MySQL 101: Installation, care, and feeding on Ubuntu

If that's not something you're comfortable with, you'll want to set a password on the root account itself.To change the password on a MySQL user account, we can use the ALTER USER command:mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'super-strong-password'; MySQL users who have privileges on *.* will have privileges to work with the new database by default, but that's not how you'll want applications to access it.One very common practice is to create a username that matches the database name and has privileges only on that database—this is the account you would then feed to your application (for example, a web application like WordPress).mysql> grant all on dbname.* to 'dbname'@'localhost' identified by 'another-password';Query OK, 0 rows affected, 1 warning (0.00 sec)Remember—the new account you just created can only log in from the hostname you specify after the @. If you need the account to work from any hostname, you can use the MySQL wildcard character %:mysql> grant all on dbname.* to 'dbname'@'%' identified by 'another-password';Query OK, 0 rows affected, 1 warning (0.00 sec)In this case, the dbname user account will be able to log in from any network location—assuming that network location can reach MySQL at all, of course. Or you might prefer ufw allow in on eth0 to any port 3306 to allow any connections coming in over eth0 (but not any coming in over eth1 or other interfaces).If you're using iptables, the syntax is quite similar—for example, iptables -A INPUT -p tcp --dport 3306 -s 1.2.3.0/24 -j ACCEPT—but you'll also need to know how, where, and when you're saving and loading your iptables ruleset, which is unfortunately beyond our scope today.Once you've changed your bind-address and created any necessary firewall rules to limit who can hammer on your newly exposed MySQL instance, you can restart MySQL using systemd's systemctl command:jim@locutus:~$ sudo systemctl restart mysqlBe careful to never expose MySQL to the Internet at large—if you change your bind-address to something that might expose MySQL to the entire world, create (and test!) the system firewall rule that prevents it from being so broad before restarting MySQL and actually applying the more liberal bind-address setting.You must login or create an account to comment.Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox.