This howto outlines the steps to add a new user to MySQL, and grant the new user permissions on a specific database.
Having a secure, hard-to-guess MySQL root password is critical on production servers. If you don’t currently have a strong MySQL root password, please update it using the details below. Likewise, if you think someone who shouldn’t know the password may know it, change the password immediately.
Run the following SQL statement on the MySQL server to change the root user's password:
UPDATE mysql.user SET Password=PASSWORD('1234') WHERE User='root';
Replace '1234' with the password you would like to set. Make sure you set a strong password.
If you want to include \ or ' characters in the password, they will need to be escaped.
Replace ‘root’ with the name of another MySQL user account if you wish to change their password instead.
After making changes to permissions/user accounts, make sure you flush the privilege tables using the following command:
FLUSH PRIVILEGES;
This will make any changes take effect immediately.
To keep a MySQL database server secure, you should only allow root logins from the local machine (localhost, 127.0.0.1 for IPv4, and ::1 for IPv6).
Run the following SQL script against the MySQL server, to remove all access from remote hosts for the ‘root’ user account:
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
After making changes to permissions/user accounts, make sure you flush the privilege tables using the following command:
FLUSH PRIVILEGES;
MySQL includes an anonymous user account that allows anyone to connect into the MySQL server without having a user account. This is meant only for testing, and should be removed before the database server is put into a production environment.
Run the following SQL script against the MySQL server to remove the anonymous user account:
DELETE FROM mysql.user WHERE User='';
After making changes to permissions/user accounts, make sure you flush the privilege tables using the following command:
FLUSH PRIVILEGES;
A standard installation of MySQL includes a number of tools to manage the database server. One of these tools is the ‘mysql_secure_installation’ script. This script guides the user through setting a secure MySQL root password, removing the anonymous user account, disabling remote root connections, removing the test database, and finally reloading the privilege tables so that all the changes made are active.
To execute the script, simply run the following command:
$ mysql_secure_installation
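In summary, these are the questions that you will be prompted for:
- Change the root password? [Y/n]
- Remove anonymous users? [Y/n]
- Disallow root login remotely? [Y/n]
- Remove test database and access to it? [Y/n]
- Reload privilege tables now? [Y/n]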
You should generally select ‘Y’ to all these options. You can select ‘N’ to the first one, if you already have a strong root password.
Example output:
$ mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current password for the root user. If you've just installed MySQL, and you haven't set the root password yet, the password will be blank, so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed! Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL installation should now be secure.

Thanks for using MySQL!

$
Nginx (pronounced Engine-X) is a fast & lightweight HTTP and HTTPS web server (it can also act as a reverse proxy, and perform load balancing).
(Note: this is an updated version of a similar how to located here, but this article uses the php-cgi package instead of php-fpm, and uses only the default Ubuntu repositories.)
Its small memory footprint requirements make it great for systems with small amounts of memory, such as low end cloud servers. Nginx is great for serving static files to users, and is capable of handling more than 10,000 simultaneous connections, but it lacks the embedded module support for PHP as Apache does.
Thankfully you can use the php5-cgi package to add PHP support to Nginx, and end up with a PHP enabled web server running on a low footprint setup. Nginx essentially offloads processing of .php files to the PHP fast cgi package, which in turn passes the interpreted script information back to Nginx, to return back to the end user.
The how to article below describes installing the usual components for the LAMP stack (Linux, Apache, MySQL, and PHP), however the Apache part is exchanged for Nginx.
Make sure the apt sources are up to date before installing:
$ sudo apt-get update
MySQL Configuration
Install MySQL:
$ sudo apt-get install -y mysql-server mysql-client
You will be asked to enter a “root” password for the MySQL server. Generate a strong password, type it in, and keep note of it for future reference.
PHP Configuration
To use PHP with Nginx, you require the PHP5-CGI package. Install PHP with php5-cgi and any other modules that you may require:
$ sudo apt-get install -y php5-cgi php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick \
    php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode \
    php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json
Note: You can modify the above command to add/remove individual PHP packages if needed. The php5-cgi package is however required when used with Nginx.
Download and set up the php-fastcgi init script for Ubuntu, using the following commands:
$ cd /etc/init.d
$ sudo wget -O php-fastcgi http://www.networkinghowtos.com/wp-content/uploads/scripts/php-fastcgi
$ sudo chmod +x php-fastcgi
$ sudo update-rc.d -f php-fastcgi defaults
The source for this file and more details can be found on the following page:
http://www.networkinghowtos.com/howto/ubuntu-php-fastcgi-init-script/
Start (or Restart) PHP Fast CGI:
$ sudo /etc/init.d/php-fastcgi restart
NGiNX Configuration
Install Nginx:
$ sudo apt-get install -y nginx
Edit the Nginx configuration file so that it knows what to do with .PHP files:
$ sudo nano /etc/nginx/sites-available/default
There will be a section with the heading starting with “pass the PHP scripts to FastCGI server” as seen below:
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
    #fastcgi_pass 127.0.0.1:9000;
    #fastcgi_index index.php;
    #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #includefastcgi_params;
#}
Uncomment the lines as shown below, and modify the “fastcgi_param” line to reflect your website folder path. In my example I am using /var/www.
Also take note of the space added to the “include” line. For some reason the example code in the config file was missing the space. Add this space (or tab) as per the below example.
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
    include fastcgi_params;
}
Save and exit the editor.
Please note that there could be potential security issues with this generic base configuration (particularly if you are running a publicly accessible website, and allow file uploads). If you would like further information on this, please read the blog post at https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ and also read through the Nginx documentation.
Start Nginx:
$ sudo /etc/init.d/nginx start
Conclusion and Testing
Create a .php file containing the following PHP code and save it in your website folder and call it test.php (/var/www/test.php in my example.):
<?php phpinfo(); ?>
Load up your site in a browser, and add the file /test.php to the url, and make sure it comes up with the usual PHP information page, and not just the source code for the .php file you created.
You should now have a working Nginx, PHP, and MySQL stack. Read the Nginx documentation for more detailed configuration options.
The Nginx documentation can be found on the Nginx website at http://nginx.org/
Nginx (pronounced Engine-X) is a fast & lightweight HTTP and HTTPS web server (it can also act as a reverse proxy, and perform load balancing).
Its small memory footprint requirements make it great for systems with small amounts of memory, such as low end cloud servers. Nginx is great for serving static files to users, and is capable of handling more than 10,000 simultaneous connections, but it lacks the embedded module support for PHP as Apache does.
Thankfully you can use the PHP FPM FastCGI package to add PHP support to Nginx, and end up with a PHP enabled web server running on a low footprint setup. Nginx essentially offloads processing of .php files to the PHP FPM Fast CGI package, which in turn passes the interpreted script information back to Nginx, to return back to the end user.
Note: If you encounter issues with adding the 3rd party repositories for php-fpm in this article, please see the revised article here:
Installing NGINX, PHP, and MySQL on Ubuntu 10.04 LTS using php-cgi.
This revised article linked above uses the php5-cgi module from the standard Ubuntu repositories, instead of php5-fpm from 3rd party repositories.
The how to article below describes installing the usual components for the LAMP stack (Linux, Apache, MySQL, and PHP), however the Apache part is exchanged for Nginx.
Make sure the apt sources are up to date before installing:
$ sudo apt-get update
Install MySQL:
$ sudo apt-get install -y mysql-server mysql-client
You will be asked to enter a “root” password for the MySQL server. Generate a strong password, type it in, and keep note of it for future reference.
Run through the “mysql_secure_installation” script to lock down the MySQL installation.
$ mysql_secure_installation
You will generally want to answer the prompts with “y”, apart from the first, asking if you want to change the root MySQL password. Assuming you set a strong password in the previous step, you can select “n” for this question.
Install Nginx:
$ sudo apt-get install -y nginx
To use PHP with Nginx, you require the PHP Fast CGI package. To install the PHP Fast CGI package on Ubuntu 10.04, you first need to add an additional repository:
$ sudo apt-get install -y python-software-properties
$ sudo add-apt-repository ppa:nginx/php5
$ sudo add-apt-repository ppa:brianmercer/php
$ sudo add-apt-repository ppa:brianmercer/php5
$ sudo add-apt-repository ppa:l-mierzwa/lucid-php5
Note: If you get errors here, check the comments for other repositories you can use instead.
Update the apt package sources again to ensure the newly added repository has been updated.
$ sudo apt-get update
Install PHP and any other modules that you may require:
$ sudo apt-get install -y php5-fpm php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick \
    php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode \
    php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json
Note: You can modify the above command to add/remove individual PHP packages if needed. The php5-fpm package is however required when used with Nginx.
Edit the Nginx configuration file so that it knows what to do with .PHP files:
$ sudo nano /etc/nginx/sites-available/default
There will be a section with the heading starting with “pass the PHP scripts to FastCGI server” as seen below:
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
    #fastcgi_pass 127.0.0.1:9000;
    #fastcgi_index index.php;
    #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #includefastcgi_params;
#}
Uncomment the lines as shown below, and modify the “fastcgi_param” line to reflect your website folder path. In my example I am using /var/www.
Also take note of the space added to the “include” line. For some reason the example code in the config file was missing the space. Add this space (or tab) as per the below example.
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
    include fastcgi_params;
}
Save and exit the editor.
Please note that there could be potential security issues with this generic base configuration (particularly if you are running a publicly accessible website, and allow file uploads). If you would like further information on this, please read the blog post at https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ and also read through the Nginx documentation.
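As an added example (not part of the original article or of the linked blog post), here is one way to tighten the base location block above; it applies equally to the php5-cgi setup earlier on this page. It assumes the article's /var/www web root and its 127.0.0.1:9000 FastCGI listener, and /uploads/ is a hypothetical upload directory.

```nginx
# Added example, not the article's own configuration.
# Assumptions: web root /var/www, PHP FastCGI on 127.0.0.1:9000,
# user uploads stored under /var/www/uploads/ (hypothetical path).

# Base block from the article, for comparison. Nginx forwards every URI
# that ends in .php to PHP without checking that such a file exists
# under the web root:
#
# location ~ \.php$ {
#     fastcgi_pass 127.0.0.1:9000;
#     fastcgi_index index.php;
#     fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
#     include fastcgi_params;
# }

# Tightened block.
location ~ \.php$ {
    root /var/www;

    # Return 404 from Nginx itself unless the requested .php file is
    # really present on disk; only existing scripts reach PHP.
    try_files $uri =404;

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # Build the script path from the root set above instead of
    # repeating the directory as a literal.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

# Upload directory: the ^~ modifier stops Nginx from evaluating regex
# locations (including the .php block above) for this prefix, so
# nothing stored here is ever handed to the FastCGI server.
location ^~ /uploads/ {
    root /var/www;
}

# Complementary PHP-side setting, in php.ini rather than in Nginx:
#   cgi.fix_pathinfo = 0
```

Run `sudo nginx -t` after editing to check the syntax before restarting Nginx.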
Restart PHP Fast CGI:
$ sudo /etc/init.d/php5-fpm restart
Note: php5-fpm should start automatically after being installed, but we will ensure that it is running by issuing the restart command.
Start Nginx:
$ sudo /etc/init.d/nginx start
Create a .php file containing the following PHP code and save it in your website folder and call it test.php (/var/www/test.php in my example.):
<?PHP phpinfo(); ?>
Load up your site in a browser, and add the file /test.php to the url, and make sure it comes up with the usual PHP information page, and not just the source code for the .php file you created.
You should now have a working Nginx, PHP, and MySQL stack. Read the Nginx documentation for more detailed configuration options.
The Nginx documentation can be found on the Nginx website at http://nginx.org/