Hardening a fresh MySQL or MariaDB server removes the default database access that does not belong on a production host, such as anonymous logins, the shared test database, and overly broad administrative access. Running the secure-installation utility before application users and remote clients are added closes those defaults while the server is still in a controlled post-install state.
The secure-installation utility connects to the local server and walks through the common post-install lock-down tasks: root authentication, anonymous-user removal, remote root restrictions, test-database removal, and a privilege-table reload. Current MariaDB releases prefer mariadb-secure-installation, while MySQL continues to use mysql_secure_installation.
Prompt order and exact wording vary by server family and package source. MariaDB 10.4 and later often start with a root account that is already protected by unix_socket, so the script can explicitly say that answering n is safe for the socket-switch and root-password prompts. MySQL can instead ask for the current or temporary root password and may offer to install the validate_password component, so keep a local console session open until you have confirmed that administrative login still works after the hardening pass.
Steps to secure a MySQL or MariaDB installation:
- Open a local console session on the database host with an account that can use sudo.
Run the hardening utility locally, not through an application account or a remote root session that could be disabled before verification is complete.
- Run the secure-installation utility for the server family that is installed.
```
$ sudo mariadb-secure-installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

Enter current password for root (enter for none):
OK, successfully used password, moving on...

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.

Change the root password? [Y/n] n
 ... skipping.

Remove anonymous users? [Y/n] y
 ... Success!

Disallow root login remotely? [Y/n] y
 ... Success!

Remove test database and access to it? [Y/n] y
 ... Success!

Reload privilege tables now? [Y/n] y
 ... Success!

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.
```
Use sudo mysql_secure_installation on MySQL. MariaDB 10.5 and later renamed the preferred command to mariadb-secure-installation, although many Linux packages still ship mysql_secure_installation as a compatibility name.
If the MySQL installation already assigned or generated a root password, enter that current value at the first prompt instead of pressing Enter.
- Apply the hardening choices intentionally instead of answering every prompt blindly.
Keep anonymous users removed, disallow remote root login, remove the test database, and reload privileges. If MariaDB already protects root with unix_socket and local OS-authenticated administration is acceptable, leaving the socket-authentication and root-password prompts at n preserves that local-only model. If MySQL offers to install the validate_password component, enable it when the server should enforce password-strength rules.
- Confirm that local administrative access still works before leaving the console.
```
$ sudo mariadb --table -e "SELECT VERSION();"
+----------------+
| VERSION()      |
+----------------+
| 12.2.2-MariaDB |
+----------------+
```
Use sudo mysql when the MySQL root account still uses socket-based authentication. If the script changed root to password authentication, verify with mysql -u root -p --table -e "SELECT VERSION();" instead.
- Verify that the anonymous accounts were removed.
```
$ sudo mariadb -vvv -e "SELECT User, Host FROM mysql.user WHERE User = '';"
--------------
SELECT User, Host FROM mysql.user WHERE User = ''
--------------

Empty set (0.001 sec)

Bye
```
- Verify that root is now limited to the local host.
```
$ sudo mariadb --table -e "SELECT User, Host FROM mysql.user WHERE User = 'root';"
+------+-----------+
| User | Host      |
+------+-----------+
| root | localhost |
+------+-----------+
```
Any root row for '%', a remote IP address, or another hostname should be removed or corrected before relying on the hardening pass.
- Check the full root authentication definition when the server is MariaDB.
```
$ sudo mariadb -e "SHOW CREATE USER 'root'@'localhost'\G"
*************************** 1. row ***************************
CREATE USER for root@localhost: CREATE USER `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket
```
On MariaDB 10.4 and later, SHOW CREATE USER is more reliable than checking only mysql.user.plugin because the account can still keep unix_socket authentication even when the plugin column shows mysql_native_password. On MySQL, the same check commonly shows a single authentication method such as auth_socket or caching_sha2_password.
- Verify that the test database is gone.
```
$ sudo mariadb -vvv -e "SHOW DATABASES LIKE 'test';"
--------------
SHOW DATABASES LIKE 'test'
--------------

Empty set (0.000 sec)

Bye
```
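The verification steps above are run by hand, one query at a time. The script below, added here as an example and not code from the original article or from the MariaDB or MySQL projects, folds them into a single repeatable audit: it flags anonymous accounts, root accounts reachable from any host other than localhost, 127.0.0.1 and ::1 (the host set the secure-installation script keeps), and a surviving test database or the default mysql.db grants on test and test\_%. The check functions take the query results as plain text, so they can be exercised offline on constructed rows; live_users and live_databases show how the same text is collected from a real server and assume the mariadb client, sudo and a POSIX awk. The file name audit.sh and the --live switch are assumptions for illustration.

```shell
#!/bin/sh
# Post-hardening audit for MySQL/MariaDB: added example, not code from the
# original article or from the MariaDB/MySQL projects. The check functions
# take query results as plain text so they can run offline on constructed
# rows; live_users()/live_databases() collect the same text on a real host
# (assumes the mariadb client, sudo and a POSIX awk).

# Input: rows of "SELECT User, Host FROM mysql.user", tab-separated, no
# header. Prints one finding per line for anonymous accounts and for root
# accounts reachable from anything but the local host (the same host set
# the secure-installation script keeps). Exit status = number of findings.
audit_user_rows() {
    printf '%s\n' "$1" | awk -F'\t' '
        NF == 0 { next }                     # skip blank lines
        $1 == "" { printf "anonymous account allowed from host %s\n", $2; n++ }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "root login allowed from host %s\n", $2; n++
        }
        END { exit n + 0 }'
}

# Input: database names, one per line, from SHOW DATABASES plus the Db
# column of mysql.db. Flags the test database itself and the default
# grants on test and test\_% (the pattern the script deletes from mysql.db);
# an unrelated database such as "testing" is not flagged.
audit_databases() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        $1 == "test" || index($1, "test_") == 1 || index($1, "test\\_") == 1 {
            printf "test database or grant still present: %s\n", $1; n++
        }
        END { exit n + 0 }'
}

# Runs both checks; returns 0 only when nothing was flagged.
run_audit() {
    findings=0
    audit_user_rows "$1" || findings=$((findings + $?))
    audit_databases "$2" || findings=$((findings + $?))
    [ "$findings" -eq 0 ] && echo "audit clean" && return 0
    echo "$findings finding(s); rerun the secure-installation pass or fix them by hand"
    return 1
}

# Live collection on a real host (use "sudo mysql" on MySQL). -N drops the
# header row and -B prints unboxed, tab-separated rows that awk can parse.
live_users() {
    sudo mariadb -N -B -e "SELECT User, Host FROM mysql.user;"
}
live_databases() {
    sudo mariadb -N -B -e "SHOW DATABASES LIKE 'test%';
                           SELECT DISTINCT Db FROM mysql.db WHERE Db LIKE 'test%';"
}

# Usage on the database host (assumed file name):  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    run_audit "$(live_users)" "$(live_databases)"
fi
```

Run it with --live after the secure-installation pass; a non-zero exit status means at least one default is still in place and the relevant prompt should be re-run or the row dropped by hand. Because the checks read the raw rows rather than the boxed --table output, the same script works unchanged against MySQL once the client name is swapped.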
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
