MySQL is a kind of database management system and it is widely used in servers and especially for web servers with cPanel or Plesk installed. Server security is an inevitable aspect of server management and securing MySQL is imperative.
For cPanel server, MySQL is pre-installed. MySQL is very robust and widely used in many CMS applications in web server such as WordPress, Joomla, Magento and so on.
Basic Security Options
1. Install CSF ( Config Server Firewall ) and block the MySQL outgoing port globally, so that if anyone needs to connect to our MySQL server, we can enable this 3306 port separately in csf configurations.
2. Mysql root password is stored in /root/.my.cnf file.
password=”mysqlrootpassword”
user=root
If you type the below command and if you are able to access MySQL server without prompting MySQL password, then this is because the MySQL password is stored in /root/.my.cnf.
myserver@root# mysql-u root
mysql>
Thus, its always better to save this password somewhere else and delete the entries in that file.
3. cPanel default script
Once you install cPanel, its always better to run the following script
/scripts/securemysql
This command will execute a lot of inbuilt commands specified in this script and do the following
- It will remove any anonymous users.
- It will expel the test database.
- It will remove global lock tables and make tmp table benefits from clients.
- It will evacuate remote root login.
- It will expel shaky swarm login and benefits.
- It will evacuate crowd clients with a clear secret key.
This command will check the permissions of the directory /var/lib/MySQL has been set correctly (This is the MySQL database directory and this should own by the user MySQL)
4. Password policy in WHM
Providing a secure password for all MySQL users is imperative and it will harden the security of MySQL server.
MySQL usually stores all users data in the table mysql user, and we should not give access to this table to any non-administrative users.
WHM >> Home >> Security Center >> Password Strength Configuration
Here you can increase the password strength for MySQL users.
Tweaking system variables
The default MySQL configuration file is /etc/my.cnf. An administrator can set certain system variables to set MySQL server
skip-name-resolve
This is a global scope variable and while this directive is set, this will not resolve hostname while checking client connections.
local-infile
local-infile=0 in /etc/my.cnf
if this directive not disabled like above, anyone can load a file that is located on the server host by using LOCAL in LOAD DATA statements.
skip-show-database
This is a global scope variable and once it enabled in the my.cnf file, the show database command will be disabled entirely. It will improve security as it will reduce the chances of any intruders to get information remotely by this MySQL command
Other practices
1. Disable MySQL history file.
The MySQL client writes all executed commands in .mysql_history located in user’s home directory. This is a hidden file. This is dangerous as because it usually contains passwords as well as commands associated with MySQL. Running the below command will fix the issue.
ln -sf/dev/null ~/.mysql_history
2. If you do not need remote access to the MySQL server, it’s better to disable MySQL from listening to TCP port 3306 connections. open my.cnf file and add, skip-networking
These are the common methods available to secure MySQL on cPanel installed servers.