Securing default MySQL installation

Usually a MySQL installation will also create some default databases (mysql, which holds the grant tables, and test). In case they don't exist you can create the default databases by running this:


Setting a MySQL root password

The most important thing is to ensure that all root accounts have a password set. For instance, this is the default mysql database after a normal MySQL installation.

This is a very insecure setup: every root account can log in without a password.

To learn how to set a password for the MySQL root accounts, or to delete the extra root users entirely, see the short reference on MySQL commands below.

You can also see that there are entries with an empty User name (not only an empty password). These are anonymous accounts; together with the test database they exist for testing and benchmarking, and both should be removed on a production server.

Ownership and permissions

You also need to make sure the MySQL daemon runs under its own user, not a shared default account such as nobody. For this, /etc/my.cnf must name that account with the user option in the [server] / [mysqld] section (the two are synonyms):


The data directory holding the databases should be owned by that user, and nothing under it should be writable by anyone else.

[root@i5 bin]# ls -ld /var/lib/mysql
drwxr-xr-x 4 mysql mysql 4096 Dec  1 14:51 /var/lib/mysql

More (official) reference on securing the initial default MySQL installation.


MySQL commands – usually run from the mysql client shell

Connecting to the server

mysql -h localhost -u root

Add -p to be prompted for the password once one is set (see Setting passwords below). The commands below assume the existence of the default databases. If this is not the case, take a look at securing a default MySQL installation.

Selecting a specific MySQL database

use database_name;   # syntax

use mysql;           # example

Listing tables in the selected database

show tables;

Viewing the structure of a specific table

describe table_name;   # e.g. describe user;

Retrieving some data

We are interested in whether the root accounts have a password set. There is usually more than one root account, one for each host it may connect from (localhost, 127.0.0.1, the actual hostname), and each of them has its own password field.

mysql> select Host,User,Password from user;

We can see above that none of the defined accounts has a password set. This is a serious security hazard: anyone who can reach the server can log in as root.

Setting passwords

set password for 'root'@'localhost' = password('your_password');

Setting the MySQL root password

As you can see, the password is stored as a hash (the output of PASSWORD()), not in clear text. Repeat the command for every root@host entry you intend to keep, or delete the other entries as shown below.

Deleting rows (data entries)

We are especially interested in deleting the root MySQL accounts that have no password set. Set the password for root@localhost first (above), otherwise this removes every root account:

delete from user where User = 'root' and Password = '';

Delete MySQL root accounts with no set password

Creating a MySQL administrative account

grant all privileges on mysql.* to admin@localhost identified by 'light';

Note that this grants all privileges on the mysql database only; an account equivalent to root needs the grants on *.* (and with grant option if it is to create users itself). The password 'light' is just an example, not one to use.

Create root MySQL account

After modifying the grant tables directly with insert, update or delete (as in the delete above) you must reload them with:

flush privileges;

grant, set password and drop user update the in-memory tables themselves, so no flush is needed after them.

After setting the MySQL root password you will no longer be able to log in as root without supplying it (mysql -h localhost -u root -p).

Logging in to a MySQL root account with a password set

More (official) reference on MySQL users.
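As an added example (not code from the original page), the following shell script automates the checks from the two MySQL sections above: it audits rows of mysql.user for root accounts without a password and for anonymous accounts, printing the SQL that fixes each one, and it checks that the [mysqld] section of an option file names a dedicated non-root account. The rows and option files it reads are constructed samples written to temporary files; the hostname i5 is taken from the page's own listing, and the admin account and its hash are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original page. Input for the account
# audit is what  mysql -BNe "select Host,User,Password from mysql.user"
# prints: one tab-separated row per account. The sample rows below are
# constructed, not taken from a real server.

# Reads "Host<TAB>User<TAB>Password" rows on stdin, prints one line per
# problem together with the SQL that fixes it, and returns the number of
# problems found (0 = nothing to fix). Only root@localhost is kept and
# given a password; every other passwordless or anonymous account is dropped.
audit_mysql_accounts() {
    awk -F'\t' -v q="'" '
        function acct(h, u) { return q u q "@" q h q }      # quoted user@host
        NF < 3 { next }                                    # blank or incomplete row
        $2 == "" {                                         # anonymous account
            print "ANONYMOUS " acct($1, $2) " -> DROP USER " acct($1, $2) ";"
            n++; next
        }
        $3 == "" && $2 == "root" && $1 == "localhost" {    # keep it, but it needs a password
            fix = "SET PASSWORD FOR " acct($1, $2) " = PASSWORD(" q "new_password" q ")"
            print "NOPASS    " acct($1, $2) " -> " fix ";"
            n++; next
        }
        $3 == "" {                                         # any other passwordless account
            print "NOPASS    " acct($1, $2) " -> DROP USER " acct($1, $2) ";"
            n++; next
        }
        END { exit n }
    '
}

# Prints the account named by "user=" in the [mysqld] section of the option
# file given as $1 (or "none"); returns 1 when it is missing or is root.
mysqld_run_as() {
    u=$(awk -F= '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && $1 ~ /^[ \t]*user[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1")
    echo "${u:-none}"
    [ -n "$u" ] && [ "$u" != "root" ]
}

# Constructed sample rows in mysql -BN format (the last one carries a
# sample PASSWORD() hash and is the only healthy account).
sample_user_rows() {
    printf '%s\t%s\t%s\n' \
        localhost root  '' \
        i5        root  '' \
        127.0.0.1 root  '' \
        localhost ''    '' \
        i5        ''    '' \
        localhost admin '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'
}

# Constructed sample my.cnf written to a temp file; "good" sets user=mysql,
# "bad" leaves the daemon account unset. Prints the file name.
sample_my_cnf() {
    f=$(mktemp)
    {
        echo '[client]'; echo 'socket=/var/lib/mysql/mysql.sock'
        echo '[mysqld]';  echo 'datadir=/var/lib/mysql'
        if [ "$1" = good ]; then echo 'user = mysql'; fi
    } > "$f"
    echo "$f"
}

echo "== mysql.user audit"
if sample_user_rows | audit_mysql_accounts; then
    echo "no problems"
else
    echo "problems found, run the SQL above and then: flush privileges;"
fi
for kind in good bad; do
    f=$(sample_my_cnf "$kind")
    printf '== [mysqld] user in %s my.cnf: ' "$kind"
    mysqld_run_as "$f" || echo "   -> missing or root: fix before going to production"
    rm -f "$f"
done
```

Pipe the real listing into the function with mysql -BNe "select Host,User,Password from mysql.user" | audit_mysql_accounts and review the emitted statements before running them; DROP USER is used instead of the page's delete from user because it also removes the matching rows from the other grant tables.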


Installing PHP

In order to install PHP with MySQL support you first need to install mysql, mysql-libs, mysql-server and mysql-devel (see Installing MySQL below).

You may also need libxml2-devel so that xml2-config is available:

yum install libxml2-devel

Finally generate the Makefile:

./configure --with-apxs2=/opt/apache/bin/apxs --with-mysql --prefix=/opt/php

And compile PHP (make test runs PHP's own test suite and is optional):

make
make test

And install it:

make install

And finally install php-mysql:

yum install php-mysql

Note that this RPM is built for the distribution's PHP, not for the copy compiled into /opt/php above; that copy already has MySQL support from --with-mysql, so the package only matters if the distribution PHP is used as well.

Make sure all these lines are present in httpd.conf:

LoadModule php5_module modules/

<Files *.php>
SetOutputFilter PHP
SetInputFilter PHP
</Files>

AddType application/x-httpd-php .php

With this, every file ending in .php anywhere under the document tree is executed by the server, so directories that users can upload into must stay outside the webspace or have PHP disabled for them.


Installing MySQL

In order to install MySQL you need these packages:

  • mysql
  • mysql-server
  • mysql-libs
  • mysql-devel

yum install mysql mysql-libs mysql-server mysql-devel

Once they are installed you may start MySQL:

/etc/init.d/mysqld start

And you should get this (the notice printed on the first start, when the system tables are created):

To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h i5 password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with
cd mysql-test ; perl

The two mysqladmin lines set the password of root@localhost and of root@i5 (the host's own name). A password given on the command line ends up in the shell history, so prefer mysql_secure_installation, which prompts for it and also offers to remove the anonymous accounts and the test database.


Apache IP based access

In order to use Apache to allow or deny access based on the client's IP you need mod_authz_host, which provides the Order, Allow from and Deny from directives used in the examples below (Apache 2.2 syntax; Apache 2.4 replaced them with Require ip, still provided by mod_authz_host).


Named-based virtual hosting

First you need to declare the IP (and port) used for virtual hosting with the NameVirtualHost directive:


# ip above is just an example

# the directive above tells Apache that requests arriving on this IP must be dispatched to a VirtualHost according to their Host header

Second you need to form one VirtualHost container per site. The first VirtualHost listed for the address is the default: it answers requests whose Host header matches no ServerName (or that carry no Host header at all), so make it a harmless placeholder rather than an internal site.



Main sub directives

ServerName

This sets the site's name; more importantly, it is the value Apache compares the request's Host header against to pick the VirtualHost, so name-based hosting does not work without it.

DocumentRoot

This sets the location of the webspace, the user files served to clients for this host.

ErrorLog

This specifies the path of the error log.

TransferLog

This specifies the path of the transfer (access) log.





ServerAdmin [email protected]

DocumentRoot /home/site1

ErrorLog /path

TransferLog /path




ServerAdmin [email protected]

DocumentRoot /home/site1

ErrorLog /path

TransferLog /path



Main Apache Directives

The main Apache configuration directives

The complete Apache directives list.


Listen

This directive sets the IP address(es) and port on which the Apache server listens for connections.


Instead of ip the actual IP must be used. Port 80 is the regular HTTP port and 443 the default HTTPS port. If the server has multiple interfaces (physical or virtual) and should answer on all of them, the * character covers all IPs; otherwise list the specific address so that the server is not reachable on interfaces it was not meant for.

Listen *:80

User / Group

These directives set the user and the group under which the HTTP server's worker processes run. Apache starts as root to bind port 80 and then drops to this account, which must be unprivileged (never root) and should not have write access to the webspace.


ServerName

This sets the name of the server reported by Apache and used in the URLs it builds for itself.


ServerRoot

This sets the location of the server installation and all its files. Relative paths in httpd.conf are resolved against it.


DocumentRoot

This is the webspace: the location where Apache looks for the files and folders requested by clients.


DirectoryIndex

This sets the default file served by Apache when the client has not requested a specific file. For this to work the dir_module must be loaded.

LoadModule dir_module modules/

<IfModule dir_module>

DirectoryIndex index.php index.htm index.html

</IfModule>


IndexOptions

This generates a folder's index (a directory listing) if there is no file matching DirectoryIndex. It needs the autoindex_module. A listing exposes every file in the folder (backups, copies of configuration files, uploads), so keep it disabled with Options -Indexes (see Directory below) except where a listing is intended.

LoadModule autoindex_module  modules/

IndexOptions   FancyIndexing FoldersFirst


IndexIgnore

This hides files matching a pattern from the generated listing; it also needs the autoindex module. Hiding is cosmetic only: the files can still be requested by name.

IndexIgnore *.jpeg


Alias

This is used to map a URL path to a directory outside the document tree. It requires the alias module.

LoadModule alias_module

Alias /var /path_outside_document_tree

The aliased directory is not covered by the access rules set for DocumentRoot, so give it its own Directory block with the access control it needs. There is a variant to this called ScriptAlias for folders with CGI scripts: everything in such a folder is executed rather than served.


Redirect

This is similar to Alias, but instead of serving a local path it sends the client (with a 3xx status) to another URL, usually on a remote server. The form is Redirect [status] URL-path URL.

Redirect /dir


ErrorLog / LogLevel

This sets the logging options. Possible values for LogLevel, from most to least verbose: debug, info, notice, warn, error, crit, alert, emerg.

ErrorLog /log_path

LogLevel warn


ErrorDocument

This sets the server's response to specific errors (either as a message or as the path to a file).

ErrorDocument  500  “Error message”

ErrorDocument  404  /error.html

Incomplete list of error numbers:

400 Bad Request – HTTP_BAD_REQUEST
401 Authorization Required – HTTP_UNAUTHORIZED
402 Payment Required – HTTP_PAYMENT_REQUIRED
403 Forbidden – HTTP_FORBIDDEN
404 Not Found – HTTP_NOT_FOUND
405 Method Not Allowed – HTTP_METHOD_NOT_ALLOWED
406 Not Acceptable – HTTP_NOT_ACCEPTABLE
407 Proxy Authentication Required – HTTP_PROXY_AUTHENTICATION_REQUIRED
408 Request Time-out – HTTP_REQUEST_TIME_OUT
409 Conflict – HTTP_CONFLICT
410 Gone – HTTP_GONE
411 Length Required – HTTP_LENGTH_REQUIRED
413 Request Entity Too Large – HTTP_REQUEST_ENTITY_TOO_LARGE
500 Internal Server Error – HTTP_INTERNAL_SERVER_ERROR
501 Method Not Implemented – HTTP_NOT_IMPLEMENTED
503 Service Temporarily Unavailable – HTTP_SERVICE_UNAVAILABLE


Directory

This is used to set options for a specific directory of the webspace; it can only be used in the main configuration (not in .htaccess).

<Directory /path>

Options Indexes FollowSymLinks      # example 1

AllowOverride All                   # example 2

</Directory>

If AllowOverride is set to None, Apache does not even read .htaccess files. AllowOverride All lets anyone who can write a .htaccess file into the webspace change options, handlers and access rules, so keep it at None or at the minimal set of override types a site really needs.


FilesMatch

This directive is used to restrict access to files whose names match a regular expression. It can also be used in .htaccess. The block below stops clients from fetching .htaccess and .htpasswd files, which would otherwise expose access rules and password hashes:

<FilesMatch "^\.ht">

Order allow,deny

Deny from all

</FilesMatch>


Files

This is equivalent to FilesMatch, but the regular expression must be preceded by ~

<Files ~ "\.(gif|jpe?g|png)$">

Order allow,deny

Allow from

</Files>


TypesConfig / DefaultType

These associate a server action with the file type requested by the client, based on the file extension. They require the mime module:

LoadModule mime_module /modules/

DefaultType text/plain

TypesConfig conf/mime.types
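As an added example that is not part of the original page, here is a shell function that audits an httpd.conf (Apache 2.2 syntax, as used in the list above) for the points raised there: worker processes not running as root, Options Indexes, AllowOverride All, and a missing block denying access to the .ht* files. The two configuration files it checks are constructed samples; their paths and the 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page. One awk pass over a
# httpd.conf; prints a "FINDING:" line per problem and returns the number
# of findings (0 = clean), so it can gate a deployment.

audit_httpd_conf() {
    awk '
        function finding(msg) { print "FINDING: " msg; n++ }
        { sub(/#.*/, "") }                        # ignore comments
        NF == 0 { next }
        $1 == "User"  { user  = $2 }
        $1 == "Group" { group = $2 }
        $1 == "Options" {                         # Indexes (or +Indexes) = directory listings
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes")
                    finding("line " NR ": Options Indexes enables directory listings")
        }
        $1 == "AllowOverride" && tolower($2) == "all" {
            finding("line " NR ": AllowOverride All lets any .htaccess change server behaviour")
        }
        # <FilesMatch "^\.ht"> or <Files ~ "^\.ht"> block guarding .htaccess/.htpasswd
        ($1 == "<FilesMatch" && index($2, "\\.ht")) || ($1 == "<Files" && $2 == "~" && index($3, "\\.ht")) { in_ht = 1 }
        in_ht && (tolower($0) ~ /deny[ \t]+from[ \t]+all/ || tolower($0) ~ /require[ \t]+all[ \t]+denied/) { ht_protected = 1 }
        $1 == "</FilesMatch>" || $1 == "</Files>" { in_ht = 0 }
        END {
            if (user == "")           finding("User not set")
            else if (user == "root")  finding("User is root: worker processes must run unprivileged")
            if (group == "")          finding("Group not set")
            else if (group == "root") finding("Group is root")
            if (!ht_protected)        finding("no <FilesMatch \"^\\.ht\"> block denies access to .htaccess/.htpasswd")
            exit n
        }
    ' "$1"
}

# Constructed sample configs (not real server files), written to temp files.
sample_weak_conf() {
    f=$(mktemp)
    printf '%s\n' \
        'ServerRoot "/opt/apache"' \
        'Listen *:80' \
        'User nobody' \
        'Group nobody' \
        'DocumentRoot "/opt/apache/htdocs"' \
        '<Directory "/opt/apache/htdocs">' \
        '    Options Indexes FollowSymLinks' \
        '    AllowOverride All' \
        '    Order allow,deny' \
        '    Allow from all' \
        '</Directory>' \
        '# the .ht protection block was commented out' \
        '#<FilesMatch "^\.ht">' \
        '#    Deny from all' \
        '#</FilesMatch>' > "$f"
    echo "$f"
}

sample_hardened_conf() {
    f=$(mktemp)
    printf '%s\n' \
        'ServerRoot "/opt/apache"' \
        'Listen 192.0.2.10:80' \
        'User apache' \
        'Group apache' \
        'DocumentRoot "/opt/apache/htdocs"' \
        '<Directory "/opt/apache/htdocs">' \
        '    Options -Indexes +FollowSymLinks' \
        '    AllowOverride None' \
        '    Order allow,deny' \
        '    Allow from all' \
        '</Directory>' \
        '<FilesMatch "^\.ht">' \
        '    Order allow,deny' \
        '    Deny from all' \
        '</FilesMatch>' > "$f"
    echo "$f"
}

for f in "$(sample_weak_conf)" "$(sample_hardened_conf)"; do
    echo "== $f"
    if audit_httpd_conf "$f"; then echo "   clean"; else echo "   needs attention"; fi
    rm -f "$f"
done
```

Run it on the live file with audit_httpd_conf /opt/apache/conf/httpd.conf; it reads only the main file, so directives pulled in through Include have to be checked with the same function on each included file.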


Apache structure

The /bin folder

Contains various binaries:

httpd

This is the server binary itself.

apachectl

This controls the server (start, stop, restart).

htpasswd

This creates user data for Apache password-protected directories.

ab

This is used for benchmarking.

apxs

Apache extension tool: this is used for extending Apache by compiling new modules.

rotatelogs

This is used for rotating the Apache logs.

The /conf directory

This folder contains configuration files, mainly httpd.conf.

The /modules folder

This contains DSO modules (Dynamic Shared Objects) – binaries that are dynamicaly loaded at server startup.


Apache installation

Compile options

Implicit options (DSO)

./configure --prefix=/install_path --enable-so --enable-mods-shared=all

--enable-mods-shared=all

This builds all available modules as shared objects. Only the modules actually needed should then be loaded with LoadModule; every module loaded is extra code and configuration surface in the server.

--enable-so

This enables modular support (DSO).



Query the local DNS server

dig @localhost domain

Reverse resolution query on local DNS server

dig @localhost -x ip

Query MX record from DNS server

dig @server -t MX domain

Query all records

dig -t any domain

Many servers nowadays answer ANY queries with a minimal response, so this cannot be relied on to enumerate a zone; query the record types you need individually.