Secure MySQL on AlmaLinux 9

Step 1 – Run mysql_secure_installation

mysql_secure_installation

Recommended answers:

  • Set root password: Yes
  • Remove anonymous users: Yes
  • Disallow root login remotely: Yes
  • Remove test database: Yes
  • Reload privilege tables: Yes

Step 2 – Restrict bind address

Edit my.cnf:

[mysqld]
bind-address = 127.0.0.1   # or a specific internal IP

Restart MySQL.

Step 3 – Audit user privileges

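-- List every account with its allowed host and authentication plugin
SELECT User, Host, plugin FROM mysql.user;
-- Remove passwordless accounts. Check the listing first: accounts that use a
-- socket plugin (auth_socket, unix_socket) also have an empty authentication_string.
DELETE FROM mysql.user WHERE authentication_string = '' AND User != '';
-- Reload the grant tables so the direct edit takes effect
FLUSH PRIVILEGES;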
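
Added example (not part of the original guide): a shell filter that turns the Step 3 account listing into findings for anonymous users, remote root, wildcard hosts and missing passwords. It assumes the query is extended with the authentication_string column and run through `mysql -N -B`; the function names, finding labels and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky rows in the Step 3 account listing.
# Real input (assumed invocation; -N drops the header, -B gives tab-separated rows):
#   mysql -N -B -e "SELECT User, Host, plugin, authentication_string FROM mysql.user" \
#     | audit_mysql_users

audit_mysql_users() {
    awk -F '\t' '
    {
        user = $1; host = $2; plugin = $3; auth = $4
        acct = "\047" user "\047@\047" host "\047"      # \047 is a single quote
        is_local  = (host == "localhost" || host == "127.0.0.1" || host == "::1")
        is_socket = (plugin == "auth_socket" || plugin == "unix_socket")

        if (user == "")                    print "ANONYMOUS\t" acct
        if (user == "root" && !is_local)   print "REMOTE_ROOT\t" acct
        if (index(host, "%") > 0)          print "WILDCARD_HOST\t" acct
        # Socket-authenticated accounts legitimately have no stored hash.
        if ((auth == "" || auth == "NULL") && !is_socket)
            print "NO_PASSWORD\t" acct
    }'
}

# Constructed sample rows (User, Host, plugin, authentication_string).
sample_rows() {
    printf '%s\t%s\t%s\t%s\n' \
        'root'    'localhost'    'caching_sha2_password' 'HASH-PLACEHOLDER' \
        'root'    '%'            'caching_sha2_password' 'HASH-PLACEHOLDER' \
        ''        'localhost'    'caching_sha2_password' '' \
        'appuser' '%'            'caching_sha2_password' 'HASH-PLACEHOLDER' \
        'backup'  '192.168.1.10' 'mysql_native_password' '' \
        'admin'   'localhost'    'auth_socket'           ''
}

sample_rows | audit_mysql_users
```

Each output line is a finding label, a tab, and the account in 'user'@'host' form, so the result can be reviewed before any account is changed or removed.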

Step 4 – Enable audit log (MySQL Enterprise or MariaDB Audit Plugin)

For community MySQL, use the general log temporarily:

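-- Set the file first so logging starts in the intended location
SET GLOBAL general_log_file = '/var/log/mysql/general.log';
-- The general log records every statement the server receives
SET GLOBAL general_log = 'ON';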

Step 5 – SSL/TLS connections

-- Check the server's TLS settings
SHOW VARIABLES LIKE '%ssl%';
-- Require SSL for a user:
ALTER USER 'appuser'@'%' REQUIRE SSL;

Step 6 – Firewall

Allow MySQL only from trusted IPs:

# Using firewalld (RHEL/AlmaLinux):
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=3306 protocol=tcp accept'
firewall-cmd --reload

# Using UFW (Ubuntu/Debian/Arch):
ufw allow from 192.168.1.0/24 to any port 3306