Basic MySQL Security

I am migrating my wordpress blogs to Linode from shared hosting.

I managed to use the command line to copy over my databases, and I have implemented the general security tips

  • disallow password authentication

  • fail2ban

  • disallow root logins in my main apache config.

  • changed the default SSH port (although I see that some people don't think this is necessary).

  • ufw firewall only allowing my SSH port, 80, and 443.

But - what should I be doing in terms of MySQL security specifically?

When I first set up my Linode using the LAMP stackscript, I used root as the user and I'm wondering if I need to change this, and how to do this safely.

I want to be able to use the automatic database backup plugin in Wordpress, and I have Linode backups turned on, but otherwise no one needs any access to my Linode other than me from my local machine at my home static IP.

I'm a supernewbie and I'd really appreciate some advice.

Thanks!

2 Replies

Probably the main thing is to make sure MySQL is not listening for outside connections. You can check like so:

# netstat -lvnut
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN      4821/mysqld
...

If you see 127.0.0.1:3306 (or the IPv6 equivalent, can't remember what it is right now) in the Local Address column, then MySQL is only listening on the loopback interface. If you see 0.0.0.0:3306 (or :::3306), it is accepting connections from the outside world and you should change bind-address.

If you don't see it in the netstat output, then MySQL is probably using a UNIX socket (you can check with netstat -lvpn --protocol=unix) which is not open to the outside.
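The check described in the reply above, as an added example that is not the poster's command or any Linode tooling: a shell helper that classifies MySQL listeners in netstat-style output as loopback-only or external, and reads the effective bind-address from a my.cnf-style file. The sample netstat lines and config are constructed, and the /etc/mysql/my.cnf path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread). Live use:
#   netstat -lvnut | classify_mysql_listeners
#   bind_address_of < /etc/mysql/my.cnf      # config path is an assumption

# Prints "loopback", "external" or "none"; exit status 1 only for "external".
classify_mysql_listeners() {
    awk '
        # Column 4 is Local Address, e.g. 127.0.0.1:3306, 0.0.0.0:3306, :::3306
        $1 ~ /^tcp6?$/ && $4 ~ /:3306$/ {
            addr = $4; sub(/:3306$/, "", addr)
            if (addr == "::1" || addr ~ /^127\./) loopback = 1; else external = 1
        }
        END {
            if (external) { print "external"; exit 1 }
            print (loopback ? "loopback" : "none")
        }'
}

# Prints the last bind-address set in the [mysqld] section, or "unset"
# (unset means mysqld binds every interface: the 0.0.0.0:3306 case above).
bind_address_of() {
    awk -F= '
        /^[[:space:]]*\[/ { sec = $0; gsub(/[^a-zA-Z0-9_]/, "", sec); next }
        sec == "mysqld" && $1 ~ /^[[:space:]]*bind[-_]address[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
        }
        END { print (val == "" ? "unset" : val) }'
}

# Constructed sample data, not output from a real host.
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 4821/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd'
SAMPLE_EXTERNAL='tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 4821/mysqld
tcp6 0 0 :::3306 :::* LISTEN 4821/mysqld'
SAMPLE_CNF='[client]
port = 3306
[mysqld]
# bind-address = 0.0.0.0
bind-address = 127.0.0.1'

# Demo on the externally bound sample: the non-zero status triggers the advice.
printf '%s\n' "$SAMPLE_EXTERNAL" | classify_mysql_listeners ||
    echo "mysqld reachable from outside: set bind-address = 127.0.0.1 under [mysqld]"
```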

Cool - thanks. I ran it and it's not accepting outside connections, so that's looking good.
