Securing root MYSQL user for LAMP stack - mysql

Context
So I'm following the tutorial for securing MYSQL on a Linux machine from DigitalOcean (https://www.digitalocean.com/community/tutorials/how-to-secure-mysql-and-mariadb-databases-in-a-linux-vps) and I am at the section where we are renaming the root user so that it will be more difficult for people to gain unauthorized access to the databases.
After executing rename user 'root'#'localhost' to 'newAdminUser'#'localhost';, I see:
+------------------+-----------+-------------------------------------------+
| User | Host | Password |
+------------------+-----------+-------------------------------------------+
| newAdminUser | localhost | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | 127.0.0.1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| root | ::1 | *D95F7B9193493217A2F5AF587BB27C2F92EC2301 |
| debian-sys-maint | localhost | *0BA36D18675A3EC9BBA779AAD0C189D798C886B1 |
+------------------+-----------+-------------------------------------------+
Question
Should I be changing the name for the other root users? What effect would this have on my machine - does the machine expect to have these "root" users?
I appreciate your time and assistance!

You can safely remove the 'root'#'127.0.0.1' user since it is equivalent to 'root'#'localhost' (you can still connect to host localhost or 127.0.0.1 using root).
Changing the user name from root to something else provides a marginal security enhancement as a person would already need to have gained access to the system (either locally, or exploited a website and tries to connect from a script).
You can also remove the IPv6 localhost equivalent ::1 if you don't need to connect to MySQL locally over IPv6.
You should not delete the debian-sys-maint account as this is used by the system to perform log related tasks.

As long as you ran mysql_secure_installation and removed root accounts that are accessible from outside the local host it shouldn't really matter from a security standpoint (unless you think someone will have SSH access to the machine, but shouldn't have access to the database).
But I would still change it, just for your own sanity - at some point you may be connecting to the database, and trying to use the newAdminUser, but MySQL sees you are connecting from 127.0.0.1 and so it says "nope, no user newAdminUser for that host, invalid password."

Related

Can't connect remotely to MariaDB

I'm configuring my EC2 server. I managed to install php, laravel etc. (with a bit of suffering though). Now I
created an user on MariaDB
granted all permissions from remote
enabled bind-address = 0.0.0.0 in my.cnf
tested local login, works
opened rules in the Security group for Mysql/Aurora, port 3306, TCP, all IPs, both incoming and outcoming
but still can't login from remote, I get
ERROR 2003 (HY000): Can't connect to MySQL server on 'yyz.yyz.yyz.yyz' (110)
What can I do? I don't have any iptables of sort, everything is supposed to be plain simple... but it's not :-(
I'm trying to connect from outside the Amazon network, with this string
mysql -u myuser -pmypwd -h yyz.yyz.yyz.yyz -D myschema
Please notice that from the server itself I can connect using
mysql -u myuser -p -h localhost -P 3306 -D myschema
Thank you
Marco
P.S. For reference, here are my MariaDB users
+---------------------------------------------+-----------+
| host | user |
+---------------------------------------------+-----------+
| % | myuser |
| 127.0.0.1 | root |
| ::1 | root |
| ip-yyz-yy-zz-yyz.us-west-2.compute.internal | root |
| localhost | root |
| localhost | myuser |
+---------------------------------------------+-----------+
EC2 instances have two IP addresses, internal and external.
It looks to me like your user table authorizes access from the internal IP address.
ip-yyz-yy-zz-yyz.us-west-2.compute.internal | root
Are you trying to connect to the internal address from outside AWS? That Doesn't Work™.
If you're trying to connect to the external address, you'll have to add it to your user list.
For troubleshooting but not production, you can add a * | root user.
You can also try https://xyz.xyz.xyz.xyz:3306 from a browser. It won't connect, but if it times out you know there's no route to that address from your machine. If it yields some kind of gibberish, immediately, you know the MySQL port is visible.
good news and bad news.
Good news: I solved the issue!
Bad news: We all were right. It was enough to open the 3306 port in the Security Group. The issue was that - for reasons unknown to me - I kept seing the wrong security group. I logged off, logged in again and saw the right one. Enabled the port 3306 there and - magic - it worked!
Thank you to everybody who spent time in order to help mi fixing this!

