BestHub
Sign in
Information Security 8 min read

Essential Linux MySQL/MariaDB Security Practices Every Admin Should Follow

This guide outlines twelve practical steps to harden MySQL and MariaDB on Linux, covering secure installation, network binding, disabling unsafe features, changing defaults, enabling logging, proper permissions, history cleanup, safe credential handling, application‑specific users, security plugins, password rotation, and regular package updates.

Programmer DD
Programmer DD
Programmer DD
Essential Linux MySQL/MariaDB Security Practices Every Admin Should Follow

1. Secure MySQL Installation

After installing MySQL/MariaDB, run # mysql_secure_installation to set a root password, disable remote root login, and remove anonymous users and test databases.

Secure installation UI
Secure installation UI

2. Bind Server to Loopback Address

Edit the server’s main configuration file ( /etc/my.cnf for RHEL/CentOS or /etc/mysql/my.cnf for Debian/Ubuntu) and add the line bind-address = 127.0.0.1 under the [mysqld] section so the server only accepts local connections.

3. Disable LOCAL INFILE

Set local-infile=0 in the [mysqld] section to prevent the server from reading files from the client’s filesystem.

4. Change Default Port

Modify the port variable in the [mysqld] section, e.g., Port=5000, to move away from the default 3306.

5. Enable Logging

Add a log file path, for example log=/var/log/mysql.log, to the [mysqld] section to record server activity.

6. Set Proper File Permissions

Restrict configuration file access so only root can modify it, e.g., # chmod 644 /etc/my.cnf.

7. Clear MySQL Shell History

Empty the history file with # cat /dev/null > ~/.mysql_history to remove stored commands and passwords.

8. Avoid Passwords on Command Line

Do not invoke MySQL with a password on the command line (e.g., # mysql -u root -ppassword_). Instead use # mysql -u root -p and enter the password when prompted.

Password entry UI
Password entry UI

9. Create Application‑Specific Users

For each application, create a dedicated database user, grant only the necessary privileges, and flush privileges. Example:

# mysql -u root -p
CREATE DATABASE osclass_db;
CREATE USER 'osclassdmin'@'localhost' IDENTIFIED BY 'osclass@dmin%!2';
GRANT ALL PRIVILEGES ON osclass_db.* TO 'osclassdmin'@'localhost';
FLUSH PRIVILEGES;
exit;

10. Use Security Plugins

MySQL includes built‑in security plugins for authentication, password verification, and secure storage of sensitive information. Refer to the official documentation for a full list.

11. Rotate Passwords Regularly

Periodically update passwords with an UPDATE statement and flush privileges, for example:

USE mysql;
UPDATE user SET password=PASSWORD('YourPasswordHere') WHERE User='root' AND Host='localhost';
FLUSH PRIVILEGES;

12. Keep Server Packages Updated

Regularly run the appropriate package manager commands ( # yum update or # apt update) and restart the service after any changes ( # systemctl restart mariadb for RHEL/CentOS, # systemctl restart mysql for Debian/Ubuntu).

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LinuxBest PracticesMySQLsecurityMariaDBDatabase Hardening
Programmer DD
Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment