web analytics

Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd mysql
    useradd -d /dev/null -g mysql -s /bin/false mysql
  3. Download MySQL server and client RPM from:
    http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
  4. Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
  5. Move to /tmp
    cd /tmp
  6. Install the MySQL packages:
    rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
    rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  7. Delete the MySQL source files:
    rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
    rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  8. Run the commands bellow to set ownership and permissions:
    chown -R root /usr/bin/mysql*
    chown -R mysql:root /var/lib/mysql
    chmod -R go-rwx /var/lib/mysql
    mkdir -p /var/log/mysql
    chown -R mysql:root /var/log/mysql
  9. Run the command bellow to copy the main configuration file:
    cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
  10. Run the commands bellow to remove default folder:
    rm -rf /var/lib/mysql/test
    rm -f /usr/share/mysql/*.cnf
  11. Run the command bellow to set ownership and permissions for my.cnf file:
    chown root /etc/my.cnf
    chmod 644 /etc/my.cnf
  12. Edit using VI, the file /etc/my.cnf
    Add the strings bellow under the [mysqld] section
    pid-file = /var/lib/mysql/mysqld.pid
    log = /var/log/mysql/mysql.log
    bind-address = 127.0.0.1
    Add the section bellow:
    [safe_mysqld]
    err-log = /var/log/mysql/mysql.err
  13. Run the command bellow to restart the target server:
    reboot
  14. Login to the server using Root account.
  15. Run the commands bellow to set password for the MySQL root user:
    /usr/bin/mysqladmin -u root password 'new-password'
    /usr/bin/mysqladmin -u root -h hostname password 'new-password'
    Note 1: Specify complex password (at least 14 characters) and document it.
    Note 2: Replace “hostname” with the server FQDN (DNS name)
  16. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  17. Run the following commands from the MySQL prompt:
    use mysql;
    DELETE FROM mysql.user WHERE user = '';
    DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
    DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
    DROP DATABASE test;
    DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
    FLUSH PRIVILEGES;
    quit
  18. Run the command bellow to stop the MySQL service:
    /etc/init.d/mysql stop
  19. Run the command bellow to start the MySQL service:
    /etc/init.d/mysql start

4 Responses to “Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)”

Leave a Reply