A default MySQL 8.0 installation has several security weaknesses that should be addressed before going to production. This guide walks through MySQL hardening best practices on Ubuntu 24.04 LTS.
Tested and valid on:
- Ubuntu 24.04 LTS
Prerequisites
- Ubuntu 24.04 LTS server with MySQL 8.0 installed
- A user with sudo privileges
Step 1 – Run mysql_secure_installation
If not already done, run the security wizard:
sudo mysql_secure_installation
Set a strong root password, remove anonymous users, disable remote root login, and drop the test database.
Step 2 – Remove the Test Database
Log in and verify the test database is gone:
sudo mysql
SHOW DATABASES;
DROP DATABASE IF EXISTS test;
EXIT;
Step 3 – Disable Remote Root Login
Confirm root can only log in locally:
sudo mysql
SELECT host, user FROM mysql.user WHERE user='root';
EXIT;
If any row shows a non-localhost host, remove it from within the MySQL shell:
DELETE FROM mysql.user WHERE user='root' AND host != 'localhost';
FLUSH PRIVILEGES;
Step 4 – Create Application-Specific Users
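Never connect applications as root. Create a dedicated user with only the privileges the application needs, replacing the example password with a strong, unique one: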
sudo mysql
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'StrongAppPass123!';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
Step 5 – Bind MySQL to Localhost
If remote connections are not needed, bind to localhost:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
Set:
bind-address = 127.0.0.1
Restart MySQL:
sudo systemctl restart mysql
Step 6 – Enable MySQL Error Logging
Ensure error logging is active (check in mysqld.cnf):
log_error = /var/log/mysql/error.log
Step 7 – Enable Audit Logging (optional)
Enable the general query log to track all SQL activity (use sparingly in production — it’s verbose). Settings changed with SET GLOBAL apply only until the next MySQL restart:
sudo mysql
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/log/mysql/general.log';
Step 8 – Review User Privileges
Audit all users and their privileges:
sudo mysql
SELECT user, host, plugin FROM mysql.user;
SHOW GRANTS FOR 'appuser'@'localhost';
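The checks from Steps 1, 3, 5 and 6 can be scripted so they are repeatable. The following is an added example, not part of the original guide: it flags anonymous accounts, root rows with a non-localhost host, a bind-address other than 127.0.0.1, and a missing log_error. The function names, finding labels and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample inputs are constructed.

# audit_users FILE: tab-separated user/host/plugin rows, e.g. saved from
#   sudo mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
audit_users() {
  awk -F'\t' '
    NF < 2 { next }                                   # ignore blank lines
    $1 == "" { print "ANON_USER host=" $2 }           # Step 1: anonymous users
    $1 == "root" && $2 != "localhost" { print "REMOTE_ROOT host=" $2 }  # Step 3
  ' "$1"
}

# audit_config FILE: checks the [mysqld] section for the Step 5 and Step 6 settings.
audit_config() {
  awk '
    /^[ \t]*[#;]/ { next }                            # skip comment lines
    /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_mysqld && /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      gsub(/-/, "_", key)                             # bind-address and bind_address are the same option
      val = $0; sub(/^[^=]*=/, "", val); sub(/[ \t]*#.*/, "", val)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      opt[key] = val                                  # a later line overrides an earlier one
    }
    END {
      bind = ("bind_address" in opt) ? opt["bind_address"] : "unset"
      if (bind != "127.0.0.1") print "BIND_NOT_LOCAL value=" bind
      if (!("log_error" in opt) || opt["log_error"] == "") print "NO_ERROR_LOG"
    }
  ' "$1"
}

# Constructed sample data: one remote root row, one anonymous account, and a
# config whose later bind_address line overrides the safe one above it.
sample_dir=$(mktemp -d)
printf 'root\tlocalhost\tauth_socket\nroot\t%%\tcaching_sha2_password\n\tlocalhost\tcaching_sha2_password\nappuser\tlocalhost\tcaching_sha2_password\n' > "$sample_dir/users.tsv"
printf '[mysqld]\nbind-address = 127.0.0.1\n# log_error = /var/log/mysql/error.log\nbind_address = 0.0.0.0\n' > "$sample_dir/mysqld.cnf"

audit_users  "$sample_dir/users.tsv"
audit_config "$sample_dir/mysqld.cnf"
```

An empty result from both functions means the checked settings match the guide; each printed line is a finding to fix with the corresponding step.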
Conclusion
Your MySQL 8.0 installation on Ubuntu 24.04 LTS is now hardened. Regularly audit user privileges, keep MySQL updated, and monitor logs for unusual activity.