How to Securely Install MySQL on Linux
Securing a MySQL database is critical for protecting sensitive data from unauthorized access, breaches, and potential exploits. This guide provides a step-by-step walkthrough for performing a secure installation of MySQL on a Linux server. It covers updating system repositories, installing the MySQL package, running the built-in security script, configuring firewall rules, and implementing best practices for database user management.
Step 1: Update the System Package Repository
Before installing any new software, update your system’s package repository to ensure you are downloading the latest security patches and software versions.
On Debian or Ubuntu systems:
sudo apt update && sudo apt upgrade -yOn RHEL, CentOS, or Rocky Linux systems:
sudo dnf update -yStep 2: Install MySQL Server
Install the official MySQL server package using your distribution’s package manager.
On Debian or Ubuntu:
sudo apt install mysql-server -yOn RHEL, CentOS, or Rocky Linux:
sudo dnf install mysql-server -yOnce the installation is complete, start the MySQL service and enable it to launch automatically upon system boot:
sudo systemctl start mysql
sudo systemctl enable mysql(Note: On RHEL-based systems, the service name may be
mysqld instead of mysql.)
Step 3: Run the MySQL Secure Installation Script
MySQL includes a built-in security script that automates several essential hardening steps. Run this script by executing:
sudo mysql_secure_installationThe script will prompt you to configure the following settings:
- VALIDATE PASSWORD COMPONENT: Enable this option to enforce strong password policies for all database users. Choose the level of validation (Low, Medium, or Strong) based on your security requirements.
- Set Root Password: Define a strong password for the MySQL root administrative user.
- Remove Anonymous Users: Disallow connections from anonymous users to ensure all connections require explicit authentication.
- Disallow Root Login Remotely: Restrict the root
user to local connections (
localhost) only. This prevents attackers from attempting to brute-force the root password over the network. - Remove Test Database: Delete the default “test” database, which is accessible to anyone by default, along with any privileges associated with it.
- Reload Privilege Tables: Apply the changes immediately.
Step 4: Configure the Firewall
By default, MySQL listens on port 3306. To protect your database from external scanning and unauthorized connection attempts, configure your firewall to block public access to this port.
If you require remote access, allow traffic only from specific, trusted IP addresses.
On Ubuntu/Debian using UFW (Uncomplicated Firewall):
# Block all external access to port 3306 by default
sudo ufw deny 3306/tcp
# Allow access only from a specific trusted IP address
sudo ufw allow from trusted_ip_address to any port 3306 proto tcp
sudo ufw reloadOn RHEL/Rocky Linux using Firewalld:
# Create a rich rule to allow access only from a specific IP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="trusted_ip_address" port protocol="tcp" port="3306" accept'
sudo firewall-cmd --reloadStep 5: Implement Secure User Management
Never use the MySQL root account for daily application operations. Instead, create dedicated database users with restricted privileges tailored to their specific tasks.
Log into the MySQL command line as root:
sudo mysql -u root -pCreate a new user with a strong password:
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'Strong_Password_Here';Grant only the minimum required privileges to the new user on the specific database:
GRANT SELECT, INSERT, UPDATE, DELETE ON target_database.* TO 'app_user'@'localhost';Flush the privileges to apply the changes and exit:
FLUSH PRIVILEGES;
EXIT;