Krillz.com

A coder’s steps revealed





Last night, while setting up a MySQL server for my lazy friend, I decided to write a post on how I configure and set up MySQL.
I guess there are people out there who haven’t yet realized that security has to be considered after installing the server.
Of course, as with everything else, you should run MySQL in a chrooted environment; I, however, didn’t do that this time, as the server was set up on a virtual machine.
If a breach were to occur in this virtual space, the attacker would only be able to harm the virtual machine and would pose no risk to the real system, so chrooting in this case seems like a waste of time. However, if you’re running it all on a non-virtual system, then chrooting is a must!
Virtual machine or normal system, the security issues have to be dealt with anyway.
I mean, hacks that could have been prevented are a pure waste of time, and remember that time is precious, so do the job thoroughly from the start instead of having to spend a lot of time on it later!

Right from the compilation or install we have some important issues that have to be dealt with.

1. No password on the root user
2. There is a standard anonymous user
3. The server is accessible from outside

This is easily fixed, and if you don’t know how to fix these issues, don’t worry, just run the following commands. First up is setting a password for the root user:
mysqladmin -u root password 'the-new-password'

Now enter the MySQL monitor; as you’ll notice, you need to enter a password to get access this time around.
Once inside, let’s remove the anonymous user and the test database:

drop database test;
use mysql
delete from user where User='';
quit

For the changes to take effect we need to reload MySQL, but we will be enabling binary logging so just shut down MySQL for now.


mysqladmin -u root -p shutdown

In your MySQL option file, enter the following option:


[mysqld]
log-bin

If you don’t have an option file yet, just create one now: put it in /etc/ and call it my.cnf. Remember to put it in the right place; if chrooted, put it in that directory!
Now start MySQL by running mysqld_safe instead!

Also, you should consider changing the name of the root user, just to make that user’s name harder to guess! At this point you should also set the correct privileges on the files to prevent unwanted users from using certain files or services!

Let’s jump to making it inaccessible from outside. This step should always be done; however, there are situations where it can’t be, for example when the server is located on another computer. Most servers run pretty much everything on the same box, though, so this is still an important step.
What you need to do is only let connections come from localhost, which means we need to stop MySQL from listening on port 3306. This is done in the option file, and while editing it let’s configure some other things too:

my.cnf
[mysqld]
# Turn off network connections: no incoming connections from outside
skip-networking

# Disable the LOAD DATA LOCAL INFILE command to prevent reading local files
# (written without the old set-variable= prefix, which MySQL 5.5 and later reject)
local-infile=0

# If you're in a chrooted environment it's also a good idea to set the following,
# so you don't have to supply it in every command to mysql
[client]
socket = /path-to-where-it-is-chrooted/mysql.sock
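
A small audit of the option-file settings covered above (log-bin, skip-networking, local-infile), added here as an example and not part of the original post. The sample files are constructed; accepting a loopback bind-address in place of skip-networking goes beyond the post, and an absent local-infile is reported as enabled.

```python
import re

# Constructed sample option files (not from the post): a fresh install
# next to one carrying the settings the post recommends.
WEAK = """
[mysqld]
datadir = /var/lib/mysql
"""
HARDENED = """
[mysqld]
# local socket only, no TCP listener
skip-networking
set-variable = local-infile=0
log-bin
"""

def parse_mysqld(text):
    """Return {option: value} for the [mysqld] group of a my.cnf-style file."""
    opts, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # option files comment with # or ;
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if group != "mysqld":
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key.replace("_", "-") == "set-variable":   # legacy form used in the post
            key, _, val = (part.strip() for part in val.partition("="))
        opts[key.replace("_", "-").lower()] = val     # '-' and '_' are equivalent
    return opts

def audit(text):
    """Return one finding per recommended setting that is missing."""
    o, findings = parse_mysqld(text), []
    loopback = o.get("bind-address") in ("127.0.0.1", "::1", "localhost")
    if "skip-networking" not in o and not loopback:
        findings.append("reachable over the network: no skip-networking")
    if o.get("local-infile", "1").lower() not in ("0", "off", "false"):
        findings.append("LOAD DATA LOCAL INFILE allowed: local-infile is not 0")
    if "log-bin" not in o:
        findings.append("no binary log: log-bin is missing")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```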

Well, now we are pretty much done. This will increase your security but cannot guarantee that nothing bad will happen, so do not forget to make backups on a regular basis!
That’s all for now!
