Improve MySQL Installation Security using mysql_secure_installation

January 16, 2021

In this article, we demonstrate how to secure a MySQL installation. The mysql_secure_installation program lets you improve the security of your MySQL installation in the following ways:

  • You can set a password for root accounts.
  • You can remove root accounts that are accessible from outside the localhost.
  • You can remove anonymous-user accounts.
  • You can remove the test database (which by default can be accessed by all users, even anonymous users), and privileges that permit anyone to access databases with names that start with test_.

The mysql_secure_installation utility checks whether the validate_password plugin is installed. If it is not installed, the utility asks whether to install it. Any passwords entered later are checked using the plugin if it is enabled.


Before executing the mysql_secure_installation utility, make sure the plugin_dir parameter is set to the correct location and that the file component_validate_password.so exists in plugin_dir. Note that the validate_password plugin is not configured here because this MySQL instance was configured manually from the binaries tar.

mysql> show variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /u01/mysql-8/lib/plugin/ |
+---------------+--------------------------+
1 row in set (0.01 sec)

mysql> system ls -ltr /u01/mysql-8/lib/plugin/component_validate_password.so
-rwxr-xr-x. 1 mysql mysql 259704 Sep 23 22:21 /u01/mysql-8/lib/plugin/component_validate_password.so
mysql>
mysql> show variables like '%validate_password%';
Empty set (0.00 sec)

mysql>


Now we are ready to execute mysql_secure_installation. Note that I am using the -S (socket file) option because I am connecting to the second MySQL server instance, which runs on the non-default port 3307.

[root@test-machine02 lib]#  mysql_secure_installation -hlocalhost -uroot -p -S/u01/mysql-2/mysql.sock
Enter password:

Securing the MySQL server deployment.


VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary                  file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : n

 ... skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done!
[root@test-machine02 lib]#


mysql> show variables like '%validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password.check_user_name    | ON     |
| validate_password.dictionary_file    |        |
| validate_password.length             | 8      |
| validate_password.mixed_case_count   | 1      |
| validate_password.number_count       | 1      |
| validate_password.policy             | MEDIUM |
| validate_password.special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)

mysql>
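
The queries below re-check, in SQL, each item the utility changed in the session above, so the result can be audited later or on other instances. This is an added example, not part of the original article or of the MySQL distribution; it assumes MySQL 8.0 system tables and an account allowed to read the mysql schema, and the password literal is a constructed sample.

```sql
-- Post-hardening audit for the steps performed by mysql_secure_installation.
-- For checks 1-4, any returned row is a finding to investigate.

-- 1. Anonymous accounts (empty user name).
SELECT user, host
  FROM mysql.user
 WHERE user = '';

-- 2. root accounts that can connect from anywhere other than the local host.
SELECT user, host
  FROM mysql.user
 WHERE user = 'root'
   AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Unlocked accounts with an empty password hash
--    (only the built-in password-based authentication plugins are considered).
SELECT user, host, plugin
  FROM mysql.user
 WHERE COALESCE(authentication_string, '') = ''
   AND account_locked = 'N'
   AND plugin IN ('mysql_native_password', 'caching_sha2_password');

-- 4. The test database, and database-level grants on test or test_* names.
SELECT schema_name
  FROM information_schema.schemata
 WHERE schema_name = 'test';

SELECT host, db, user
  FROM mysql.db
 WHERE db LIKE 'test%';

-- 5. The validate_password component should be registered and configured.
--    Here a missing row or an empty variable list is the finding.
SELECT component_urn
  FROM mysql.component
 WHERE component_urn = 'file://component_validate_password';

SHOW VARIABLES LIKE 'validate_password%';

-- 6. Score a candidate password against the active policy (0 to 100).
--    The literal is a constructed sample, not a real credential.
SELECT VALIDATE_PASSWORD_STRENGTH('Constructed-Sample-1!') AS strength;
```

Run it through the same socket as the session above, for example by saving it to a file and using the mysql client's source command.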


Reference : https://dev.mysql.com/doc/refman/8.0/en/mysql-secure-installation.html


This document is for learning purposes only; always validate in the LAB environment first before applying in the LIVE environment.



Hello and welcome to DBsGuru. I’m Jamsher Khan, working as a Senior Oracle DBA based in KSA-Jeddah. I have working experience in Oracle DBA, SQL Server, MySql, PostgreSQL, Linux, Golden Gate, ODA. Thanks for the visits! Share Learn Grow!
