Secure existing MySQL installation

MySQL is a free, easy-to-use database server that supports multiple databases and tables, and allows clients to query them with SQL. This cheat-sheet shows how to secure MySQL in a few simple steps.

Change MySQL root password

First step to secure MySQL is changing the database superuser password, which is empty by default:

mysql> UPDATE mysql.user SET Password=PASSWORD('pa$$w0rD') WHERE User='root';

Remove unneeded databases and users

Next, remove test database:

mysql> DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
mysql> DROP DATABASE test;

and users:

mysql> DELETE FROM mysql.user WHERE User='root' AND Host != 'localhost';
mysql> DELETE FROM mysql.user WHERE user = '';

Finally, reload MySQL privilege information to make above changes to take effect:


Improve local security

MySQL config file contains several directives that can help to avoid some types of attacks. Open it and change the following values in [mysqld] section:


# avoid some Denial of Service attacks

Make MySQL to listen for TCP/IP connections only locally on the loop-back interface.

Prevents against unauthorized reading from local files, useful to avoid SQL injection attacks.

The maximum number of simultaneous connections allowed for a single user

Block a host after this many unsuccessful connection attempts. This is especially helpful against a dictionary-based password attack. You can unblock blocked hosts with the FLUSH HOSTS statement.

Install a database firewall

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. It works as a proxy and has built-in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL provides MySQL database security solution