# mySQL/Security

MySQL is easily one of the most popular databases in use today, but awareness of proper deployment practice hasn't kept up with its popularity.

So here are a few basic MySQL security tips:

### Limit TCP connections to localhost

Clients can talk to MySQL either through a local UNIX domain socket (usually /var/lib/mysql/mysql.sock) or over TCP/IP on port 3306. Out of the box, however, mysqld listens on all interfaces, so any host that can reach port 3306 gets to try its luck against the grant tables. This must be fixed in /etc/my.cnf (RedHat 8.0 and 9.0 ship firewall rules that block incoming TCP traffic to most ports, but I'd rather make sure things are properly secured at every layer).

To limit access to the local machine only, bind mysqld to 127.0.0.1 with bind-address (if no local client needs TCP at all, skip-networking turns the TCP listener off entirely and leaves only the socket). You can also change the TCP port (I like to declare it explicitly, even if I'm using the default):

```ini
[mysqld]
# accept TCP connections on the loopback interface only
bind-address=127.0.0.1
socket=/var/lib/mysql/mysql.sock
port=3306

[mysql.server]
user=mysql
basedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
```
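After restarting mysqld, verify the binding from the outside rather than trusting the config file. The script below is an added example (not part of the original page): it reads `netstat -ltn` or `ss -ltn` output, both of which put the local address in column 4, and reports any listener on the MySQL port that is not on a loopback address. The two sample outputs embedded in it are constructed for illustration; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original page: confirm that mysqld listens on the
# loopback interface only. Pipe in "netstat -ltn" or "ss -ltn" output; both put
# the local address (address:port) in column 4.

# Print every TCP listener on the given port (default 3306) whose address is not
# loopback. Exit status 0 when none is found, 1 when at least one is exposed.
mysql_exposed_listeners() {
    awk -v port="${1:-3306}" '
        $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # strip the port, keep the address
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") {
                print $4
                exposed = 1
            }
        }
        END { if (exposed) exit 1; exit 0 }'
}

# Wrapper that turns the exit status into a word, for use in scripts.
# $1 = netstat/ss output as a single string.
mysql_bind_verdict() {
    if printf '%s\n' "$1" | mysql_exposed_listeners 3306 >/dev/null; then
        echo ok
    else
        echo exposed
    fi
}

# Constructed "netstat -ltn" output: the my.cnf above without bind-address,
# so mysqld is listening on every interface.
SAMPLE_DEFAULT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN'

# Constructed "ss -ltn" output after bind-address=127.0.0.1 (IPv6 sshd included
# to show that non-MySQL listeners are ignored).
SAMPLE_BOUND='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*'

# On a real host:  netstat -ltn | mysql_exposed_listeners || echo "mysqld is exposed"
```

Note that a bind-address of 127.0.0.1 does not stop a remote client from reaching mysqld through an SSH tunnel or a local proxy; it only removes the direct network path, which is why the grant tables still need cleaning up below.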

### Set a root password

A fresh install leaves the root account with an empty password. Setting one should be mandatory upon install (and the install scripts of some distros do enforce it), but here goes:

```sh
# mysqladmin -u root password <the new password>
```

Bear in mind that a password given on the command line ends up in the shell history and is visible to every local user in the process list while mysqladmin runs, so clear the history afterwards or set it from inside the mysql client with SET PASSWORD instead.

### Get rid of non-essential users and databases

Drop the test database and delete the anonymous accounts (the rows in mysql.user with an empty User column, which show up as ''@localhost and ''@hostname), leaving only root@localhost. Reload the grant tables afterwards, since changes made directly to mysql.user are not picked up until you do:

```
# mysql -u root -p
mysql> DROP DATABASE test;
mysql> DELETE FROM mysql.user WHERE User='';
mysql> FLUSH PRIVILEGES;
```
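The statements below are an added example (not part of the original page) that carry the cleanup through the other leftovers of a default install: they audit the accounts before anything is deleted, remove the root account for the machine's own hostname as well as the anonymous ones, and strip the rows in mysql.db that grant every account full access to databases named test or test_anything even after the test database itself is gone. They assume the classic grant-table layout with a Password column in mysql.user (MySQL 3.23 through 5.6; from 5.7 the column is authentication_string).

```sql
-- Added example, not from the original page: audit, then strip, the default
-- accounts and privileges left behind by mysql_install_db. Run as root@localhost.

-- 1. Audit first: see exactly which accounts exist and which have no password
--    (assumes the pre-5.7 Password column).
SELECT User, Host, Password = '' AS no_password
FROM mysql.user
ORDER BY User, Host;

-- 2. Anonymous accounts (empty User column): ''@localhost and ''@<hostname>.
DELETE FROM mysql.user WHERE User = '';

-- 3. root accounts for anything other than the local host; the default
--    install also creates root@<hostname>, which is reachable over TCP.
DELETE FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';

-- 4. The test database, plus the mysql.db rows that let any account use
--    databases named test or test_<anything>. The second Db value is the
--    literal string test\_% as stored by mysql_install_db (\_ is not an
--    escape outside a LIKE pattern, so the backslash is kept).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

-- 5. Reload the in-memory grant tables; direct DELETEs on mysql.* do not
--    take effect until this runs (GRANT/REVOKE would, but these rows have
--    no GRANT equivalent).
FLUSH PRIVILEGES;

-- 6. Verify: only root@localhost should remain.
SELECT User, Host FROM mysql.user;
```

Run the audit query in step 1 before the deletes on any server that has been in use for a while; an application account with Host = '%' that someone created later would survive step 3 untouched, and you want to know it is there.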