MySQL / MariaDB: install and configure
In this article you'll install MariaDB — the modern standard "MySQL" for Linux — on your mHost VPS, run mysql_secure_installation to lock it down, create a database with a dedicated user and privileges, configure bind-address for local-only or remote access, and connect to the server with the mysql client.
What you'll need
- An mHost VPS running Ubuntu 22.04/24.04, Debian 11/12, or AlmaLinux/Rocky Linux 8/9.
- SSH access as root or a user with sudo.
Step 1. Install MariaDB
Ubuntu / Debian
apt update
apt install mariadb-serverAlmaLinux / Rocky Linux
dnf install mariadb-serverThe mariadb-server package is in the standard repository for both distro families (AppStream on AlmaLinux/Rocky) — no third-party repo needed. The client — the mysql command — is installed alongside the server automatically.
Check that it installed:
mysql --versionStep 2. Enable and start MariaDB
systemctl enable --now mariadb
systemctl status mariadbenable --now both adds MariaDB to startup and starts it immediately. The status should show active (running).
Step 3. Secure the installation: mysql_secure_installation
A fresh MariaDB install isn't locked down yet — it has anonymous users, a test database, and a root account with no restriction on remote login. The mysql_secure_installation script fixes all of that in one pass:
mysql_secure_installationThe script asks a series of questions:
- Enter current password for root — a fresh install has no password yet, just press Enter.
- Switch to unix_socket authentication (the wording varies between versions, and on Ubuntu/Debian the question may not appear at all — that login method is already enabled by default there) — say yes (
Y): it lets root log in without a password, but only from the server itself as the system root user, and it's more secure than a password. - Change the root password — if you're keeping unix_socket auth, a separate root password isn't required, so you can answer
n; if you want a password in addition to the socket, answerYand set a strong one. - Remove anonymous users —
Y. - Disallow root login remotely —
Y: root shouldn't be able to log in over the network at all. - Remove test database and access to it —
Y. - Reload privilege tables now —
Y.
Step 4. Create a database, a user, and privileges
Connect to the MariaDB console as root:
mysqlInside the console (the MariaDB [(none)]> prompt), run three statements in a row — replace app_db, app_user, and especially STRONG_PASSWORD_HERE with your own values:
CREATE DATABASE app_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD_HERE';
GRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'localhost';CREATE DATABASE— theutf8mb4charset correctly stores any character, including emoji and most languages; plainutf8(withoutmb4) in MySQL/MariaDB is a legacy 3-byte variant not used for new projects.CREATE USER— the@'localhost'part restricts the user to connections from this same server (over a unix socket or127.0.0.1). Remote access needs a separate entry — see step 5.GRANT— privileges are granted only on theapp_dbdatabase, not on every database on the server (*.*). That's enough for an ordinary application; don't userootfor application connections.
Check that the privileges were granted correctly:
SHOW GRANTS FOR 'app_user'@'localhost';Exit the console:
EXIT;Step 5. bind-address: local-only or remote access
bind-address determines which network interface MariaDB accepts TCP connections on. Check the current value straight from the client:
mysql -e "SHOW VARIABLES LIKE 'bind_address';"or at the OS level:
ss -tlnp | grep 3306Local access only (default, recommended)
If the database is only needed by an application on this same VPS (PHP, Django, FastAPI, Node.js — doesn't matter, they all connect over localhost), there's no need to open port 3306 to the outside at all — this is the safest option.
On Ubuntu/Debian this is already the default in the package's config:
# /etc/mysql/mariadb.conf.d/50-server.cnf — [mysqld]
bind-address = 127.0.0.1# /etc/my.cnf.d/mariadb-server.cnf — [mysqld]
bind-address = 127.0.0.1After editing the file, restart MariaDB — restart, not reload: bind-address is only applied at startup:
systemctl restart mariadbRemote access
If you need to connect to the database from outside — from another server or your own computer — change bind-address to the VPS's public IP address, or to 0.0.0.0 (listen on all interfaces):
bind-address = 0.0.0.0and restart MariaDB the same way as above.
Then add a separate user for connecting from that external address specifically — the @'localhost' entry from step 4 won't match remote connections:
CREATE USER 'app_user'@'203.0.113.10' IDENTIFIED BY 'STRONG_PASSWORD_HERE';
GRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'203.0.113.10';Replace 203.0.113.10 with the actual IP address you'll be connecting from. Instead of '%' (allow from any IP), try to specify a concrete address or subnet — that way the password isn't your only line of defense.
Ubuntu / Debian (ufw)
ufw allow from 203.0.113.10 to any port 3306 proto tcpAlmaLinux / Rocky (firewalld)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.10" port protocol="tcp" port="3306" accept'
firewall-cmd --reloadStep 6. Connect with the client
Locally, on the VPS itself
As root, login is passwordless, via the unix socket (see step 3):
mysqlAs the application user — with a password:
mysql -u app_user -p app_dbThe client will prompt for the password (STRONG_PASSWORD_HERE from step 4) and open the MariaDB [app_db]> prompt.
Remotely, from another computer
Install a client on the machine you'll be connecting from:
- Ubuntu/Debian:
apt install mariadb-client - AlmaLinux/Rocky/Fedora:
dnf install mariadb - macOS (Homebrew):
brew install mariadb
Connect, specifying the server's IP:
mysql -h SERVER_IP -u app_user -p app_dbGUI clients understand the same protocol too — DBeaver, TablePlus, HeidiSQL, MySQL Workbench: point them at the same host, port 3306, username, and password.
SHOW DATABASES;app_db should be in the list.
What's next
Sooner or later you'll need to restore the data in this database — don't put off setting up regular backups, see "Database backups". If you haven't restricted access to the server with a firewall yet, go back to the "Setting up the UFW firewall" article — without it, an open port 3306 (or really any service) stays exposed to scanning and brute-forcing.