"127.0.0.1" option specified, but still using "localhost" name

I'm using the -h option, specifying that I want to connect to MySQL Server via a specific host/interface, but MySQL is telling me this, which apparently doesn't make so much sense
root#ilg40:/# mysql -h 127.0.0.1 -u root -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1698 (28000): Access denied for user 'root'#'localhost'
OBS.: I have created a access for root via 127.0.0.1 (FLUSH PRIVILEGES() was already performed.
root#ilg40:/# mysql -e "SELECT User,Host,authentication_string FROM mysql.user;"
+-----------+-----------+-------------------------------------------+
| User | Host | authentication_string |
+-----------+-----------+-------------------------------------------+
| root | localhost | |
| mysql.sys | localhost | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| root | 127.0.0.1 | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-----------+-----------+-------------------------------------------+
Have you guys any idea about what's going on?
I can't find where is my failure :(..
P.S: I'm using Debian Jessy + MySQL 5.7.12
root#ilg40:/# cat /etc/debian_version
8.4
root#ilg40:/# mysql -e "SELECT VERSION();"
+-----------+
| VERSION() |
+-----------+
| 5.7.12 |
+-----------+
Acoording to MySQL official doc:
"The server performs host name resolution using the thread-safe
gethostbyaddr_r() and gethostbyname_r() calls if the operating system
supports them.
Otherwise, the thread performing the lookup locks a mutex
and calls gethostbyaddr() and gethostbyname() instead.
In this case, no other thread can resolve host names that are not in the host
cache until the thread holding the mutex lock releases it."
The solution I found was: dropping the user 'root'#'localhost' from MySQL.
DROP USER 'root'#'localhost';
I tried to modify the /etc/hosts, but no good. There's something else around the way that MySQL performs these two syscalls, which maps 127.0.0.1 to localhost, independently if you the address mapped in a different way in /etc/hosts.
WARNING: be sure to have at least another user with admin powers on MySQL, using 127.0.0.1 for connection, or else, you may loose access and/or admin powers over MySQL.

What is the difference between the host values in "Current user" vs "Connection" (in mysql status)

I am troubleshooting a MySQL privileges problem.
I want to connect to MySQL on the local server, but refer to it by it's LAN name (so I can use the same user/pass/host on several web-nodes).
I have included credentials in the privilege tables for both a %.lan and a localhost user.
mysql> select user,host from mysql.user where user = 'mysqluser';
+-----------+---------------------+
| user | host |
+-----------+---------------------+
| mysqluser | %.lan |
| mysqluser | localhost |
+-----------+---------------------+
However, when I try to login, I get the error message
[systemuser#servername.mydomain.com ~]$ mysql -u mysqluser -p -h servername.mydomain.com.lan
Access denied for user 'mysqluser'#'servername.mydomain.com'
Note that servername.mydomain.com.lan does resolve to a 192.168.% IP; i.e. it's in my /etc/hosts file. Moreover, reverse DNS for the IP in question resolves as expected.
[systemuser#servername.mydomain.com ~]$ dig -x 192.168.X.Y
...
;; ANSWER SECTION:
Y.X.168.192.in-addr.arpa. 86400 IN PTR servername.mydomain.com.lan.
If I temporarily grant privileges to 'mysqluser'#'%' and login, MySQL reports
mysql> status
...
Current user: mysqluser#servername.mydomain.com
...
Connection: servername.mydomain.com.lan via TCP/IP
...
Why is the host for my Current user not equal to the host for my Connection?
What I am doing/assuming incorrectly? I should note that my arrangement was working as intended (for weeks), on two farms on a common LAN, then both, independent MySQL instances suddenly started rejecting MySQL connections.

is there any way to change the users host in my sql

I am building a mysql server to allow a user to only access the database if he is on an internal ip address.
SET PASSWORD FOR 'testuser'#'MyIPwillgohere' = PASSWORD('password');
but i get the following error while using the above statement
Can't find any matching row in the user table
I think it has something to do with the host being % instead of local host or my ip address.
+------------------+-------------+
| user | host |
+------------------+-------------+
| testuser | % |
| root | 127.0.0.1 |
| root | ::1 |
| debian-sys-maint | localhost |
| root | localhost |
| root | raspberrypi |
+------------------+-------------+
How can i change the host or what should i do to fix this issue. I am using putty SSH connection to connect to the server and running mysql as the root user.
The question is how to change the test users host maybe?
I want to change the host from % to either local host or maybe my own ip address. I have used workbench to log in as editor but the host is still the same?
You might try something like this (but note that DROP essentially means "DELETE" so be careful):
DROP USER 'testuser';
GRANT USAGE ON dbnamegoeshere.* to 'testuser#MyIPwillgohere' IDENTIFIED BY 'password';
I have found the soloution to my own problem. It didnt let me change the where the host was connecting to by changing the password EG
You might try something like this (but note that DROP essentially
means "DELETE" so be careful):
DROP USER 'testuser'; GRANT USAGE ON dbnamegoeshere.* to
'testuser#MyIPwillgohere' IDENTIFIED BY 'password';
Doing that it said there was no match found. I hand to grant the privileges to the user first and state where he is connecting from and then changing the password was allowed.

