A default MySQL installation exposes several security risks — anonymous users, a test database, and root remote login. Beyond the initial security script, additional hardening significantly reduces your attack surface. This guide walks through a thorough MySQL 9 security hardening process on Ubuntu 26.04 LTS.

Tested and valid on:

  • Ubuntu 26.04 LTS

Prerequisites

  • Ubuntu 26.04 LTS with MySQL 9 installed
  • A user with sudo privileges
  • mysql_secure_installation already run

Step 1 – Remove Anonymous Users and Test DB

If not done via mysql_secure_installation:

sudo mysql
DROP USER IF EXISTS ''@'localhost';
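-- The mysql client does not expand shell syntax such as $(hostname);
-- replace your_hostname with the output of the hostname command.
DROP USER IF EXISTS ''@'your_hostname';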
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;
exit

Step 2 – Disable Remote Root Login

sudo mysql
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;
exit

Step 3 – Change the Root Authentication to Password

For applications that need password-based root (not auth_socket), set a password, replacing the sample value below with your own:

sudo mysql
ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'VeryStrongRootPass2026!';
FLUSH PRIVILEGES;
exit

Step 4 – Bind MySQL to Localhost

Prevent external connections unless specifically needed:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

Ensure:

bind-address = 127.0.0.1

Then restart MySQL:

sudo systemctl restart mysql

Step 5 – Enable the Error Log

Monitor for suspicious activity:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

Add:

log_error = /var/log/mysql/error.log

Step 6 – Revoke Excessive Privileges

Audit all users with broad privileges:

sudo mysql
SELECT User, Host, Super_priv, Grant_priv FROM mysql.user;
exit
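
To turn the Step 6 listing into findings, the following added example (not part of the original guide) flags the account types this guide removes or restricts: anonymous users, root on a non-local host, and non-root accounts holding SUPER or the grant option. The function names, finding labels and sample rows are assumptions made here, and the built-in mysql.* accounts are treated as out of scope.

```shell
#!/usr/bin/env bash
# Added example: flag risky rows in the Step 6 account listing.
# Real input (tab-separated User, Host, Super_priv, Grant_priv):
#   sudo mysql -N -B -e "SELECT User, Host, Super_priv, Grant_priv FROM mysql.user" | audit_mysql_users

audit_mysql_users() {
  awk -F'\t' '
    # Hosts that Step 2 keeps for root
    function is_local(h) { return h == "localhost" || h == "127.0.0.1" || h == "::1" }
    # Assumption: accounts named mysql.* are the built-in locked system accounts
    $1 ~ /^mysql\./ { next }
    {
      user = $1; host = $2; super = $3; grant = $4
      acct = "\047" user "\047@\047" host "\047"   # \047 is a single quote
      if (user == "")                        print "ANONYMOUS\t" acct
      if (user == "root" && !is_local(host)) print "REMOTE_ROOT\t" acct
      if (user != "root" && super == "Y")    print "SUPER\t" acct
      if (user != "root" && grant == "Y")    print "GRANT_OPTION\t" acct
      if (user != "" && host == "%")         print "ANY_HOST\t" acct
    }'
}

# Constructed sample rows, not output from a real server.
sample_rows() {
  printf '%s\t%s\t%s\t%s\n' \
    'root'      'localhost' 'Y' 'Y' \
    ''          'localhost' 'N' 'N' \
    'root'      '%'         'Y' 'Y' \
    'app'       '10.0.0.5'  'N' 'N' \
    'backup'    '%'         'Y' 'N' \
    'mysql.sys' 'localhost' 'N' 'N'
}

# Demonstration on the constructed sample
sample_rows | audit_mysql_users
```

Each finding line names an account to review; an empty result means none of the flagged patterns were present in the listing.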

Step 7 – Use UFW to Block External MySQL Access

sudo ufw deny 3306/tcp

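Only allow specific trusted IPs if remote access is needed. UFW applies the first matching rule, so insert the allow rule ahead of the deny rule added above:

sudo ufw insert 1 allow from 10.0.0.5 to any port 3306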

Step 8 – Keep MySQL Updated

sudo apt update && sudo apt upgrade mysql-server -y

Conclusion

MySQL 9 on your Ubuntu 26.04 LTS server is now hardened against the most common attack vectors. Combine this with regular backups, monitoring, and periodic privilege audits to maintain a secure database environment.