Introduction
The database usually holds the most sensitive data on the server, and a default install is tuned for convenience rather than safety. This guide covers hardening MySQL and MariaDB on a Hostxpeed VPS: installation defaults, network exposure, accounts and privileges, transport and at-rest encryption, logging, backups and isolation.
1. Run mysql_secure_installation
Run it immediately after installation. It sets (or confirms) the root password, removes anonymous accounts, disallows root logins from remote hosts, drops the test database and reloads the privilege tables. On MariaDB it can also switch root to unix_socket authentication, so root can only log in from a local OS root shell. Everything it does can be re-checked later with SELECT user, host, plugin FROM mysql.user; after any reinstall or package upgrade.
2. Bind to Localhost or Private IP
In the [mysqld] section set bind-address = 127.0.0.1 when the application runs on the same VPS, or the private-network address when it runs on a separate one; the default on both servers is to listen on every interface unless the distribution's config file says otherwise. If no TCP client exists at all, skip_networking leaves only the Unix socket. After restarting, confirm what is actually listening with ss -ltnp; on MySQL 8 check port 33060 as well, because the X Plugin has its own mysqlx_bind_address setting.
3. Create Minimal Privilege Users
Create the account first and give it only what the application actually issues: CREATE USER 'appuser'@'localhost' IDENTIFIED BY a strong password, then GRANT SELECT, INSERT, UPDATE ON app.* TO 'appuser'@'localhost'; (MySQL 8 no longer creates accounts implicitly through GRANT). Scope grants to the one schema, never to *.*, and leave out DELETE, DROP, FILE, PROCESS, SUPER and GRANT OPTION unless a specific job needs them. Use one account per application, pinned to the host it connects from, so SQL injection in one application cannot reach another application's data and a leaked credential is useless from anywhere else.
4. Drop Default Users
List what exists with SELECT user, host FROM mysql.user; and drop anything not tied to a real application or administrator. DROP USER ''@'localhost'; removes the anonymous account (older installs also create ''@'hostname'), and DROP DATABASE IF EXISTS test; removes the test schema that anonymous users were historically allowed to write to. mysql_secure_installation does both, but verify after every reinstall or package upgrade.
5. Enable SSL for Connections
Generate a CA, server and (optionally) client certificate, or use the self-signed set MySQL 8 creates at initialization (MariaDB needs them generated with openssl), point ssl_ca, ssl_cert and ssl_key at them, then make encryption mandatory: per account with ALTER USER 'appuser'@'host' REQUIRE SSL; or server-wide with require_secure_transport = ON. REQUIRE SSL only guarantees the connection is encrypted; the client must also verify the server (mysql --ssl-mode=VERIFY_IDENTITY, or --ssl-verify-server-cert with the MariaDB client), otherwise a man-in-the-middle on the path can present its own certificate. REQUIRE X509 goes further and demands a client certificate. Unix-socket connections carry no TLS, so REQUIRE SSL belongs on accounts that connect over TCP.
6. Use Password Validation Plugin
On MySQL install the validate_password component (INSTALL COMPONENT 'file://component_validate_password'; on 5.7, INSTALL PLUGIN validate_password SONAME 'validate_password.so') and set validate_password.policy and validate_password.length. MariaDB does not ship validate_password; use INSTALL SONAME 'simple_password_check' (or cracklib_password_check) and its simple_password_check_* variables. Either way the policy is enforced only when a password is set, so existing weak passwords must be rotated after enabling it.
7. Limit User Resources
ALTER USER 'appuser'@'localhost' WITH MAX_QUERIES_PER_HOUR 100000 MAX_USER_CONNECTIONS 20; caps what a single account can do, which contains a runaway job or a compromised application before it exhausts the server (MAX_UPDATES_PER_HOUR and MAX_CONNECTIONS_PER_HOUR exist as well). Limits are per account rather than per client, and the counters reset on FLUSH USER_RESOURCES, so treat them as a denial-of-service brake, not an access control.
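Items 1 to 7 are one procedure, so here is an added example (not from the original guide) that ties them together: a POSIX shell function that prints the account-hardening SQL so it can be reviewed and then piped into the client. The schema name app, the account appuser, the APP_DB_HOST and APP_DB_PASSWORD environment variables and the 14-character minimum are placeholders chosen for the example. The password comes from the environment so it never appears on a command line, in shell history or in ps output.

```shell
#!/bin/sh
# Added example, not from the original guide: emit the SQL for items 1-7 so it can
# be reviewed first, e.g.  APP_DB_PASSWORD='...' sh harden-accounts.sh mysql | mysql -u root -p
# Placeholders (assumptions, not from the page): schema "app", account "appuser",
# APP_DB_HOST (default localhost) and APP_DB_PASSWORD taken from the environment.

account_hardening_sql() {
  flavor="${1:-mysql}"                       # mysql | mariadb: the password-policy plugin differs
  host="${APP_DB_HOST:-localhost}"
  pw="${APP_DB_PASSWORD:?export APP_DB_PASSWORD first}"
  case "$pw" in *"'"*) echo "password must not contain a single quote" >&2; return 2 ;; esac

  # Item 6 comes first so the CREATE USER below is already checked against the policy.
  # Both INSTALL statements error out (harmlessly) if the plugin is already loaded.
  if [ "$flavor" = mariadb ]; then
    cat <<'SQL'
-- 6: MariaDB ships simple_password_check rather than validate_password
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length = 14;
SQL
  else
    cat <<'SQL'
-- 6: MySQL 8 policy component (on 5.7: INSTALL PLUGIN validate_password SONAME 'validate_password.so')
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 14;
SQL
  fi

  cat <<SQL
-- 1/4: anonymous accounts and the test schema; IF EXISTS keeps a re-run harmless
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP DATABASE IF EXISTS test;

-- 1: any root account this lists is reachable over the network and should be dropped
SELECT user, host FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3/5/7: one account per application, pinned to one host, TLS required, rate-capped
CREATE USER IF NOT EXISTS 'appuser'@'${host}' IDENTIFIED BY '${pw}'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 20 MAX_QUERIES_PER_HOUR 100000;
GRANT SELECT, INSERT, UPDATE ON app.* TO 'appuser'@'${host}';

-- confirm what was actually granted
SHOW GRANTS FOR 'appuser'@'${host}';
SQL
}

if [ $# -gt 0 ]; then
  account_hardening_sql "$1"
fi
```

If the application lives on a separate web VPS (item 13), set APP_DB_HOST to that machine's private IP instead of localhost. If it connects over the local Unix socket, drop the REQUIRE SSL line: socket connections carry no TLS and would be refused.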
8. Disable LOAD DATA LOCAL INFILE
The LOCAL variant reads files on the client machine and ships them to the server: a malicious or hijacked server can use it to pull arbitrary files from any client that has it enabled, and a compromised application can push client-side files into tables. Set local_infile = 0 in [mysqld] (MariaDB ships it ON) and disable it in the clients as well. The non-LOCAL LOAD DATA INFILE and SELECT ... INTO OUTFILE read and write files on the server itself; confine them with secure_file_priv pointing at a dedicated directory (or NULL to disable them) and never grant the FILE privilege to application accounts.
9. Enable General Log Temporarily for Audit
general_log records every statement from every client, including literal values in INSERTs and any password sent in ALTER USER or SET PASSWORD, so the log file becomes sensitive data in its own right. Enable it only for a short, specific investigation with SET GLOBAL general_log = 'ON'; (with general_log_file pointing at a 0600 file), switch it off afterwards and shred the output once it has served its purpose. It is not a substitute for the audit plugin: it has no filtering and a heavy write cost.
10. Install MariaDB Audit Plugin
MariaDB ships the server_audit plugin: INSTALL SONAME 'server_audit'; then set server_audit_logging = ON and choose events with server_audit_events (CONNECT, QUERY_DDL and QUERY_DCL is a sensible minimum; QUERY adds every statement). On MySQL Community Edition the equivalents are Percona's audit_log plugin or MySQL Enterprise Audit. Rotate the files, restrict them to the mysql user and ship them off the VPS, because an attacker who gains the mysql account can otherwise edit the record of what they did.
11. Use Dedicated Backup User
mysqldump needs SELECT and LOCK TABLES on the schema, plus SHOW VIEW for views and TRIGGER for triggers (EVENT for scheduled events; --routines needs a broader SELECT). Grant exactly those on app.* and nothing else, so the credential stored in the backup job can read but never modify data. On MySQL 8.0.21 and later either grant PROCESS or run mysqldump with --no-tablespaces, otherwise the dump fails. Keep the password in a 0600 option file or a login path, not on the command line where it shows up in ps and shell history.
12. Encrypted Backups
A plaintext dump on disk or in object storage is as sensitive as the database itself. The simplest form is mysqldump ... | gpg -c > backup.sql.gpg, but symmetric encryption means the passphrase must be present on the VPS for the cron job, so an attacker on the server gets both the dump and the key. Prefer gpg --encrypt --recipient <backup key>: only the public key lives on the VPS and the private key stays offline. Run the pipeline with set -o pipefail so a failed mysqldump cannot produce a valid-looking empty archive, and rehearse a restore on a separate machine regularly.
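Items 11 and 12 together, as an added example that is not part of the original guide: a read-only backup account, credentials in a 0600 option file, and a dump compressed and encrypted to a public key whose private half is kept off the VPS. The schema app, the account backup, /etc/mysql/backup.cnf, the recipient key ID backup@example.invalid and the directory /var/backups/mysql are placeholders for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: encrypted backup with a read-only account.
# Placeholders (assumptions): schema "app", account "backup"@"localhost",
# /etc/mysql/backup.cnf, recipient key "backup@example.invalid", /var/backups/mysql.
set -eu
set -o pipefail 2>/dev/null || true   # bash/ksh: a failing mysqldump must fail the whole pipeline

backup_grants_sql() {
  # Only what mysqldump needs: no INSERT/UPDATE/DELETE, so a leaked backup credential
  # cannot alter data. Add EVENT if the schema has scheduled events; --routines would
  # need a broader SELECT, so it is left out. MySQL 8.0.21+ wants PROCESS unless
  # --no-tablespaces is passed (it is, below).
  cat <<'SQL'
GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER ON app.* TO 'backup'@'localhost';
SQL
}

backup_option_file() {
  # Contents for /etc/mysql/backup.cnf: chmod 0600, owned by the user running the job.
  cat <<'CNF'
[client]
user     = backup
password = REPLACE_WITH_THE_BACKUP_PASSWORD
socket   = /var/run/mysqld/mysqld.sock
CNF
}

backup_filename() {
  # backup_filename DB OUTDIR: UTC timestamp so restores sort chronologically everywhere
  printf '%s/%s-%s.sql.gz.gpg\n' "$2" "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

backup_db() {
  db="$1"; outdir="${2:-/var/backups/mysql}"; recipient="${3:-backup@example.invalid}"
  out="$(backup_filename "$db" "$outdir")"
  umask 077                                   # the archive is sensitive even once encrypted
  # --defaults-extra-file must be the first option. --single-transaction gives a
  # consistent InnoDB snapshot without LOCK TABLES blocking the application.
  mysqldump --defaults-extra-file=/etc/mysql/backup.cnf \
      --single-transaction --quick --no-tablespaces --triggers "$db" \
    | gzip -9 \
    | gpg --batch --yes --encrypt --recipient "$recipient" --output "$out"
  printf '%s\n' "$out"
}

if [ $# -gt 0 ]; then
  backup_db "$@"
fi
```

Run it as sh backup.sh app from cron. Because only the public key is on the VPS, the restore test (gpg --decrypt | gunzip | mysql) has to happen on the machine that holds the private key, which is exactly where a restore rehearsal belongs.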
13. Isolate Database on Separate VPS
Put the database on its own VPS that the web server reaches only over the private network. Bind mysqld to the private address and, on the database VPS, allow port 3306 only from the web VPS's private IP at the firewall. Depending on how the provider segments it, a private network may be reachable from other tenants' machines, so the firewall rule is the real boundary, not the private addressing.
14. Enable Binary Logs
Binary logs exist for replication and point-in-time recovery rather than as a security log, but they contain every data change in plaintext and must be protected like the data directory. Enable log_bin, keep retention short (expire_logs_days = 7, or binlog_expire_logs_seconds = 604800 on MySQL 8, where expire_logs_days is deprecated), keep the files on a volume only the mysql user can read, and encrypt them if the server supports it (binlog_encryption = ON on MySQL 8.0.14+, encrypt_binlog = ON with a key-management plugin on MariaDB).
15. Monitor Failed Logins
First make sure failed logins are logged at all: MySQL 8 writes 'Access denied for user' entries only with log_error_verbosity = 3, and MariaDB needs log_warnings high enough for access-denied errors to be written. Then watch the error log (/var/log/mysql/error.log on Debian-based systems, or journalctl -u mariadb) for repeated 'Access denied' entries from one host. If 3306 must stay reachable from addresses you cannot firewall, fail2ban's shipped mysqld-auth jail bans the source after repeated failures; a database bound to localhost and firewalled should see none at all.
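The detection described above as an added example (not from the original guide): a shell function that counts access-denied errors per source host and reports hosts at or above a threshold. The log lines are constructed for the example using RFC 5737 documentation addresses; the first five follow the MySQL 8 error-log format and the last one the MariaDB format, to show that the same pattern covers both.

```shell
#!/bin/sh
# Added example, not from the original guide: per-host count of access-denied errors.
# usage: failed_logins_by_host [threshold] < /var/log/mysql/error.log

# Constructed sample log (not a real capture): MySQL 8 format, then one MariaDB line.
SAMPLE_ERROR_LOG="$(cat <<'EOF'
2024-05-01T10:02:17.415230Z 41 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2024-05-01T10:02:18.002118Z 42 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.45' (using password: YES)
2024-05-01T10:02:18.530904Z 43 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.45' (using password: NO)
2024-05-01T10:02:19.101271Z 44 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2024-05-01T10:03:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2024-05-01 10:05:02 57 [Warning] Access denied for user 'appuser'@'10.0.0.12' (using password: YES)
EOF
)"

failed_logins_by_host() {
  # Prints "count host", highest first, for every host with at least $1 (default 5)
  # access-denied errors. The host is the quoted token after the @ sign, which is
  # the same in MySQL 5.7/8 and MariaDB messages.
  awk -v min="${1:-5}" -v q="'" '
    /Access denied for user/ {
      re = "@" q "[^" q "]*" q
      if (match($0, re)) n[substr($0, RSTART + 2, RLENGTH - 3)]++
    }
    END { for (h in n) if (n[h] >= min) printf "%d %s\n", n[h], h }
  ' | sort -rn
}

if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_ERROR_LOG" | failed_logins_by_host 3
fi
```

Against the sample, a threshold of 3 reports only 203.0.113.45 (four failures across three usernames, the signature of a password-guessing sweep), while the single failure from 10.0.0.12 stays below it and is more likely a misconfigured application. Run it from cron and alert on non-empty output, or hand the same log to fail2ban's mysqld-auth jail for automatic blocking.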
16. Regular Updates
Subscribe to the MySQL or MariaDB security announcements and your distribution's security list, apply releases promptly (unattended-upgrades for the package, a scheduled maintenance window for major versions) and compare SELECT VERSION(); against the currently supported releases. A major version that has left support receives no security fixes at all.
17. Strict SQL Mode
Set sql_mode = STRICT_TRANS_TABLES,NO_ZERO_DATE,ONLY_FULL_GROUP_BY,NO_ENGINE_SUBSTITUTION in [mysqld]. Without strict mode the server silently truncates or coerces out-of-range and malformed values instead of rejecting them, so input that should have failed lands in the database in a mangled form, which is the root of the truncation bugs seen around length-limited columns such as usernames. MySQL 8 and MariaDB 10.2.4+ default to strict mode, but set it explicitly and confirm with SELECT @@sql_mode;, because application frameworks sometimes override it per session.
18. Firewall on Port 3306
bind-address is a runtime setting, and one config-file mistake, package upgrade or second listener (MySQL 8's X Plugin on 33060) can expose the port. Add a host firewall rule that accepts 3306 (and 33060) only from loopback and the web VPS's private IP and drops everything else, and persist it across reboots (iptables-persistent / netfilter-persistent, or the nftables ruleset file). If the hosting panel offers a network-level firewall, mirror the rule there as a second layer.
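An added example of the rule set just described (not from the original guide): a dedicated iptables chain for the database ports, jumped to from the top of INPUT so that no earlier broad ACCEPT rule can bypass it. The function prints the commands so they can be reviewed before being run; the web VPS address 10.0.0.5 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original guide: host firewall for the database ports.
# usage: mysql_firewall_rules <web VPS private IP> | sudo sh -e     (review the output first)

mysql_firewall_rules() {
  web_vps="${1:?private IP of the web VPS that may reach the database}"
  # 33060 is MySQL 8's X Protocol port with its own mysqlx_bind_address, so a hardened
  # bind-address alone does not cover it; the rule is harmless on MariaDB.
  ports="3306,33060"
  cat <<EOF
iptables -N MYSQL_IN 2>/dev/null || iptables -F MYSQL_IN
iptables -A MYSQL_IN -i lo -j ACCEPT
iptables -A MYSQL_IN -s ${web_vps} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A MYSQL_IN -m limit --limit 6/min -j LOG --log-prefix "mysql-blocked: "
iptables -A MYSQL_IN -j DROP
iptables -C INPUT -p tcp -m multiport --dports ${ports} -j MYSQL_IN 2>/dev/null || iptables -I INPUT 1 -p tcp -m multiport --dports ${ports} -j MYSQL_IN
ip6tables -C INPUT ! -i lo -p tcp -m multiport --dports ${ports} -j DROP 2>/dev/null || ip6tables -I INPUT 1 ! -i lo -p tcp -m multiport --dports ${ports} -j DROP
EOF
}

if [ $# -gt 0 ]; then
  mysql_firewall_rules "$1"
fi
```

The -C checks make the script idempotent, so it can run at every boot; alternatively apply it once and persist with iptables-save > /etc/iptables/rules.v4 (iptables-persistent). The rate-limited LOG line gives item 15 a second signal: connection attempts that never reach mysqld show up in the kernel log with the mysql-blocked: prefix.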
19. Data at Rest Encryption
Full-disk encryption with LUKS on the volume that holds /var/lib/mysql (and the backup directory) protects against theft or reuse of the underlying storage and of snapshots. It does nothing against an attacker on the running system, because the volume is unlocked at boot, and an unattended-reboot key file stored on the same VPS largely defeats it; that threat is covered by the account, privilege and network controls above. Both servers can also encrypt individual tablespaces and logs (InnoDB tablespace encryption with a keyring on MySQL, data-at-rest encryption with a key-management plugin on MariaDB), which narrows the exposure further at the cost of key handling.
20. Regular Security Audits
Schedule a periodic review. mysqltuner flags anonymous accounts, accounts without passwords and passwords from its built-in weak list, and reports unsupported versions; complement it by re-checking the controls above by hand: SELECT user, host FROM mysql.user WHERE host = '%'; for over-broad accounts, SHOW GRANTS for each application account, SHOW VARIABLES for local_infile, secure_file_priv, require_secure_transport and sql_mode, and ss -ltnp for unexpected listeners. Keep the output so drift between audits is visible.
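As an added example (not from the original guide) of the configuration part of that audit, the script below reads a my.cnf-style file, looks only at server sections, and reports the settings from items 2, 5, 8 and 17 that are missing or weak, returning the number of findings as its exit status. The two embedded configurations are constructed for the example: the first is how a fresh install often looks, the second the same file after hardening. The secure_file_priv path is Debian's default and only a placeholder here.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a my.cnf for items 2, 5, 8 and 17.
# usage: sh audit-mycnf.sh /etc/mysql/my.cnf     or     sh audit-mycnf.sh demo

cnf_get() {
  # cnf_get FILE OPTION: last value of OPTION inside a server section. MySQL and
  # MariaDB treat '-' and '_' in option names as interchangeable; a bare option means ON.
  awk -v want="$(printf '%s' "$2" | tr '-' '_')" '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^$/ { next }
    /^\[/ { sect = $0; next }
    sect != "[mysqld]" && sect != "[server]" && sect != "[mariadb]" { next }
    {
      eq = index($0, "=")
      k = (eq ? substr($0, 1, eq - 1) : $0)
      gsub(/[ \t]/, "", k); gsub(/-/, "_", k)
      if (k == want) {
        v = (eq ? substr($0, eq + 1) : "ON")
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        last = v
      }
    }
    END { print last }' "$1"
}

audit_mycnf() {
  # Prints one line per finding; exit status is the number of findings (0 = clean).
  f="$1"; n=0
  v="$(cnf_get "$f" bind-address)"
  case "$v" in
    127.0.0.1|::1|localhost|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) ;;
    *) echo "bind-address='${v:-unset}': listens on all interfaces (item 2)"; n=$((n+1)) ;;
  esac
  v="$(cnf_get "$f" local_infile)"
  case "$v" in 0|[Oo][Ff][Ff]) ;; *) echo "local_infile='${v:-unset}': LOAD DATA LOCAL allowed, MariaDB defaults this ON (item 8)"; n=$((n+1)) ;; esac
  v="$(cnf_get "$f" secure_file_priv)"
  [ -n "$v" ] || { echo "secure_file_priv unset: server-side file reads/writes unconfined (item 8)"; n=$((n+1)); }
  v="$(cnf_get "$f" sql_mode)"
  case "$v" in *STRICT_TRANS_TABLES*|*STRICT_ALL_TABLES*) ;; *) echo "sql_mode='${v:-unset}': no strict mode set (item 17)"; n=$((n+1)) ;; esac
  v="$(cnf_get "$f" require_secure_transport)"
  case "$v" in 1|[Oo][Nn]) ;; *) echo "require_secure_transport='${v:-unset}': plaintext TCP connections allowed (item 5)"; n=$((n+1)) ;; esac
  return "$n"
}

# Constructed samples for the example, not real configuration files.
WEAK_CNF="$(cat <<'EOF'
[mysqld]
bind-address = 0.0.0.0
local_infile = 1
sql_mode = NO_ENGINE_SUBSTITUTION
EOF
)"
HARDENED_CNF="$(cat <<'EOF'
[client]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
bind-address             = 127.0.0.1
local-infile             = 0
secure_file_priv         = /var/lib/mysql-files
require_secure_transport = ON
sql_mode                 = STRICT_TRANS_TABLES,NO_ZERO_DATE,ONLY_FULL_GROUP_BY,NO_ENGINE_SUBSTITUTION
EOF
)"

demo_audit() {
  for sample in weak hardened; do
    tmp="$(mktemp)"
    if [ "$sample" = weak ]; then printf '%s\n' "$WEAK_CNF" > "$tmp"; else printf '%s\n' "$HARDENED_CNF" > "$tmp"; fi
    echo "== $sample =="
    if audit_mycnf "$tmp"; then echo "no findings"; fi
    rm -f "$tmp"
  done
}

case "${1:-}" in
  "")   ;;                       # no argument: only define the functions
  demo) demo_audit ;;
  *)    audit_mycnf "$1" ;;
esac
```

The weak sample produces five findings and the hardened one none. Note that the [client] socket line in the hardened file is ignored on purpose: client-section options do not change server behaviour, and a local_infile = 0 placed there by mistake would leave the server exposed. The file audit is only half the picture, since SET GLOBAL and SET PERSIST can change the running value, so compare against SHOW VARIABLES as well.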
Conclusion
Start with the secure installation and tight accounts; those two steps remove most of what an attacker can do with a stolen application credential. Add TLS, firewalling and a separate database VPS for production, then keep the server patched and audited so the configuration stays that way.