Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Log in to the server using the root account.
- Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
- Download the MySQL server and client RPMs from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
- Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Delete the MySQL source files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Run the commands below to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
- Run the command below to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
- Run the commands below to remove the default folder:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
- Run the commands below to set ownership and permissions for the my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
- Edit the file /etc/my.cnf using vi:
Add the strings below under the [mysqld] section
pid-file = /var/lib/mysql/mysqld.pid
Add the section below:
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
- Run the command below to restart the target server:
reboot
- Log in to the server using the root account.
- Run the commands below to set the password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
Note 1: Specify a complex password (at least 14 characters) and document it.
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 2: Replace “hostname” with the server FQDN (DNS name)
- Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
- Run the command below to stop the MySQL service:
/etc/init.d/mysql stop
- Run the command below to start the MySQL service:
/etc/init.d/mysql start
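
The following check is an added example, not part of the original guide: it audits a my.cnf against the bind-address, log and file-permission steps above. It assumes the options must be effective in the [mysqld] group, since the server ignores an option placed under a group it does not read; the function names cnf_value and audit_mycnf are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a my.cnf against it.

# Print the effective value of KEY inside [GROUP]; the last assignment wins.
cnf_value() {  # usage: cnf_value FILE GROUP KEY
    awk -v grp="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # whole-line comment
        /^[ \t]*\[/   { g = $0; sub(/^[ \t]*\[/, "", g); sub(/\].*$/, "", g); next }
        g == grp {
            line = $0; sub(/[ \t]*#.*/, "", line)   # trailing comment
            n = index(line, "="); if (!n) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/_/, "-", k) # bind_address == bind-address
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one FAIL line per finding; exit status is the number of findings.
audit_mycnf() {  # usage: audit_mycnf FILE
    f=$1; findings=0
    bind=$(cnf_value "$f" mysqld bind-address)
    if [ "$bind" != "127.0.0.1" ]; then
        echo "FAIL: [mysqld] bind-address is '${bind:-unset}', expected 127.0.0.1"
        findings=$((findings + 1))
    fi
    logf=$(cnf_value "$f" mysqld log)
    case "$logf" in
        /var/log/mysql/*) ;;
        *) echo "FAIL: [mysqld] log is '${logf:-unset}', expected a file in /var/log/mysql"
           findings=$((findings + 1)) ;;
    esac
    # Step "chmod 644 /etc/my.cnf": nobody but the owner may write the file.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $f is writable by group or others"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against a file given on the command line, e.g. /etc/my.cnf.
if [ "$#" -gt 0 ]; then audit_mycnf "$1"; fi
```

Run it as root after editing /etc/my.cnf and before the reboot step; an exit status of 0 means all three checks passed.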