3.7 Security Considerations for the MySQL Configuration

Consider the security measures in this section when working with MySQL.

3.7.1 MySQL Ports

MySQL uses port 3306 by default. Additional ports are assigned sequentially as 3307, 3308, and so on. These ports must be open in the firewall in order to allow remote access to the MySQL database.

3.7.2 Securing MySQL

The default installation of MySQL provides some configuration settings, an anonymous user, and the test database that can possibly compromise security in a production environment:

  • The root user can connect from the local host or remotely.

  • An anonymous user is also created and can connect from the local host or remotely.

  • Any local user on the server can connect to the test database without a password and be treated as the anonymous user.

  • The anonymous user can perform any function on any databases named test or with a name that begins with test_.

For production servers, we recommend that you secure your MySQL service by setting a password for the MySQL root user. This is a password for the MySQL administrator user, that is, a root user within the MySQL system. It is not the Linux root user.

  1. To set the password and log in to MySQL on the server, enter the following commands:

    /usr/bin/mysqladmin -u root password <new_password>
    
    /usr/bin/mysqladmin -u root -h <server_fdn_name> password <new_password>

    For example:

    /usr/bin/mysqladmin -u root password novell
    /usr/bin/mysqladmin -u root -h myserver1.europe.example.com password novell

Alternatively, you can run the mysql_secure_installation command as the Linux root user, complete the fields that make sense for your MySQL configuration, then use:

/usr/bin/mysql_secure_installation

We recommend that you configure the following secure settings:

  • Set a password for the MySQL root user.

  • Remove MySQL anonymous users.

  • Disallow remote login for the MySQL root user.

    The MySQL root user is allowed to connect to the database, but only from the local host.

  • Remove the test database.

  • Reload the Privileges table.