Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Eyal Estrin
Author
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.
  1. Log in to the server using the root account.
  2. Create a new account:

         groupadd mysql
         useradd -d /dev/null -g mysql -s /bin/false mysql
  3. Download MySQL server and client RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
  4. Copy the MySQL 5.1.47 RPM files using PSCP (or SCP) into /tmp
  5. Move to /tmp:

         cd /tmp
  6. Install the MySQL packages:

         rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
         rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  7. Delete the MySQL RPM files:

         rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
         rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  8. Run the commands below to set ownership and permissions:

         chown -R root /usr/bin/mysql*
         chown -R mysql:root /var/lib/mysql
         chmod -R go-rwx /var/lib/mysql
         mkdir -p /var/log/mysql
         chown -R mysql:root /var/log/mysql
  9. Run the command below to copy the main configuration file:

         cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
  10. Run the commands below to remove the default test database folder and the sample configuration files:

          rm -rf /var/lib/mysql/test
          rm -f /usr/share/mysql/*.cnf
  11. Run the commands below to set ownership and permissions for the my.cnf file:

          chown root /etc/my.cnf
          chmod 644 /etc/my.cnf
  12. Edit the file /etc/my.cnf using vi. Add the lines below under the [mysqld] section:

          pid-file = /var/lib/mysql/mysqld.pid
          log = /var/log/mysql/mysql.log
          bind-address = 127.0.0.1

      Add the section below:

          [safe_mysqld]
          err-log = /var/log/mysql/mysql.err
  13. Run the command below to restart the target server:

          reboot
  14. Log in to the server using the root account.
  15. Run the commands below to set the password for the MySQL root user:

          /usr/bin/mysqladmin -u root password 'new-password'
          /usr/bin/mysqladmin -u root -h hostname password 'new-password'

      Note 1: Specify a complex password (at least 14 characters) and document it.

      Note 2: Replace “hostname” with the server FQDN (DNS name).
  16. Run the command below to log in to MySQL:

          /usr/bin/mysql -uroot -pnew-password

      Note: Replace the string “new-password” with the actual password for the root account.
  17. Run the following commands from the MySQL prompt:

          use mysql;
          DELETE FROM mysql.user WHERE user = '';
          DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
          DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
          DROP DATABASE test;
          DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
          FLUSH PRIVILEGES;
          quit
  18. Run the command below to stop the MySQL service:

          /etc/init.d/mysql stop
  19. Run the command below to start the MySQL service:

          /etc/init.d/mysql start
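
The file-level settings from steps 10 to 12 can be checked once the service is back up. The script below is an added example, not part of the original guide: the function names `cnf_get` and `audit_mysql` and the optional owner and data-directory arguments are this example's own, with defaults taken from the guide's paths.

```shell
#!/bin/sh
# Added example (not from the original guide): audit what steps 10-12 configure.
# Function names and the parameterised paths are assumptions of this example.

# Print the value of KEY in [SECTION] of an option file (last occurrence wins).
cnf_get() {  # usage: cnf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next } # section header
        cur == sec {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)   # option files accept bind_address and bind-address alike
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one FAIL line per deviation; the exit status is the number of deviations.
audit_mysql() {  # usage: audit_mysql CNF [OWNER] [DATADIR]
    cnf=$1 owner=${2:-root} datadir=${3:-/var/lib/mysql} n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }
    [ "$(cnf_get "$cnf" mysqld bind-address)" = 127.0.0.1 ] ||
        fail "[mysqld] bind-address is not 127.0.0.1 (step 12)"
    [ -n "$(cnf_get "$cnf" mysqld log)" ] ||
        fail "[mysqld] log is not set (step 12)"
    [ -n "$(cnf_get "$cnf" safe_mysqld err-log)" ] ||
        fail "[safe_mysqld] err-log is not set (step 12)"
    [ -n "$(find "$cnf" -user "$owner")" ] ||
        fail "$cnf is not owned by $owner (step 11)"
    [ -z "$(find "$cnf" \( -perm -020 -o -perm -002 \))" ] ||
        fail "$cnf is writable by group or others (step 11)"
    [ ! -e "$datadir/test" ] ||
        fail "$datadir/test still exists (step 10)"
    return "$n"
}

# Runs only when called with arguments, e.g.: sh audit.sh /etc/my.cnf
if [ $# -gt 0 ]; then audit_mysql "$@"; fi
```

A setting placed under the wrong section header (for example `bind-address` under `[client]`) is reported as missing, because the lookup is scoped to the named section.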