Friday, May 21, 2010

Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

1. Log in to the server using the root account.
2. Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
3. Download the MySQL server and client RPMs from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Copy the MySQL 5.1.47 RPM files into /tmp using PSCP (or SCP).
5. Change to the /tmp directory:
cd /tmp
6. Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
7. Delete the MySQL RPM files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
8. Run the commands below to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
9. Run the command below to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
10. Run the commands below to remove the default test database folder and the sample configuration files:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
11. Run the commands below to set ownership and permissions for the my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
12. Edit the file /etc/my.cnf using vi.
Add the lines below under the [mysqld] section:
pid-file = /var/lib/mysql/mysqld.pid
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
Add the section below:
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
13. Run the command below to restart the target server:
reboot
14. Log in to the server using the root account.
15. Run the commands below to set the password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 1: Specify a complex password (at least 14 characters) and document it.
Note 2: Replace “hostname” with the server FQDN (DNS name).
16. Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
17. Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
18. Run the command below to stop the MySQL service:
/etc/init.d/mysql stop
19. Run the command below to start the MySQL service:
/etc/init.d/mysql start
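
One way to check the result of steps 11 and 12, as an added example that is not part of the original post. It reads my.cnf section by section, because a line appended after a later section header (for example at the end of the file copied from my-medium.cnf) is never read by mysqld. The function names mycnf_get, expect_setting and audit_mycnf are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the my.cnf settings
# from steps 11-12. All function names here are hypothetical helpers.

# Print the value of KEY inside [SECTION] of FILE; the last occurrence wins.
mycnf_get() {   # mycnf_get SECTION KEY FILE
    awk -v want="$1" -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   {                             # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (s == want); next
        }
        insec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/_/, "-", k) # pid_file == pid-file
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$3"
}

# Compare one setting with the value the guide prescribes.
expect_setting() {   # expect_setting FILE SECTION KEY VALUE
    got=$(mycnf_get "$2" "$3" "$1")
    [ "$got" = "$4" ] && return 0
    echo "FAIL [$2] $3: expected '$4', found '${got:-<unset>}'"
    return 1
}

# Return 0 only if FILE matches the settings from steps 11-12.
audit_mycnf() {
    rc=0
    expect_setting "$1" mysqld bind-address 127.0.0.1 || rc=1
    expect_setting "$1" mysqld pid-file /var/lib/mysql/mysqld.pid || rc=1
    expect_setting "$1" mysqld log /var/log/mysql/mysql.log || rc=1
    expect_setting "$1" safe_mysqld err-log /var/log/mysql/mysql.err || rc=1
    # chmod 644: the file must not be writable by group or others.
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL $1 is group- or world-writable"; rc=1
    fi
    return $rc
}

# Run the audit when a file is given, e.g.: sh audit.sh /etc/my.cnf
if [ "$#" -gt 0 ]; then audit_mycnf "$1"; fi
```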