These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for mysql not securised ? on the new forum.
Web Hosting and Cloud Computing Control Panels
Ok, i found a solution to secure mysql after Virtualmin install. I think, it will be good to add it in next version or in FAQ, it's a very strong hole if it's détected.
After install of virtualmin, mysql is open for external connexion with full rights for user "root" without password.
Anybody that connect to the server and use "root" as login can access all the mysql databases without restriction.
On CentOS 4.3 i do this (I ma sure, that works with other distros)
1°) connect in ssh to the server, and after login as superuser. Type this
>mysql_secure_installation
Answer the questions, the most important is the first who ask you to set a password to mysql "root" user. Disable external logins (only localhost logins allowed) and disable anonymous access.
2°) Return to Virtualmin, click on "webmin" and go to "servers" section and "Database server"
At this point, Webmin will ask you to enter a login and password to access mysql databases. Enter your login/password that you set with "mysql_secure_installation" command. After that, Virtualmin database creation/modifications functions will works again and fully securised.
I hope i don't make mistakes :)
Hey Mathieu,
I had no idea MySQL installed by default with absolutely zero security. That's a bit sickening, if true. I've never used MySQL for anything, but I always assumed it acted just like PostgreSQL and didn't allow remote administrative connections by default, and only allowed the actual root user to connect locally as root. I'll have to do a bit of digging on this...it seems almost unimaginable that CentOS would ship packages that are insecure by default. The MySQL packages are not ours, and we don't any changes to them--we just start the MySQL server and set it to start on boot.
Anyway, if this is actually the way MySQL works out of the box, I'll file a bug with RHEL/CentOS/Fedora, as that would be dead wrong behavior.
--
Check out the forum guidelines!
I test mysql on debian and ubuntu dapper and it's packaged identicaly as Redhat/centos, no security by defaut, runing the script "mysql_security_config" is needed for secure it.
I am surprised too but perhaps it's because they think there is good administrator behind lol :p
Its always been my experience that a fresh install of mysql creates a single user account for root@localhost with no password. Although it shouldnt be possible for anyone to connect remotely, even if you have opened 3306 on the firewall. When installing from RPM it does give some big warnings about this, but if its installed with the OS you're not going to see that.
I'm used to having to fix this issue when i do an install, but it should be fairly simple for VM to fix during the install process so that its not left open by someone less familiar with MySQL.
Chris
Related ticket at https://virtualmin.com/node/34049
- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community