MariaDB security is essential to protect your database from unauthorized access, data breaches, and other threats. With MariaDB 11.4+, security is enhanced by default with SSL enabled automatically.
mysql_secure_installation
This script (also installed as mariadb-secure-installation on MariaDB 10.4 and later) hardens a fresh installation by removing the insecure defaults it ships with: passwordless or anonymous accounts, remote root login and the world-readable test database.
sudo mysql_secure_installation
During the script, you will be asked to:
- set or change the root password (or keep root on unix_socket authentication, where offered)
- remove anonymous users
- disallow root login remotely
- remove the test database and access to it
- reload the privilege tables so the changes take effect immediately
Managing user privileges effectively is crucial. Here are best practices:
Create a dedicated account per application and grant it privileges only on the database it uses, never global privileges (ON *.*):
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON your_database.* TO 'user'@'localhost';
Apply least privilege: an account that only reads data should get only SELECT, so that a compromised application cannot modify or destroy data:
GRANT SELECT ON your_database.* TO 'user'@'localhost';
Use strong, unique passwords for all MariaDB accounts.
Limit remote access to specific users and IP addresses. The host part of the account name is the control: 'user'@'192.168.1.100' can authenticate only from that address, whereas 'user'@'%' can connect from anywhere. Create the account with its host restriction first and grant afterwards (GRANT ... IDENTIFIED BY still works in MariaDB, but mixing account creation into GRANT makes it easy to create accounts by accident):
CREATE USER 'user'@'192.168.1.100' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON your_database.* TO 'user'@'192.168.1.100';
Use the REVOKE command to remove privileges an account no longer needs, and confirm the result with SHOW GRANTS FOR 'user'@'localhost':
REVOKE ALL PRIVILEGES ON your_database.* FROM 'user'@'localhost';
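The fragments above, put together into one least-privilege layout as an added example (this is not code from the original page; the database name shop, the account names, the subnet 10.0.1.0/24 and the reporting host are assumptions):

```sql
-- Added example: least-privilege accounts for a hypothetical database `shop`.
-- Names, hosts and the subnet are assumptions; replace them for your environment.

-- 1. Application account: reachable only from the app-server subnet and limited
--    to the DML it needs on the tables it uses (no DDL, no FILE, no SUPER).
CREATE USER 'shop_app'@'10.0.1.%' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE ON shop.orders    TO 'shop_app'@'10.0.1.%';
GRANT SELECT, INSERT, UPDATE ON shop.customers TO 'shop_app'@'10.0.1.%';
GRANT SELECT                 ON shop.products  TO 'shop_app'@'10.0.1.%';

-- 2. Reporting account: read-only, one host, capped simultaneous sessions so a
--    runaway report cannot exhaust max_connections.
CREATE USER 'shop_report'@'10.0.2.20' IDENTIFIED BY 'another-long-random-secret'
  WITH MAX_USER_CONNECTIONS 5;
GRANT SELECT ON shop.* TO 'shop_report'@'10.0.2.20';

-- 3. Verify exactly what each account can do before handing out credentials.
SHOW GRANTS FOR 'shop_app'@'10.0.1.%';
SHOW GRANTS FOR 'shop_report'@'10.0.2.20';

-- 4. Tightening later: take back a privilege that turned out to be unnecessary.
REVOKE UPDATE ON shop.customers FROM 'shop_app'@'10.0.1.%';

-- 5. Periodic review: accounts reachable from anywhere, and accounts holding
--    dangerous global privileges or the ability to grant their privileges onward.
SELECT user, host FROM mysql.user WHERE host = '%';
SELECT grantee, privilege_type, is_grantable
  FROM information_schema.user_privileges
 WHERE privilege_type IN ('SUPER', 'FILE', 'PROCESS') OR is_grantable = 'YES';

-- 6. Drop accounts that are no longer needed instead of leaving them around.
DROP USER IF EXISTS 'old_user'@'localhost';
```

CREATE USER, GRANT and REVOKE take effect immediately; FLUSH PRIVILEGES is only needed after editing the grant tables directly. Step 5 is the query to run on a schedule: a '%' host on an application account, or FILE/SUPER on anything but an administrator, is a finding.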
MariaDB supports encryption for both data-at-rest and data-in-transit.
Data-at-rest encryption needs a key-management plugin loaded before it can be used. The simplest is file_key_management, enabled in the server configuration with plugin_load_add = file_key_management and pointed at a key file with file_key_management_filename; protect that file, because anyone who can read it can decrypt the data. With a key-management plugin active, encrypt a table's tablespace:
ALTER TABLE your_table ENCRYPTED=YES;
Without a key-management plugin this statement fails. Table encryption covers the InnoDB data file; set innodb_encrypt_log = ON as well, or plaintext rows remain in the redo log. Encryption at rest protects against theft of the files or backups, not against a user who already has SQL access to the data.
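Checking that encryption at rest is really in effect, as an added example (not from the original page). It assumes file_key_management was configured in the server configuration and the server restarted, that the key file defines a key with id 2, and a hypothetical database shop:

```sql
-- Added example: verify the prerequisites, encrypt, and confirm on disk state.
-- Assumes file_key_management is configured in my.cnf and key id 2 exists in its key file.

-- The key-management plugin must be ACTIVE; ALTER TABLE ... ENCRYPTED=YES fails without one.
SELECT plugin_name, plugin_status
  FROM information_schema.plugins
 WHERE plugin_name = 'file_key_management';

-- innodb_encrypt_log is not dynamic: it must be set in the config. Confirm it is ON,
-- otherwise plaintext rows still reach the redo log.
SELECT @@innodb_encrypt_log;

-- Encrypt one table with a dedicated key id (key rotation can then target just this key).
ALTER TABLE shop.customers ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Make encryption the default for new InnoDB tables and let background threads
-- encrypt the existing unencrypted tablespaces.
SET GLOBAL innodb_encrypt_tables = ON;
SET GLOBAL innodb_encryption_threads = 4;

-- Confirm: encryption_scheme = 1 means the tablespace is encrypted; 0 means it is not.
-- Rows with rotating_or_flushing = 1 are still being converted.
SELECT name, encryption_scheme, current_key_id, min_key_version, rotating_or_flushing
  FROM information_schema.innodb_tablespaces_encryption
 WHERE name LIKE 'shop/%';
```

The last query is the one to re-run after enabling innodb_encrypt_tables: until every tablespace you care about shows encryption_scheme = 1 and the conversion has finished, a copy of the data directory still contains plaintext.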
Starting with MariaDB 11.4, SSL is enabled by default with automatic self-signed certificate generation. A self-signed certificate gives you encryption but not a verifiable server identity, so for production use certificates issued by a CA your clients trust. Add the following to the server configuration (for example /etc/mysql/mariadb.conf.d/50-server.cnf):
[mysqld]
ssl-ca = /etc/mysql/certs/ca-cert.pem
ssl-cert = /etc/mysql/certs/server-cert.pem
ssl-key = /etc/mysql/certs/server-key.pem
tls_version = TLSv1.2,TLSv1.3
require_secure_transport = ON
tls_version is the option that disables the old protocol versions; ssl-cipher takes an OpenSSL cipher list, not a protocol name, so ssl-cipher = 'TLSv1.2' would not do what it appears to. require_secure_transport = ON rejects every TCP connection that is not using TLS (Unix socket connections are unaffected). Keep the private key readable only by the mysql user.
sudo systemctl restart mariadb
mariadb -u root -p -e "SHOW VARIABLES LIKE 'ssl%';"
have_ssl must report YES. To confirm that a given session is actually encrypted, run SHOW SESSION STATUS LIKE 'Ssl_cipher' from the client: an empty value means the session is plaintext.
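Enforcing TLS per account and verifying a session from the SQL side, as an added example (not from the original page). It assumes the server configuration above is in place; the account names, certificate subject and issuer are assumptions:

```sql
-- Added example: per-account TLS requirements and session verification.
-- Account names, subject and issuer strings are illustrative.

-- Server side: TLS available, old protocol versions off, plaintext TCP rejected.
SHOW VARIABLES WHERE Variable_name IN
  ('have_ssl', 'tls_version', 'require_secure_transport', 'ssl_cert');

-- Require TLS for an account even if require_secure_transport is later relaxed.
ALTER USER 'shop_app'@'10.0.1.%' REQUIRE SSL;

-- Stronger: mutual TLS. The client must present a certificate with this subject,
-- issued by this CA; a stolen password alone is then not enough to connect.
ALTER USER 'shop_report'@'10.0.2.20'
  REQUIRE SUBJECT '/CN=reporting.example.internal' AND ISSUER '/CN=Internal DB CA';

-- Which accounts still have no TLS requirement at all? ('' = none, ANY = REQUIRE SSL,
-- X509 = REQUIRE X509, SPECIFIED = subject/issuer/cipher constraints)
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type = '';

-- From a client session: confirm encryption and the negotiated protocol and cipher.
-- Ssl_version should be TLSv1.2 or TLSv1.3; an empty Ssl_cipher means plaintext.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');
```

The ssl_type query is the useful recurring check: require_secure_transport protects the whole server, but per-account REQUIRE clauses survive a config change and let you demand client certificates only for the accounts that warrant it.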
Two separate controls limit where connections can come from. The first is bind-address, which decides which network interface the server listens on; check /etc/mysql/mariadb.conf.d/50-server.cnf:
[mysqld]
bind-address = 127.0.0.1
With bind-address = 127.0.0.1 (the Debian/Ubuntu default) MariaDB accepts TCP connections only from the local machine, so remote clients need either a wider bind-address or an SSH tunnel. The second control is the host part of the root account: root should exist only as 'root'@'localhost' (on Debian/Ubuntu it authenticates via unix_socket by default, so it has no password usable over the network at all). Never create 'root'@'%' or grant administrative privileges to an account with a remote host part. If you must open the port, restrict it to the application hosts with the firewall rules below.
MariaDB includes an optional Audit Plugin (server_audit) that logs connection attempts, queries and privilege changes with the originating user and host, so that you can monitor database activity and detect suspicious behaviour. To enable it:
INSTALL PLUGIN server_audit SONAME 'server_audit.so';
SET GLOBAL server_audit_logging=ON;
Configure what to log with server_audit_events, which takes a list of CONNECT, QUERY, TABLE, QUERY_DDL, QUERY_DML and QUERY_DCL; server_audit_excl_users and server_audit_incl_users select accounts, and server_audit_file_path and server_audit_output_type (file or syslog) decide where the log goes. Logging all queries records the data inside them, so prefer CONNECT plus DDL/DCL unless you are investigating. Add server_audit = FORCE_PLUS_PERMANENT to the [mysqld] section so that a privileged attacker cannot simply UNINSTALL the plugin to stop the record.
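Tuning the plugin and then hunting in its log with SQL, as an added example (not from the original page). It assumes the plugin writes its default file in the data directory, that the account running LOAD DATA has the FILE privilege and that secure_file_priv permits the path; the monitoring account name and the application subnet are assumptions:

```sql
-- Added example: audit plugin tuning and log analysis. Paths and names are assumptions.

-- Connections plus schema and privilege changes: high signal, low volume, no row data.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL';
SET GLOBAL server_audit_excl_users = 'monitoring';     -- skip the health-check account
SET GLOBAL server_audit_file_rotate_size = 104857600;  -- rotate at 100 MiB

-- The file is CSV-like: timestamp,serverhost,username,host,connectionid,queryid,
-- operation,database,object,retcode (object is the quoted statement for query events).
CREATE TABLE IF NOT EXISTS audit_events (
  ts            DATETIME,
  serverhost    VARCHAR(64),
  username      VARCHAR(128),
  host          VARCHAR(255),
  connection_id BIGINT,
  query_id      BIGINT,
  operation     VARCHAR(32),
  db            VARCHAR(64),
  object        TEXT,
  retcode       INT
);

LOAD DATA INFILE '/var/lib/mysql/server_audit.log'
INTO TABLE audit_events
FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '\''
LINES TERMINATED BY '\n'
(@ts, serverhost, username, host, connection_id, query_id, operation, db, object, retcode)
SET ts = STR_TO_DATE(@ts, '%Y%m%d %H:%i:%s');

-- Brute force or password spraying: many failed logins from one host in ten minutes.
SELECT host, COUNT(*) AS failures, MIN(ts) AS first_seen, MAX(ts) AS last_seen
  FROM audit_events
 WHERE operation = 'FAILED_CONNECT'
   AND ts > NOW() - INTERVAL 10 MINUTE
 GROUP BY host
HAVING failures >= 10;

-- Privilege changes are rare and worth reading every single time.
SELECT ts, username, host, object
  FROM audit_events
 WHERE operation = 'QUERY_DCL'
 ORDER BY ts DESC;

-- Successful logins from hosts the application is not supposed to use.
SELECT DISTINCT username, host
  FROM audit_events
 WHERE operation = 'CONNECT'
   AND host NOT LIKE '10.0.1.%'
   AND host <> 'localhost';
```

In production the same three queries run against the log shipped to your SIEM rather than against a copy loaded back into the database it describes; loading it locally is convenient for an incident review, but the log must also live somewhere the database's own administrators cannot edit.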
Restrict network access to port 3306 with a host firewall so that only the application servers can reach it, for example with ufw:
sudo ufw allow from <trusted-ip> to any port 3306
Keep the default deny policy for incoming traffic so that every other source is blocked; a firewall rule is the backstop for the day bind-address has to be widened.
Security vulnerabilities are discovered over time, and new versions often include security patches. Make sure your MariaDB installation is regularly updated:
# Debian/Ubuntu
sudo apt update
sudo apt upgrade mariadb-server
# RHEL-family
sudo dnf update mariadb-server
Regularly review MariaDB logs for signs of unauthorized access or suspicious activity. The error log (log_error) records aborted and failed connections (how much is controlled by log_warnings) and is always worth watching. The general query log captures every statement, including the data in it, and costs I/O, so enable it only temporarily for an investigation:
[mysqld]
general_log = 1
general_log_file = /var/log/mysql/mysql.log
The slow query log is a performance tool, but it is also a cheap detector for time-based blind SQL injection, which deliberately makes queries slow with SLEEP() or BENCHMARK(); such statements stand out in it:
[mysqld]
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
To prevent SQL injection, build every statement that carries user input with parameterized queries (prepared statements) in the application driver, never by string concatenation; validate input as a secondary measure, not the primary one; and keep application accounts least-privileged so that an injection that does get through cannot read other schemas, write files or change privileges.
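The vulnerable pattern next to the safe one, using MariaDB's own dynamic SQL so the difference is visible inside the server, as an added example (not from the original page). The users table, its two rows and both procedures are constructed for the demonstration; the unsafe procedure is deliberately vulnerable:

```sql
-- Added example: string-built SQL versus a bound parameter. Constructed sample data.
CREATE TABLE users (id INT PRIMARY KEY, email VARCHAR(255));
INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com');

DELIMITER //

-- VULNERABLE (deliberately): the caller's input becomes part of the statement text.
CREATE PROCEDURE find_user_unsafe(IN p_email VARCHAR(255))
BEGIN
  EXECUTE IMMEDIATE CONCAT('SELECT id, email FROM users WHERE email = ''', p_email, '''');
END //

-- SAFE: the input travels as a bound parameter and can never change the query's structure.
CREATE PROCEDURE find_user_safe(IN p_email VARCHAR(255))
BEGIN
  EXECUTE IMMEDIATE 'SELECT id, email FROM users WHERE email = ?' USING p_email;
END //

DELIMITER ;

-- Attacker input: closes the string literal and appends a tautology.
SET @evil = 'x'' OR ''1''=''1';

-- Executes: SELECT id, email FROM users WHERE email = 'x' OR '1'='1'  -> both rows leak.
CALL find_user_unsafe(@evil);

-- Compares the column against the literal string x' OR '1'='1  -> no rows.
CALL find_user_safe(@evil);
```

The same rule applies in application code: the driver's placeholder mechanism (? in most MariaDB connectors) does what the USING clause does here, and the application account's privileges decide how bad a mistake in the unsafe style can be.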
Regularly back up your database and ensure backups are encrypted and stored securely, ideally where the database administrators cannot silently alter them. Use mariadb-dump (mysqldump) for logical backups or mariadb-backup (Mariabackup) for consistent physical backups; Percona XtraBackup is not supported with current MariaDB releases. Test a restore: an untested backup is not a backup.
With MariaDB 11.4+, several security features are enabled by default:
- the server generates a self-signed certificate and accepts TLS connections without any configuration
- clients connect over TLS and verify the server certificate (--ssl-verify-server-cert enabled), so a plain man-in-the-middle on the database port no longer works out of the box
Enforce strong passwords with a password-validation plugin. MariaDB ships simple_password_check (and cracklib_password_check); the validate_password plugin belongs to MySQL and is not available in MariaDB:
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length = 12;
SET GLOBAL simple_password_check_digits = 1;
SET GLOBAL simple_password_check_letters_same_case = 1;
SET GLOBAL simple_password_check_other_characters = 1;
Leave strict_password_validation at its default of ON, otherwise a password supplied as a pre-computed hash bypasses the check.
Limit connections per user to prevent resource exhaustion. MAX_CONNECTIONS_PER_HOUR caps how often an account may connect; MAX_USER_CONNECTIONS caps how many sessions it may hold at once, which is usually what stops a runaway or malicious client from filling max_connections. Note that the '%' host below means the account may connect from any address; prefer a specific host or subnet:
CREATE USER 'limited_user'@'%' IDENTIFIED BY 'password' WITH MAX_CONNECTIONS_PER_HOUR 100;
Set sql_mode so that invalid or out-of-range data is rejected instead of silently truncated, and so that GRANT cannot create a passwordless account as a side effect (NO_AUTO_CREATE_USER):
[mysqld]
sql_mode = "STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
By following these practices, you can significantly enhance the security of your MariaDB installation. Always adapt these recommendations to your environment and threat model: the MariaDB 11.4 defaults give you an encrypted transport out of the box, but account hygiene, network exposure, auditing and patching remain your responsibility.