In cPanel, there is a built-in script named securemysql, located in /scripts. This script can be used to secure the MySQL server configuration through a number of selectable actions.
The script makes sure the MySQL root password is set, and checks that the MySQL database data directory is correctly owned by the user mysql so it cannot be read by rogue users or insecure / compromised PHP scripts.
To learn more about the options that can be used with the script, use the -h flag to print its help message:
root@aast [~]# /scripts/securemysql -h
securemysql 0.2
Options:
-q - Quiet execution
-F - Bypass the help message
-a - Specify additional actions (comma separated list), or blank for all
-h - Print this message and exit.
This script attempts to secure the MySQL configuration by doing the following:
(always executed) Ensure root password for MySQL is set.
(always executed) Changes ownership of /var/db/mysql or /var/lib/mysql to mysql
Additionally, the following actions can be specified:
[optional]
removeanon - Remove any anonymous users
removetestdb - Remove test database
removelockntmp - Remove global lock tables and create tmp table privileges from users
removeremoteroot - Remove remote root login
removehordeallhosts - Remove insecure horde login and privileges
removehordeblankpass - Remove horde users with blank password
Examples:
./securemysql -q -F -a removeanon,removetestdb,removelockntmp,removeremoteroot
./securemysql -q -F -a "removeanon, removetestdb, removelockntmp"
./securemysql -q -F -aremovehordeallhosts
The examples show common usages of the script, including removing anonymous users, removing test databases, removing the ability to log in remotely as root, and even fixing insecure Horde webmail SQL permissions.
The example below would remove any anonymous SQL users, remove test databases, remove the global lock tables and create tmp table privileges from users, and remove the ability to log in to MySQL as root remotely.
root@aast [~]# /scripts/securemysql -F -a removeanon,removetestdb,removelockntmp,removeremoteroot
Removing anonymous users ... Done
Removing remote root login ... Done
Dropping global lock tables and create tmp tables permissions ... Done
Removing all privileges for test db ... Done
Flushing privileges table ... Done.
Dropping test database... Done
root@cpanel [~]#
It is suggested to first back up the data directory and then run the securemysql script, to remove the possibility of your system being compromised due to anonymous users, weak or missing root privileges, or worse, the ability to log in as the root MySQL user remotely, from outside the server.
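To see which of these conditions exist before or after a run, the read-only audit below flags the rows that the optional actions removeanon, removeremoteroot, removelockntmp and removetestdb are aimed at. It is an added example, not part of cPanel's script. The function names, the loopback host list, the sample rows and the mapping of each action to mysql.user columns are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not cPanel's code): read-only audit for the conditions that
# securemysql's optional actions target. Nothing here modifies the server.

# Reads rows "User<TAB>Host<TAB>Lock_tables_priv<TAB>Create_tmp_table_priv".
audit_mysql_users() {
    awk -F'\t' '
        # removeanon: accounts with an empty user name
        $1 == "" { print "ANON_USER\t@" $2; next }
        # removeremoteroot: root from a non-loopback host (host list is an assumption)
        $1 == "root" {
            if ($2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1")
                print "REMOTE_ROOT\troot@" $2
            next
        }
        # removelockntmp: global LOCK TABLES or CREATE TEMPORARY TABLES on other users
        $3 == "Y" || $4 == "Y" { print "GLOBAL_LOCK_TMP\t" $1 "@" $2 }
    '
}

# Reads database names, one per line (removetestdb).
audit_mysql_databases() {
    awk '$0 == "test" { print "TEST_DB\t" $0 }'
}

# Constructed sample rows, standing in for mysql.user on an unhardened server.
sample_users() {
    printf 'root\tlocalhost\tY\tY\n'
    printf 'root\t%%\tY\tY\n'
    printf '\tlocalhost\tN\tN\n'
    printf '\thost.example\tN\tN\n'
    printf 'appuser\tlocalhost\tY\tN\n'
    printf 'cpuser_wp\tlocalhost\tN\tN\n'
}

# Constructed sample database list.
sample_databases() { printf 'information_schema\nmysql\ntest\ncpuser_wp\n'; }

if [ "${1:-}" = "--live" ]; then
    # Assumes the mysql client can log in as root without a prompt (e.g. via /root/.my.cnf).
    mysql -N -B -e "SELECT User, Host, Lock_tables_priv, Create_tmp_table_priv FROM mysql.user" | audit_mysql_users
    mysql -N -B -e "SHOW DATABASES" | audit_mysql_databases
else
    sample_users | audit_mysql_users
    sample_databases | audit_mysql_databases
fi
```

Without arguments the script runs against the constructed sample; with --live it queries the local server. Empty output means none of the four conditions was found.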
Thank you for reading, keep sharing!!