port, the following parameter should be added in the [mysqld] section of ‘/etc/my.cnf‘:
skip-networking
If, for some reason, remote access to the database is still required (e.g. to perform remote data backup), the SSH protocol can be used to connect to the server and execute a command locally, for example to create a backup you could type:
otherhost$ ssh mysqlserver /usr/local/mysql/bin/mysqldump -A > backup
Administer your MySQL server
You will need to administer your server, you could use the Terminal commands but that is a bit tedious. There are nice administration tools available even from MySQL, or web based like phpMyAdmin. The installation of the MySQL administrator is just like a regular application, the installation of phpMyAdmin will be discussed elsewhere because you need to install PHP first.
Comments
1:11 am
Something is wrong. I followed these installation instructions after a clean install of Lion. Now I have an install I can’t do anything with and I can’t stop MySQL from System Preferences. Grrrr!
I missed something very, very basic I’m sure.
6:35 pm
How do you start mysql from the command line?
tried:
mysql
result:
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)
6:38 pm
@Andrew, use sudo /usr/local/mysql/bin/mysqld_safe
To start it automatically please read: http://diymacserver.com/mamp/lion/starting-mysql-automatically/
3:43 pm
I made a new install (mysql-5.6.10-osx10.7-x86_64). I made the fixes from the installation part…. “path”, “install_name_tool” etc…
But when starting to secure the db, it didn’t allow me to. Permission denied (on serveral err/pid files).
Incase you got the same errors, I found another guide that worked for me: http://blog.mclaughlinsoftware.com/2011/02/10/mac-os-x-mysql-install/
Scroll down to: “Secure the Database”
Basically it’s:
shell> mysql -uroot
mysql> USE mysql;
mysql> SELECT USER, password, host FROM USER\G
(will show all 6 accounts including the 2 empty ones)
mysql > SET PASSWORD FOR ‘root’@'localhost’ = password(‘yourpassword’); SET PASSWORD FOR ‘root’@'MacPro.local’ = password(‘yourpassword’); SET PASSWORD FOR ‘root’@’127.0.0.1′ = password(‘yourpassword’); SET PASSWORD FOR ‘root’@'::1′ = password(‘yourpassword’);
mysql > DROP USER ”@’localhost’; DROP USER ”@’MacPro.local’;
mysql> DELETE FROM USER WHERE LENGTH(USER) = 0;
Re-run:
mysql> SELECT USER, password, host FROM USER\G
(will show 4 users including hashed passwords)
# MacPro.local = name/host of you computer – mine is different, so I had to change that one.
- – -
I also liked the alias section above:
## I never got these to work
#alias mysqlstart=’sudo /Library/StartupItems/MySQLCOM/MySQLCOM start’
#alias mysqlstop=’sudo /Library/StartupItems/MySQLCOM/MySQLCOM stop’
# but these ones does
alias mysqlstart=’sudo /usr/local/mysql/support-files/mysql.server start’
alias mysqlstop=’sudo /usr/local/mysql/support-files/mysql.server stop’
alias mysqlstatus=’ps aux | grep mysql | grep -v grep’
Hope it can help someone…
ยท Eric
(os x 10.7.5, mysql-5.6.10)