Safely merging multiple MySQL users to % - mysql

Was recently managing my MySQL (5.5.41) on Linux machine and decided to remove/merge MySQL initially created root users.
Quoting MySQL 5.5 documentation (also nice article here)
On Unix, each root account permits connections from the local host. Connections can be made by specifying the host name localhost, the IP address 127.0.0.1, the IPv6 address ::1, or the actual host name or IP address.
The user table is as follows
+-----------+------------------+-------------------------------------------+
| Host | User | Password |
+-----------+------------------+-------------------------------------------+
| localhost | root | *ABC... |
| lamp | root | |
| 127.0.0.1 | root | *ABC... |
| ::1 | root | |
| localhost | john | *EFG... |
| lamp | john | |
| 127.0.0.1 | john | *EFG... |
| ::1 | john | |
+-----------+------------------+-------------------------------------------+
It is also set to listen only to localhost bind-address = 127.0.0.1. The question is
What could be the possible downfalls of merging multiple root users to a single one and using % wildcard as Host ?
Some of the passwords are blank thus not required to login. If % is used and password is set some users (lamp, IPv6 ::1) would not be able to login. Should this be avoided?
What could be the best pracice - to create a new user basing on initial create (127.0.0.1, ::1, localhost) or to stick with the % wildcard?

First off, i'd suggest you avoid using % wildcard (if it's not strictly necessary). If your users connect to the database from the same host the mysql server is running on, my advice is to use 127.0.0.1
All best practices point out that no-password login should be disabled.
As for IPv6, there's no point in having that user if you're not using it.
I'd suggest you read this http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips

Related

Unable to INSERT into an Amazon RDS database

I setup my website on AWS.
Now, the problem is: I am able to select data from my DB but I am not able to insert it. But, my root is having "Insert" privileges.
I did create another user and provided the same privileges but the same problem persists.
Here is my configuration:
mysql - "select" and "insert" privileges for "root" user.
+-------------+-------------+
| Select_priv | Insert_priv |
| Y | Y |
+-------------+-------------+
mysql - "host" and "user" details
+----------------+------+
| host | user |
| % | root |
| 127.0.0.1 | root |
| (my ip) | root |
| ::1 | root |
| ip-(my ip) | |
| ip-(my ip) | root |
| localhost | |
| localhost | root |
+----------------+------+
php - I am connecting using "username" as "root", "host" as "localhost" and "port" as 3306
Inbound security group
Outbound security group
Table names in insert query are case sensitive when deployed in aws RDS mysql. So, make sure to have same table names i.e. same case in insert query and in database. I hope this will work.

Do I need to set a password for every root account entry? - MySQL

This is my current user account configuration:
+----------+------------+-------------------------------------------+
| User | Host | Password |
+----------+------------+-------------------------------------------+
| root | localhost | *CAB56DA385754BF21E94AC7D75E8B51EA0F468A8 |
| root | centos-gcp | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | centos-gcp | |
+----------+------------+-------------------------------------------+
So far I only added a root password during installation.
From what I understand, each 'username'#'host' combination is treated as a different account.
Does that mean that I need to set a password for every root account?
Or does the first password apply to all other root accounts?
It seems that if I try to log in with 'root'#'centos-gcp' which resolves to 127.0.1.1 I still have to enter the main password (I'm somewhat confused by all these hostnames).
Without a password, you have a vulnerability that a hacker may discover.
If you have never needed to use root after installing, then either you have not yet needed to do some serious maintenance, or you have given your other users too much privilege, thereby opening up another class of vulnerability.
Your multiple root#... logins are different. They are distinguished by where 'root' is coming from within the system, and how the connection is being made (socket vs TCP with IPv4 vs IPv6), etc.