Bizarre MySQL Workbench error on Linux desktop

I have an account with a Java PaaS (CloudBees) that hosts their platform off of Amazon EC2 instances. My account comes with access to a MySQL server instance and I am getting a bizarre error that only occurs when I try to log into the MySQL server from a client on my linux (Ubuntu 12.04 desktop) machine, but not my Windows 7 machine.
Here is a screenshot of the error when I try to log in with MySQL Workbench on my Ubuntu machine:
It's important to note that I have another MySQL client (Squirrel SQL) installed on this machine, that throw the same exact error when I try to log in to my dl_web account. Squirrel SQL is a pure Java application, and I have tried to check that MySQL Workbench and Squirrel SQL do not share any common dependencies and couldn't find any (but I could be wrong).
However, when I try to log in with a MySQL Workbench instance living on my Windows 7 machine, I can log in just fine.
Given the list of 4 things to check from that error message:
Yes, of course MySQL server is running on the EC2 instance; otherwise CloudBees would be out of business and I wouldn't be able to log in from my Windows 7 machine.
3306 is the correct port - I verified this with CloudBees support staff.
Not sure about this one - perhaps the MySQL server instance is somehow configured to refuse connections from linux clients?!?!
The password I'm using is correct - I have checked and re-checked and re-re-checked.
So the only 2 theories I have so far are:
The MySQL server instance is somehow configured to refuse connections from Linux clients (is this even possible?); or
The MySQL Workbench and Squirrel SQL instances on my Ubuntu machine are sharing some common dependency that is buggy or misconfigured; this is the more likely of the two scenarios, but I have been unsuccessful pegging down what this dependency is...
Also - note the exact error message that I get from both MySQL Workbench and Squirrel SQL:
Access denied for user 'dl_web'#'%' to database...
My user is dl_web...not 'dl_web'#'%'!!! Bizarre, right?!
Any ideas? Thanks in advance!
You appear to be in a hosted environment within AWS where you do not have access to root or to view grants on tables, but this may help someone else and show a few steps.
first, if I go into sqlyog (or toad or mysql workbench) and try to connect to AWS mysql, i get the following error:
http://img836.imageshack.us/img836/4594/out1.GIF
so the issue is root#pool-72-93-207-216.bstnma.fios.verizon.net
so i get into mysql at root (yes I know you might not be able to do this !)..
and I perform the following
mysql> use test;
mysql> grant all privileges on test.* to 'root'#'pool-72-93-207-216.bstnma.fios.verizon.net' identified by 'mypassword123z';
mysql> select user,host from mysql.user;
+------------------+--------------------------------------------+
| user | host |
+------------------+--------------------------------------------+
| foo_user | % |
| root | 127.0.0.1 |
| foo_user | 72.93.207.216 |
| foo_user2 | 72.93.207.216 |
| root | ::1 |
| | domU-12-31-38-04-B2-89 |
| root | domU-12-31-38-04-B2-89 |
| | localhost |
| debian-sys-maint | localhost |
| phpmyadmin | localhost |
| root | localhost |
| root | pool-72-93-207-216.bstnma.fios.verizon.net |
+------------------+--------------------------------------------+
mysql> SHOW GRANTS FOR 'root'#'localhost';
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root#localhost |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'#'localhost' IDENTIFIED BY PASSWORD '*4F4504C8CA8D22648E58B5092F653457698A9EBE' WITH GRANT OPTION |
| GRANT PROXY ON ''#'' TO 'root'#'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
mysql> show grants for 'root'#'pool-72-93-207-216.bstnma.fios.verizon.net';
+----------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root#pool-72-93-207-216.bstnma.fios.verizon.net |
+----------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'#'pool-72-93-207-216.bstnma.fios.verizon.net' IDENTIFIED BY PASSWORD '*CACE4BB4D0A5D265BA7FCBEED600DC8976884A43' |
| GRANT ALL PRIVILEGES ON `test`.* TO 'root'#'pool-72-93-207-216.bstnma.fios.verizon.net' |
+----------------------------------------------------------------------------------------------------------------------------------------------+
then I go back to sqlyog (or toad or mysql workbench) and log in with root and password mypassword123z and I am in.
in addition you can create an secure SSH proxy tunnel thru port 22 and your AWS pem file, using like Putty.