@rom3r4
Last active August 29, 2015 14:06
user commands, MySQL

```sql
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
FLUSH PRIVILEGES;

DROP USER 'newuser'@'localhost';

-- MySQL 5.x syntax: the PASSWORD() function was removed in MySQL 8.0.
SET PASSWORD FOR 'newuser'@'localhost' = PASSWORD('mypass');

-- Templates: replace each [bracketed] placeholder before running.
GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';
REVOKE [type of permission] ON [database name].[table name] FROM '[username]'@'localhost';

-- Identifiers take backticks, not single quotes.
CREATE DATABASE `database`;
DROP DATABASE `database`;
```

### Disable or restrict remote access

Consider whether MySQL will be accessed from the network or only from its own server. If remote access is used, ensure that only defined hosts can access the server. This is typically done through TCP wrappers, iptables, or any other firewall software or hardware available on the market.

To prevent MySQL from opening a network socket, add the following parameter to the [mysqld] section of my.cnf or my.ini:

```
skip-networking
```

The file is located in the "C:\Program Files\MySQL\MySQL Server 5.1" directory on the Windows operating system, or at "/etc/my.cnf" or "/etc/mysql/my.cnf" on Linux. This line disables the initiation of networking during MySQL startup. Note that a local connection can still be established to the MySQL server.

Another possible solution is to force MySQL to listen only on localhost by adding the following line to the [mysqld] section of my.cnf:

```
bind-address=127.0.0.1
```

You may not be willing to disable network access to your database server if users in your organization connect to the server from their machines, or if the web server is installed on a different machine. In that case, consider the following restrictive grant syntax:

```
mysql> GRANT SELECT, INSERT ON mydb.* TO 'someuser'@'somehost';
```
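The following added example (not part of the original gist) checks an option file for the two settings described above and reports whether mysqld ends up with networking disabled, bound to loopback, or reachable from other hosts. It assumes only the [mysqld] group matters, as the text names; the function name and the sample files are constructed for illustration.

```python
# Added example (not from the original gist): classify how a my.cnf / my.ini
# exposes mysqld to the network, based on skip-networking and bind-address.
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def mysqld_network_exposure(cnf_text):
    """Return 'disabled', 'loopback' or 'exposed' for the [mysqld] section."""
    section = None
    skip_networking = False
    bind_address = None  # unset: the server is not restricted to loopback
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline '#' comments
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue  # e.g. options under [client] never reach the server
        name, _, value = line.partition("=")
        name = name.strip().lower().replace("_", "-")  # '_' and '-' are equivalent
        value = value.strip().strip("'\"")
        if name == "skip-networking":
            skip_networking = value.lower() not in {"0", "off", "false"}
        elif name == "bind-address":
            bind_address = value.lower()         # the last occurrence wins
    if skip_networking:
        return "disabled"
    if bind_address in LOOPBACK:
        return "loopback"
    return "exposed"

# Constructed sample files (not taken from a real server).
WRONG_SECTION = "[client]\nbind-address=127.0.0.1\n\n[mysqld]\nport=3306\n"
LOOPBACK_ONLY = "[mysqld]\nbind_address = 127.0.0.1  # local clients only\n"
NO_SOCKET = "; hardened\n[mysqld]\nskip-networking\nbind-address=0.0.0.0\n"

if __name__ == "__main__":
    for label, text in [("wrong section", WRONG_SECTION),
                        ("loopback", LOOPBACK_ONLY),
                        ("no socket", NO_SOCKET)]:
        print(label, "->", mysqld_network_exposure(text))
```

The first sample shows the common mistake: a bind-address placed under [client] leaves the server listening on its default address.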

### Change root username and password

The default administrator username on the MySQL server is "root". Hackers often attempt to gain access to its permissions. To make this task harder, rename "root" to something else and give it a long, complex alphanumeric password.

To rename the administrator's username, use the rename command in the MySQL console:

```
mysql> RENAME USER root TO new_user;
```

The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can use other commands to rename a user:

```
mysql> use mysql;
mysql> update user set user="new_user" where user="root";
mysql> flush privileges;
```

To change a user's password, use the following command:

```
mysql> SET PASSWORD FOR 'username'@'%hostname' = PASSWORD('newpass');
```

It is also possible to change the password using the "mysqladmin" utility. A password given on the command line is recorded in the shell history and may be visible in the process list.

```
shell> mysqladmin -u username -p password newpass
```

### Remove the "test" database

MySQL comes with a "test" database intended as a test space. It can be accessed by the anonymous user, and is therefore used by numerous attacks. To remove this database, use the drop command as follows:

```
mysql> drop database test;
```

Or use the "mysqladmin" command:

```
shell> mysqladmin -u username -p drop test
```

### Remove anonymous and obsolete accounts

The MySQL database comes with some anonymous users with blank passwords. As a result, anyone can connect to the database. To check whether this is the case, do the following:

```
mysql> select * from mysql.user where user="";
```

In a secure system, no rows should be returned. Another way to do the same:

```
mysql> SHOW GRANTS FOR ''@'localhost';
mysql> SHOW GRANTS FOR ''@'myhost';
```

If the grants exist, then anybody can access the database and at least use the default database "test". Check this with:

```
shell> mysql -u blablabla
```

To remove the accounts, execute the following commands. An account name given without a host part means ''@'%', so name the host of each anonymous account found above:

```
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'myhost';
```

The MySQL "DROP USER" command is supported starting with MySQL version 5.0. If you use an older version of MySQL, you can remove the account as follows:

```
mysql> use mysql;
mysql> DELETE FROM user WHERE user="";
mysql> flush privileges;
```
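The account checks from this section and from the root-account section can be run together over a dump of the user table. This is an added example, not part of the original gist; it assumes tab-separated user, host and password-hash rows such as `mysql -N -B -e "SELECT user, host, password FROM mysql.user"` prints on a MySQL 5.x server, and it also flags wildcard hosts, which goes slightly beyond the text's "only defined hosts" advice.

```python
# Added example (not from the original gist). Assumed input: one account per
# line as user<TAB>host<TAB>password-hash, from a MySQL 5.x mysql.user table.

def audit_accounts(dump, admin_names=("root",)):
    """Return (account, issue) pairs, in input order, for the weaknesses above."""
    findings = []
    for row in dump.split("\n"):
        if not row.strip():
            continue
        # Anonymous rows start with an empty field, so split before trimming.
        fields = row.rstrip("\r").split("\t")
        user, host, pw_hash = (fields + ["", ""])[:3]
        account = "'%s'@'%s'" % (user, host)
        if user == "":
            findings.append((account, "anonymous account"))
        if pw_hash == "":
            findings.append((account, "blank password"))
        if user in admin_names:
            findings.append((account, "administrator still uses a default name"))
        if "%" in host:
            findings.append((account, "host is a wildcard"))
    return findings

# Constructed sample dump; the hashes are placeholders, not real values.
SAMPLE_DUMP = "\n".join([
    "root\tlocalhost\t*PLACEHOLDER_HASH_1",
    "\tlocalhost\t",
    "\tmyhost\t",
    "app\t%\t*PLACEHOLDER_HASH_2",
    "dba\tlocalhost\t*PLACEHOLDER_HASH_3",
])

if __name__ == "__main__":
    for account, issue in audit_accounts(SAMPLE_DUMP):
        print("%-22s %s" % (account, issue))
```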
