LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Securing MySQL (http://www.linuxquestions.org/questions/slackware-14/securing-mysql-4175446545/)

kikinovak 01-21-2013 02:29 AM

Securing MySQL
 
Hi,

Usually, I install and configure MySQL like this:

Code:

  # cd /etc/mysql
  # cp my-small.cnf my.cnf
  # mysql_install_db
  # chown -R mysql:mysql /var/lib/mysql
  # chmod 0755 /etc/rc.d/rc.mysqld
  # /etc/rc.d/rc.mysqld start
  # mysql_secure_installation
  ...
  Set root password? [Y/n]
  ...
  # mysql -u root -p
  Enter password:
  Welcome to the MySQL monitor.
  ...
  mysql> show databases;
  +--------------------+
  | Database          |
  +--------------------+
  | information_schema |
  | mysql              |
  +--------------------+
  2 rows in set (0.00 sec)

  mysql> use mysql;
  Database changed

  mysql> select user, host, password from user;
  +------+-----------+-------------------------------------------+
  | user | host      | password                                  |
  +------+-----------+-------------------------------------------+
  | root | localhost | *6883418C147A759B04D78A2D1E4E0C5BB0CDD1B4 |
  | root | 127.0.0.1 | *6883418C147A759B04D78A2D1E4E0C5BB0CDD1B4 |
  +------+-----------+-------------------------------------------+
  2 rows in set (0.00 sec)

  mysql> quit
  Bye

On recent versions of MySQL, there's also a root@::1 user defined. Since I don't use IPv6 for now and deactivate it, I also drop this user.

Now I wonder if there's some extra security to be gained by adding the following statement to my.cnf:

Code:

bind-address = 127.0.0.1
Debian and Ubuntu add this statement out of the box, but not Slackware, so I wonder if it makes sense to add it. In theory, since I only have root@localhost and root@127.0.0.1 defined explicitly as users, folks from remote machines shouldn't be able to connect remotely.

What's your opinion on this?

ppr:kut 01-21-2013 04:17 AM

Slackware uses --skip-networking by default, which disallows any connections over tcp/ip, be it from remote or from 127.0.0.1. You can only connect using named pipes or over the UNIX socket. So adding the bind-address statement does not provide any additional security.

kikinovak 01-21-2013 09:31 AM

Thanks very much for the information !

kikinovak 01-21-2013 09:57 AM

Quote:

Originally Posted by ppr:kut (Post 4874559)
Slackware uses --skip-networking by default, which disallows any connections over tcp/ip, be it from remote or from 127.0.0.1. You can only connect using named pipes or over the UNIX socket. So adding the bind-address statement does not provide any additional security.

Erm... I just took a peek at the source out of curiosity, and I couldn't find the option you mention. Where is it?

ppr:kut 01-21-2013 10:19 AM

It's in the rc.mysql script

kikinovak 01-21-2013 12:08 PM

OK thanks again !!!


All times are GMT -5. The time now is 01:24 PM.