Verifying security

on 29.11.2010 15:02:21 by grant

I've got a couple security questions for you guys.

Is there a way to verify I've set a password for mysql's root?

I was previously running mysqld without --skip-networking until I
noticed port: 3306 was referenced in mysqld.err. The strange thing is
'nmap localhost' never found an open 3306 port and I wasn't running a
firewall on that system. Does this behavior make sense to anyone?

- Grant

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org

RE: Verifying security

on 29.11.2010 17:27:57 by Rolando Edwards

To verify that root has a password, do the following:

1) service mysql restart --skip-grant-tables
2) In MySQL, SELECT CONCAT('''',user,'''@''',host,'''') mysql_user,password from mysql.user where user='root';
This will show every host that root can login as along with the PASSWORD function-encrypted of the root password
3) service mysql restart

Make sure you have the user 'root'@'localhost';

With regard to --skip-networking, keep in mind that this blocks TCP/IP DB Connections
This will not block socket-based connections
i.e., this will block 'root'@'127.0.0.1', but not 'root'@'localhost'

Rolando A. Edwards
MySQL DBA (CMDBA)

155 Avenue of the Americas, Fifth Floor
New York, NY 10013
212-625-5307 (Work)
201-660-3221 (Cell)
AIM & Skype : RolandoLogicWorx
redwards@logicworks.net
http://www.linkedin.com/in/rolandoedwards



Re: Verifying security

on 29.11.2010 20:03:39 by Michael Dykman

Without flags to tell it otherwise, nmap only scans ports 1-1024;
higher numbered ports would have to be specified via nmap -p 1-5000
but see how much longer it takes.

- michael dykman



Re: Verifying security

on 03.12.2010 21:41:04 by grant

> without flags to tell it otherwise, nmap only scans ports 1-1024,
> higher numbered ports would have to be specified via nmap -p 1-5000
> but see how much longer it takes.

Bingo. That was it. I see now that I've had port 3306 open until
recently. I'm working on verifying that the mysql users have
passwords.

- Grant



Re: Verifying security

on 03.12.2010 22:09:36 by grant

> To verify that root has a password, do the following:
>
> 1) service mysql restart --skip-grant-tables
> 2) In MySQL, SELECT CONCAT('''',user,'''@''',host,'''') mysql_user,password from mysql.user where user='root';
> This will show every host that root can login as along with the PASSWORD function-encrypted of the root password
> 3) service mysql restart
>
> Make sure you have the user 'root'@'localhost';

I remembered my root mysql password and I was able to log into mysql
with it. I tested for a "mysql" user with:

SELECT CONCAT('''',user,'''@''',host,'''') mysql_user,password from
mysql.user where user='mysql';

and I got "Empty set (0.00 sec)". Can I issue a mysql command that
will check for other mysql users?

I just confirmed that I've had port 3306 open until recently. If
mysql root has a strong password and I don't have any mysql users
besides root, can I consider myself safe?

Are there any other essential steps I should take for a secure mysql
installation?

Is it necessary for mysql root to have a password since I'm the only
user on the system and port 3306 is closed?

> With regard to --skip-networking, keep in mind that this blocks TCP/IP DB Connections
> This will not block socket-based connections
> i.e., this will block 'root'@'127.0.0.1', but not 'root'@'localhost'

So --skip-networking keeps me safe from remote attackers but not from
local ones?

- Grant
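
Added example, not part of the thread or written by any of its participants: an account audit that extends the root-only query quoted above to every row in mysql.user, plus a check of how the server is exposed. It assumes the MySQL 5.x-era grant table used in the thread (a `password` column) and a login that can read mysql.user, such as root; the output column aliases are made up for this example.

```sql
-- Added example. Assumes mysql.user has a `password` column, as in the
-- queries quoted in this thread (MySQL 5.7 and later store the hash in
-- `authentication_string` instead).

-- 1) Every account, with the conditions worth reviewing flagged.
SELECT
    CONCAT('''', user, '''@''', host, '''') AS mysql_user,
    CASE
        WHEN password = ''         THEN 'NO PASSWORD'
        WHEN LENGTH(password) = 16 THEN 'old pre-4.1 hash'
        ELSE 'set'
    END AS password_state,
    CASE WHEN user = '' THEN 'anonymous' ELSE 'named' END AS account_type,
    CASE
        WHEN host IN ('localhost', '127.0.0.1', '::1') THEN 'local only'
        WHEN INSTR(host, '%') > 0 OR INSTR(host, '_') > 0 THEN 'wildcard host'
        ELSE 'specific remote host'
    END AS host_scope,
    Super_priv,
    Grant_priv,
    File_priv
FROM mysql.user
ORDER BY (password = '') DESC, user, host;

-- 2) Only the rows that need fixing: empty password or anonymous user.
--    "Empty set" here means every account has a password and a name.
SELECT CONCAT('''', user, '''@''', host, '''') AS mysql_user
FROM mysql.user
WHERE password = '' OR user = '';

-- 3) How the running server is exposed. skip_networking = ON means there is
--    no TCP/IP listener; clients can still connect through the socket file.
SHOW VARIABLES LIKE 'skip_networking';
SHOW VARIABLES LIKE 'port';
SHOW VARIABLES LIKE 'socket';
```

Query 1 returns one row per user/host pair, so the same user name can appear several times with different password states.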

