MySQL for Linux VPS: how to secure the system

February 10, 2020

This open-source relational database management system is quite popular among those who host websites. It’s free and it offers all the necessary features for running servers and related applications. Like most software, it has certain security measures in place that protect it from various viruses, malware and hacker attacks. While most of the default settings are satisfactory, certain changes can be made to better secure this program. There are a few steps every Linux VPS user can take to improve the protection of their MySQL system against intruders.

 

Optimal setting changes

It’s best to secure the software during installation. Users usually set a new password for the root account by using the “mysql_secure_installation” script, disable remote root user logins, and remove anonymous-user accounts. After the initial setup, it’s advised to:

  • Require all MySQL accounts to have a password. The program cannot identify which person is physically running it. Anyone can access it just by invoking it as “mysql -u other_user db_name” if “other_user” has no password. When all accounts are password-protected, it’s much harder to connect through them to the system and change the files crucial to MySQL and the Linux VPS.
  • Never run the MySQL server as the Unix root user. Any user that has the FILE privilege can then create files as root, which is dangerous for the software. Mysqld should be run as an ordinary, unprivileged user. Minimize this risk by creating a separate Unix account and using it only for administering MySQL.
  • Encrypt binary and relay log files. Encryption protects sensitive data contained in these from unauthorized viewing and from being misused by potential attackers. To enable this on the software, set the “binlog_encryption” variable to “ON”.

These simple changes will ensure better protection for MySQL and, in turn, your Linux VPS servers and applications. Unauthorized people won’t be able to access and change any sensitive data.

 

Additional permission settings

There are a few supplementary things that users can do to secure this system, and they have to do with permissions and privileges. It’s recommended to practice a couple of methods:

  • Don’t grant the FILE or PROCESS privilege to nonadministrative users. Any user that has these permissions can create and read files in the system or see the server process list and statements issued by others. This is very dangerous as attackers can easily abuse this power to terminate client connections, change server operations, control replication servers and more.
  • Don’t permit the use of symlinks to tables. Disable this capability with the “--skip-symbolic-links” option. This is crucial if mysqld is run as root because anyone can access and rewrite the server’s data directory and delete any files that are essential to the system and Linux VPS servers.

These privileges should only be granted to a limited number of trusted users to avoid any potential attacks or file deletion.
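The checks from both lists can be run as one audit. The following is an added example, not part of the original article: it inspects a my.cnf fragment and rows from the mysql.user table. The sample data is constructed, and the function names and the ADMINS set are assumptions made for illustration.

```python
import configparser

# Constructed sample input (not from a real server): my.cnf fragments, and rows shaped like
# SELECT user, host, plugin, authentication_string, File_priv, Process_priv FROM mysql.user
SAMPLE_CNF = "[mysqld]\nuser = root\nbinlog_encryption = OFF\nsymbolic-links = 1\n"
HARDENED_CNF = ("!includedir /etc/mysql/conf.d/\n[mysqld]\nuser = mysql\n"
                "binlog-encryption = ON\nskip-symbolic-links\n")
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "auth_socket", "", "Y", "Y"),
    ("other_user", "%", "caching_sha2_password", "", "N", "N"),
    ("webapp", "10.0.0.%", "caching_sha2_password", "$A$005$constructed", "Y", "N"),
]
ADMINS = {"root"}  # assumption: accounts allowed to hold FILE/PROCESS
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password", "sha256_password"}
TRUE_VALUES = {None, "", "1", "on", "true"}  # a bare option counts as enabled

def audit_config(text):
    """Check the [mysqld] section against the settings recommended above."""
    # configparser cannot parse !include/!includedir directives, so drop them.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(body)
    # MySQL treats '-' and '_' in option names as equivalent.
    opts = {k.replace("-", "_"): (v.strip().lower() if v else v)
            for k, v in cp.items("mysqld")} if cp.has_section("mysqld") else {}
    findings = []
    if opts.get("user") == "root":
        findings.append("mysqld is configured to run as the Unix root user")
    if opts.get("binlog_encryption") not in ("on", "1", "true"):
        findings.append("binlog_encryption is not ON")
    links_off = (("skip_symbolic_links" in opts and opts["skip_symbolic_links"] in TRUE_VALUES)
                 or opts.get("symbolic_links") in ("0", "off", "false"))
    if not links_off:
        findings.append("symbolic links to tables are not disabled")
    return findings

def audit_accounts(rows, admins=ADMINS):
    """Flag passwordless accounts and FILE/PROCESS grants outside the admin set."""
    findings = []
    for user, host, plugin, auth, file_priv, process_priv in rows:
        name = f"'{user}'@'{host}'"
        # Socket-authenticated accounts legitimately store no password hash.
        if plugin in PASSWORD_PLUGINS and not auth:
            findings.append(f"{name} has no password")
        if user not in admins:
            for priv, val in (("FILE", file_priv), ("PROCESS", process_priv)):
                if val == "Y":
                    findings.append(f"{name} holds {priv} but is not an administrator")
    return findings
```

An empty list from both functions means every recommendation in this article is met for the inspected configuration and accounts.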

Securing the MySQL program is easier than it looks. All it takes is these few additional changes to the default settings. They are vital for those who want to prevent unauthorized people from accessing, changing, or erasing sensitive data and other important system tasks. This ensures better protection of the database and the applications dependent on it, like Linux VPS systems.