How to Secure MySQL Databases on Linux VPS


MySQL is a popular open-source database management system used for various purposes such as data warehousing, e-commerce, application logging and more. Most users choose this software for their websites, especially those that run them on Linux servers. However, if it’s configured incorrectly, this program can become a security liability for its users. That’s why it’s necessary to properly set up the databases on this system. There are a few steps that everyone can take to achieve greater protection for their MySQL database on Linux VPS.

The initial setup

The first move can be done when the program is being installed for the first time. Secure your administration account from the very beginning by changing the root password. By doing this, users achieve a few things:

  • the ability for anyone to log into MySQL by default is disabled,
  • logging in remotely with the administrator account id turned off,
  • insecure test databases are removed,
  • running MySQL instances are updated to reflect these changes.

Even these simple things ensure a higher level of protection to the program and all its components.

Configuring the My.cnf file

This is the main configuration file of this software. It’s located in the “/etc/mysql/” directory on Ubuntu and in the “/etc/” directory on some other Linux VPS. Some settings can be changed to achieve greater security. Users should:

  1. Open the file with root privileges,
  2. Change the directory path to “sudo nano /etc/mysql/my.cnf” if this is being done on another system,
  3. Check the “bind-address” setting within the “[mysqld]” section,
  4. Set it to your local loopback network device.

This ensures that MySQL is accepting only the connections from the local machine and not anywhere else. If you need to enter the database from another place, this can be done through SSH. The next step is to disable the feature that allows access to the underlying filesystem from within the software. In the same file, add the “local-infile=0” directive which shuts off the ability to load local files. This means that users without file-level privileges can’t load the database.

Securing MySQL from within

Another step to better protect MySQL on Linux VPS is to make some changes in the program itself. These are:

  • Securing passwords and host associations. Make sure that there are no users without these two things. To set a password, enter the command “UPDATE” and write “mysql.user SET Password=PASSWORD(‘newpassword’) WHERE User=”username”;” next to it. Next, you need to change the host. Do this by entering the “UPDATE” command and writing “mysql.user SET Host=’localhost’ WHERE User=”username”;” after. Any blank accounts can be removed by typing the “DELETE FROM mysql.user WHERE User=””;” code. To implement these new permissions, write “FLUSH PRIVILEGES;”.
  • Implementing application-specific users. Each application that uses this software should have its separate user with limited privileges. Assign each account only the accesses it needs. This can vary case by case as some uses need more permissions than others on the Linux VPS and MySQL system. To create a new user, use the “CREATE USER ‘username’@’localhost’ IDENTIFIED BY ‘password’;” command. Grant them privileges by typing “GRANT SELECT,UPDATE,DELETE ON databasename.* TO ‘username’@’localhost’;”.
  • Changing the root user. It can be changed with the “rename user ‘root’@’localhost’ to ‘newAdminUser’@’localhost’;” command. Doing this is beneficial as when a hacker is trying to access the MySQL root login, they will have to do additional stuff to find the username. Flush privileges again to implement the changes.

And these are just a few simple modifications that can be done from within the software itself.

Although there are more ways to secure MySQL databases, these are used most. They are a great introduction to the type of measures users should take to ensure the protection of their data, websites and Linux VPS servers. If the environment is unsafe, it’s vulnerable and easily exploitable by attackers, which is a risk most users and companies cannot take.

Related Articles

Back to top button