
How do you disable insecure mysql logins?

asked 2013-10-13 18:18:28 -0500


updated 2013-10-13 20:20:41 -0500

How do you harden a mysql server so that users cannot log in anonymously? See the mysql security documentation.

Here is how I create a mysql install & schema with the puppetlabs-mysql 2.0.0-rc5 module:

class { '::mysql::server':
  root_password => 'foo',
}

mysql::db { 'spencerTest':
  user     => 'myuser',
  password => 'mypass',
  host     => 'localhost',
  grant    => ['SELECT', 'LOCK TABLES', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'DROP', 'INDEX', 'ALTER'],
}

Yet, I am still able to log in as the following users without a password.

mysql -u localhost
mysql -u 127.0.0.1

The following users still exist:

mysql> select user,host,password from mysql.user;
+------------------+-----------+-------------------------------------------+
| user             | host      | password                                  |
+------------------+-----------+-------------------------------------------+
| root             | localhost | *F3A2A51A9B0F2BE2468926B4132313728C25XXX ...

1 Answer


answered 2013-10-13 19:55:11 -0500


updated 2013-10-13 20:32:14 -0500

To disable anonymous logins, use the remove_default_accounts flag like so:

class { '::mysql::server':
  root_password           => 'foo',
  remove_default_accounts => true,
  restart                 => true,
}

This will remove all local accounts from the mysql.user table that do not have passwords. In this example, it will drop 'localhost', 'gitlab', '127.0.0.1', '::1', leaving just the 3 rows that have a password. This is what is suggested in the mysql hardening guide.

mysql> select user,host,password from mysql.user;
+------------------+-----------+-------------------------------------------+
| user             | host      | password                                  |
+------------------+-----------+-------------------------------------------+
| root             | localhost | *F3A2A51A9B0F2BE2468926B4132313728C250DBF |
| root             | gitlab    |                                           |
| root             | 127.0.0.1 |                                           |
| root             | ::1       |                                           |
|                  | localhost |                                           |
|                  | gitlab    |                                           |
| debian-sys-maint | localhost | *95C1BF709B26A5BA97ADCD9E902BCAB6E0E91E8B |
| myuser           | localhost | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+------------------+-----------+-------------------------------------------+

Note, puppet ... (more)

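A way to verify the result described in the answer above, as an added example that is not part of the original post or of the puppetlabs-mysql module: it parses the output of `select user,host,password from mysql.user` and lists accounts that are anonymous or have no password. The function names are hypothetical, the sample table is constructed with placeholder hashes, and it assumes the `password` column shown on this page.

```python
# Added example: audit `select user,host,password from mysql.user` output.
# SAMPLE is constructed; the hash values are placeholders, not real hashes.
SAMPLE = """\
+------------------+-----------+-----------------------+
| user             | host      | password              |
+------------------+-----------+-----------------------+
| root             | localhost | *PLACEHOLDER_HASH_1   |
| root             | 127.0.0.1 |                       |
| root             | ::1       |                       |
|                  | localhost |                       |
| myuser           | localhost | *PLACEHOLDER_HASH_2   |
+------------------+-----------+-----------------------+
"""


def parse_user_table(text):
    """Turn mysql client table output into a list of dicts keyed by column."""
    rows = [
        [cell.strip() for cell in line.strip()[1:-1].split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip the +----+ border lines
    ]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def insecure_accounts(text):
    """Return (user, host, reason) for anonymous or passwordless accounts."""
    findings = []
    for row in parse_user_table(text):
        user, host = row.get("user", ""), row.get("host", "")
        if not user:
            findings.append((user, host, "anonymous account"))
        elif not row.get("password", ""):
            findings.append((user, host, "empty password"))
    return findings


if __name__ == "__main__":
    for user, host, reason in insecure_accounts(SAMPLE):
        print(f"'{user}'@'{host}': {reason}")
```

After a Puppet run with `remove_default_accounts => true`, feeding the same query output to `insecure_accounts` should return an empty list.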

Stats

Asked: 2013-10-13 18:18:28 -0500

Seen: 638 times

Last updated: Oct 16 '13