MySQL in production: looking for security?
By Thierry Manfe on Aug 28, 2008
You finished the development phase of your project, and you are now heading to put it in production. This means that your web-site will be soon on-line, visible on the Internet, and may become a potential target for attacks.
During development, you have been using MySQL on your laptop, and since you are the only one accessing your laptop you used the default configuration as-is. You are perfectly right in doing that, in fact MySQL is pretty secure by default, but here are a set of post-installation best practices to bring MySQL security to the next level.
$ mysql -u root mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');
2) If they exist, remove the MySQL anonymous account - or assign a password to it - and the test database. The anonymous user has limited privileges and should only be able to access the test database. Yet, the test database could be filled with unnecessary data that would consume disk space
mysql> DROP DATABASE test;
Query OK, 0 rows affected (0.07 sec)
mysql> DELETE FROM mysql.user WHERE User='';
Query OK, 0 rows affected (0.00 sec)
3) The mysql_secure_installation script does all of the above for you
4) If you need remote access to MySQL, if possible limit the remote access to a specific host. Do this by assigning the IP address of the host to the bind-address option in the my.cnf file located in /etc/mysql. If you want to limit the access to the local host, set the skip-networking option in my.cnf
I will be posting more on that soon. Stay tune...