MySQL is a free, easy-to-use database server that supports multiple databases and tables, and allows clients to query them with SQL. This cheat-sheet shows how to secure MySQL in a few simple steps.
Change MySQL root password
The first step in securing MySQL is to set a password for the database superuser, which older installers leave empty by default:
mysql> UPDATE mysql.user SET Password=PASSWORD('pa$$w0rD') WHERE User='root';
Replace 'pa$$w0rD' with a long, random password of your own. This statement works on MySQL 5.6 and earlier; MySQL 5.7 removed the Password column from mysql.user and deprecated PASSWORD(), so on newer servers set the password with ALTER USER 'root'@'localhost' IDENTIFIED BY '...' instead, which takes effect immediately. A direct UPDATE of the grant tables only takes effect after the FLUSH PRIVILEGES in the last step.
Remove unneeded databases and users
Next, remove the test database together with the default rows in mysql.db that grant every account access to it and to any database whose name starts with test_:
mysql> DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
mysql> DROP DATABASE test;
and the root accounts that are allowed to connect from hosts other than localhost, as well as the anonymous users (empty user name), which let anyone log in without credentials:
mysql> DELETE FROM mysql.user WHERE User='root' AND Host != 'localhost';
mysql> DELETE FROM mysql.user WHERE User='';
Finally, reload the privilege tables so that the above changes take effect:
mysql> FLUSH PRIVILEGES;
Improve local security
The MySQL option file (my.cnf or my.ini) contains several directives that help to avoid some types of attacks. Open it and set the following values in the [mysqld] section (note the variable name is max_connect_errors, plural; mysqld refuses to start on an unknown option name):
bind-address=127.0.0.1
local-infile=0
# avoid some Denial of Service attacks
max_user_connections=256
max_connect_errors=4
bind-address
Makes MySQL accept TCP/IP connections only on the loopback interface, so that only clients on the same host can reach it. If the database is never used over TCP at all, skip-networking disables the TCP listener entirely; if an application on another host must connect, bind to that interface explicitly and restrict port 3306 with a firewall.
local-infile
Disables LOAD DATA LOCAL INFILE on the server. Through a SQL injection flaw an attacker can use that statement to read files from the client host (usually the web server) into a table and then select them, so leave it off unless an application genuinely needs it.
max_user_connections
The maximum number of simultaneous connections a single account may hold. The default of 0 means unlimited, so one compromised or runaway application account could otherwise exhaust the server-wide max_connections pool.
max_connect_errors
Blocks a host after this many successive connection attempts that were interrupted before the protocol handshake completed (port scanners, broken clients, aborted connections). Note that a wrong password does not count towards this limit, so by itself this setting does not stop a dictionary attack against an account; for that, MySQL 5.7.17 and later ship the connection_control plugin, which delays responses after a configurable number of failed logins. Unblock blocked hosts with the FLUSH HOSTS statement.
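To verify that an option file actually carries these directives, here is an added example (not code from the original cheat-sheet) that audits the [mysqld] section offline, without a running server. It assumes MySQL's usual option-file conventions (a dash and an underscore are interchangeable in option names, a loose- prefix makes an unknown option non-fatal, and !include lines are not INI syntax); the two sample configurations inside it are constructed for the demonstration.

```python
"""Audit the [mysqld] section of a MySQL option file for the four hardening
directives: bind-address, local-infile, max_user_connections, max_connect_errors.

Added example, not part of the original cheat-sheet. It parses the option
file only, so no MySQL server is required.
"""
import configparser
import ipaddress


def _norm(name):
    # MySQL treats '-' and '_' in option names as equivalent and accepts a
    # 'loose-' prefix that turns an unknown option into a warning.
    name = name.strip().lower().replace("-", "_")
    if name.startswith("loose_"):
        name = name[len("loose_"):]
    return name


def parse_mysqld_section(text):
    """Return {normalised_option: value} for [mysqld]; bare options map to ''."""
    # '!include' / '!includedir' directives are not INI syntax; drop them.
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("!")]
    cp = configparser.ConfigParser(
        allow_no_value=True,          # e.g. 'skip-networking' with no '='
        interpolation=None,
        inline_comment_prefixes=("#",),
        strict=False,                 # last occurrence wins, as in mysqld
    )
    cp.optionxform = _norm
    cp.read_string("\n".join(lines))
    if not cp.has_section("mysqld"):
        return {}
    return {k: ("" if v is None else v.strip().strip("\"'"))
            for k, v in cp.items("mysqld")}


def _loopback_only(value):
    """True if every address in a (possibly comma-separated) bind-address is loopback."""
    for addr in value.split(","):
        addr = addr.strip()
        if addr in ("localhost", "127.0.0.1", "::1"):
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass
        return False
    return True


def audit_mysqld(opts):
    """Return a list of findings; an empty list means all four checks pass."""
    findings = []

    # skip-networking removes the TCP listener entirely, so bind-address is moot then.
    if "skip_networking" not in opts:
        bind = opts.get("bind_address")
        if bind is None:
            findings.append("bind-address unset: mysqld accepts TCP connections on all interfaces")
        elif not _loopback_only(bind):
            findings.append(f"bind-address={bind}: not restricted to the loopback interface")

    local_infile = opts.get("local_infile")
    if local_infile is None or local_infile.upper() not in ("0", "OFF", "FALSE"):
        findings.append("local-infile not set to 0: LOAD DATA LOCAL INFILE is permitted")

    muc = opts.get("max_user_connections", "0")   # server default 0 = unlimited
    if not muc.isdigit() or int(muc) == 0:
        findings.append("max_user_connections unset or 0: no per-account connection limit")

    if "max_connect_error" in opts:
        # The singular spelling is not a MySQL variable; without a loose- prefix
        # mysqld refuses to start on an unknown option.
        findings.append("max_connect_error is misspelled (should be max_connect_errors)")
    mce = opts.get("max_connect_errors")
    if mce is None or not mce.isdigit():
        findings.append("max_connect_errors unset: server default applies")
    return findings


# Constructed sample: what a careless install might look like.
WEAK_CNF = """\
[mysqld]
# constructed sample, not a real server's file
bind-address = 0.0.0.0
local-infile = 1
max_connect_error = 4
"""

# Constructed sample: the hardened values recommended above.
HARDENED_CNF = """\
[client]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
bind-address=127.0.0.1
local-infile=0
max_user_connections=256
max_connect_errors=4  # block after 4 interrupted handshakes
!includedir /etc/mysql/conf.d/
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {label} ==")
        for finding in audit_mysqld(parse_mysqld_section(cnf)) or ["no findings"]:
            print(" -", finding)
```

Run it against your real file with parse_mysqld_section(open("/etc/my.cnf").read()); the weak sample yields five findings (including the misspelled max_connect_error the page itself once contained), the hardened sample none.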
Install a database firewall
GreenSQL is an open-source database firewall that protects databases from SQL injection attacks. It runs as a proxy between the application and the database server, with built-in support for MySQL, and decides whether to pass a query on by scoring it against a risk matrix and by blocking known administrative commands (DROP, CREATE, etc.). Because it is a proxy, it only sees queries that are routed through it: point the application at the GreenSQL port and firewall direct access to the MySQL port, otherwise an attacker who reaches the server directly bypasses it.