kikinovak |
01-21-2013 02:29 AM |
Securing MySQL
Hi,
Usually, I install and configure MySQL like this:
Code:
# cd /etc/mysql
# cp my-small.cnf my.cnf
# mysql_install_db
# chown -R mysql:mysql /var/lib/mysql
# chmod 0755 /etc/rc.d/rc.mysqld
# /etc/rc.d/rc.mysqld start
# mysql_secure_installation
...
Set root password? [Y/n]
...
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.
...
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
+--------------------+
2 rows in set (0.00 sec)
mysql> use mysql;
Database changed
mysql> select user, host, password from user;
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | *6883418C147A759B04D78A2D1E4E0C5BB0CDD1B4 |
| root | 127.0.0.1 | *6883418C147A759B04D78A2D1E4E0C5BB0CDD1B4 |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
mysql> quit
Bye
On recent versions of MySQL, there's also a root@::1 user defined. Since I don't use IPv6 for now and deactivate it, I also drop this user.
Now I wonder if there's some extra security to be gained by adding the following statement to my.cnf:
Code:
bind-address = 127.0.0.1
Debian and Ubuntu add this statement out of the box, but not Slackware, so I wonder if it makes sense to add it. In theory, since I only have root@localhost and root@127.0.0.1 defined explicitly as users, folks from remote machines shouldn't be able to connect remotely.
What's your opinion on this?
|