MariaDB is basically a clone of MySQL. MariaDB is created by the same people who created MySQL. There was uncertainty about what would happen to MySQL after Oracle bought. This uncertainty gave birth to MariaDB. Our aim in this article is to setup a secure MariaDB server that can accept connections from remote clients. This involves the following steps:
Announcement
You can find all my latest posts on medium.- Install the mariadb rpms
- Configure MariaDB to allow connections from a network interface
- Perform security hardening
- configure firewalld to allow mysql traffic
- Test the mariadb server setup
You can follow along this article using our MariaDB vagrant project on Github.
Install the mariadb rpms
The best way to install MariaDB is via group install:
$ yum groupinstall mariadb $ yum groupinstall mariadb-client
Configure MariaDB to allow connections from a network interface
By default, MariaDB doesnt allow any external mysql client’s to connect to it. This can be fixed by adding one of the MariaDB’s server’s network interfaces ip address to MariaDB’s main config file, /etc/my.cnf
, in particular we need to add this line under the ‘mysqld’ stanza:
$ cat /etc/my.cnf [mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links=0 # Settings user and group are ignored when systemd is used. # If you need to run mysqld under a different user or group, # customize your systemd unit file for mariadb according to the # instructions in http://fedoraproject.org/wiki/Systemd bind-address=10.2.4.10 [mysqld_safe] log-error=/var/log/mariadb/mariadb.log pid-file=/var/run/mariadb/mariadb.pid # # include all files from the config directory # !includedir /etc/my.cnf.d
In our example, our network interface’s ip address is ‘10.2.4.10’.
We still haven’t updated firewalld to allow mysql traffic. We’ll do that after security harding our mysql server
Perform security hardening
Security hardening our Mysql server is simply a case of running the mysql_secure_installation utility and providing information when prompted. this utility runs a series our sql scripts against our Mariadb setup. So before we can use this utility we first need to start+enable MariaDB:
$ systemctl start mariadb $ systemctl enable mariadb Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
Now we run the security utility:
$ mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): {I don't have a password yet so left this blank} OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. Set root password? [Y/n] Y New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] Y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] Y # this is the default, so that we override on host-by-host basis - see next article. ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] Y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] Y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
Now we restart the mariadb daemon:
$ systemctl restart mariadb
Now that our mariadb server is secure, we can now go ahead and open up the firewall:
$ firewall-cmd --permanent --add-service=mysql success $ systemctl restart firewalld
Test the MariaDB server setup
We can now test our setup by first trying to connect to our database, by running:
$ mysql -u root -p Enter password:
We specified the (p)assword option to tell our mysql that we want to get a password prompt. Note, at this stage we are not connecting to a particular database, just establishing an admin session with the mysql daemon. After entering the password, we get the mariadb interactive prompt:
[root@ntp-server ~]# mysql -u root -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 7 Server version: 5.5.56-MariaDB MariaDB Server Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
So now let’s run some hello-world like SQL, first will view a list of databases, then select a database, then view a list of tables in that data, then view the content of a particular table.
MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [mysql]> show tables; +---------------------------+ | Tables_in_mysql | +---------------------------+ | columns_priv | | db | | event | | func | | general_log | | help_category | | help_keyword | | help_relation | | help_topic | | host | | ndb_binlog_index | | plugin | | proc | | procs_priv | | proxies_priv | | servers | | slow_log | | tables_priv | | time_zone | | time_zone_leap_second | | time_zone_name | | time_zone_transition | | time_zone_transition_type | | user | +---------------------------+ 24 rows in set (0.00 sec) MariaDB [mysql]> pager less -SFX PAGER set to 'less -SFX' MariaDB [mysql]> SELECT * FROM user; +-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+- | Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | +-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+- | localhost | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | 127.0.0.1 | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | ::1 | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | +-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+- MariaDB [mysql]> quit Bye $
Note, the pager command is used to format a table output in a prettier format.
[post-content post_name=rhsca-quiz]
– Install the mariadb rpms
– Configure MariaDB to allow connections from a network interface
– Perform security hardening
– configure firewalld to allow mysql traffic
– Test the mariadb server setup
$ yum groupinstall mariadb
$ yum groupinstall mariadb-client
edit the file ‘/etc/my.cnf’
Add the following line to the [msqld] stanza:
bind-address={mariadb-server’s-ip-address}
to allow remote MySQL clients to connect to it.
$ systemctl start mariadb
$ systemctl enable mariadb
$ mysql_secure_installation
$ systemctl restart mariadb
$ firewall-cmd –permanent –add-service=mysql
$ systemctl restart firewalld
$ mysql -u root -p
# this will start a mysql terminal
show databases;
use customers;
show tables;