mysql - show processlist

When I run the command show processlist; I get details of the connections made to the server. Here are the connection details of my MySQL server,
mysql> show processlist;
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
| 1 | event_scheduler | localhost | NULL | Daemon | 13200075 | Waiting on empty queue | NULL |
| 4212 | root | localhost | NULL | Query | 0 | init | show processlist |
| 4214 | root | xxx.xx.xxx.xxx:50197 | testmysqldb | Sleep | 1 | | NULL |
| 4215 | root | xxx.xx.xxx.xxx:50198 | testmysqldb | Sleep | 3 | | NULL |
+------+-----------------+----------------------+-------------+---------+----------+------------------------+------------------+
What does the "number" after the term hostname and a colon (:) mean? It generally appears when a remote connection is made, on Linux and appears even for local connection on Windows.
Thanks in Advance!!
It's the client's port number used for the connection.
"xxx.xx.xxx.xxx:50197" means that there's an open connection from IP address "xxx.xx.xxx.xxx" and port 50197, towards your MySQL server (probably on port 3306.)
This is the client's TCP Port.
You connect to the server for example on default port 3306 but the client uses a different port on its side of the connection. This port is listed there.
It's client port number i.e. a connection gets open between two processes (on the same host or physically apart) using sockets - Socket is host_ip:port_num
So when we connect to a mysql (on same machine - localhost or remote server) a connection is opened i.e.
client_ip:xxxxx --> mysql_ip:3306 (3306 is default for Mysql, can use other port as well)
Example:
xxx.xx.xxx.xxx:50197
We send query and receive response from the mysql (mysql_ip:3306) at client_ip:50197

Sequel Pro or other Non-Socket connections refused in MySql 5.6.26

Ok, I have looked at about 15 answers to this question on here, and none of them work.
I am on a Mac, running OSX 10.10, MySql 5.6.26
Whenever I try to connect with Sequel Pro I get the following:
Unable to connect to host 127.0.0.1 because access was denied.
My users are in my MySql dump, with grant on all of them to .
+----------------------+----------+
| Host | User |
+----------------------+----------+
| % | macfelon |
| 127.0.0.1 | macfelon |
| 127.0.0.1 | root |
| ::1 | root |
| localhost | |
| localhost | macfelon |
| localhost | root |
| robert-macbook.local | |
| robert-macbook.local | root |
+----------------------+----------+
My port is open at 3306. It connects with the Socket option, but not on Standard.
Nothing I can find seems to resolve this for me.
Are you absolutely certain it's actually listening on port 3306? There's an answer here: https://dba.stackexchange.com/questions/108522/mac-os-x-10-10-mysql-5-6-26-accessible-from-cli-but-not-port-3306 where others are reporting that the configuration in my.cnf is being ignored, and for some reason MySQL 5.6.26 configures /Library/LaunchDaemons/com.oracle.oss.mysql.mysqld.plist to use port 3307 by default. Modifying that .plist to port 3306 solved this issue for me.

Connecting to MySQL from remote host using wildcards not working

Hi so I am trying to set up my mysql server to accept remote connections from all hostnames by using a % sign in the place of hostname. This however still will not let me connect. My MySQL user table is as follows:
mysql> select host,user from user;
+----------------+------------------+
| host | user |
+----------------+------------------+
| % | guest |
| 127.0.0.1 | root |
| 197.87.180.*** | guest |
| ::1 | root |
| localhost | |
| localhost | debian-sys-maint |
| localhost | root |
| raspberrypi | |
| raspberrypi | root |
+----------------+------------------+
I am able to connect to the server using the username guest from my remote computer with IP address 197.87.180.* but any other IP it gives me the error Access denied for user 'guest'#'197.87..' (using password: YES)
Anyone know the reason for this or what I am doing wrong?
Verify the privileges for guest#'%' with the following:
show grants for 'guest'#'%';
Also, user guest can have a different password for host 197.87.180.*** and another password for host %.
You can verify if the password is the same for both instances of guest user by executing the following query: select host,user,password from mysql.user;
If they don't have the same password, you can change it by executing the following: set password for guest#'%' = password('newPwd');
Cheers,
JF