MySQL remains one of the most widely used relational database management systems. Ubuntu 26.04 ships with MySQL 8.4 from the default repositories, giving you a modern database engine without third-party sources. This guide covers installation, security hardening with mysql_secure_installation, user management, and safe remote access configuration.
[!TIP] Real-World Scenario: You’re building a classic WordPress blog or a high-traffic Laravel app, and you need a database that just works without a Ph.D. in computer science. MySQL 8.4 on Ubuntu 26.04 is that reliable workhorse that won’t let you down when the traffic spikes.
- sudo apt install mysql-server (install MySQL)
- sudo systemctl status mysql (verify service is running)
- sudo mysql_secure_installation (run security hardening)
- sudo mysql (log in as root)
- Edit /etc/mysql/mysql.conf.d/mysqld.cnf for remote access
- sudo ufw allow from client-ip to any port 3306 (open firewall)
Prerequisites
Before you start, you need:
- Ubuntu 26.04 server with sudo access
- Basic familiarity with SQL commands
How do I install MySQL?
MySQL is available directly from Ubuntu 26.04 repositories. Update your package index and install:
sudo apt update
sudo apt install mysql-server
The service starts automatically after installation. Verify it’s running:
sudo systemctl status mysql
You should see active (running) in the output. Check the installed version:
mysql --version
At this point MySQL is installed and running, but not yet hardened. The next step is critical for any system accessible beyond local development.
How do I secure my installation?
The mysql_secure_installation script hardens a fresh MySQL deployment by removing default insecure settings. Run it immediately after installation:
sudo mysql_secure_installation
Script prompts explained:
VALIDATE PASSWORD component: The script asks whether to enable password validation. This enforces password strength requirements:
- LOW (0): Passwords must be at least 8 characters
- MEDIUM (1): Adds mixed case, numbers, and special characters
- STRONG (2): Also requires that passwords not match dictionary words
For production, select MEDIUM or STRONG.
Root password step (skipped): On Ubuntu 26.04, the MySQL root account uses auth_socket authentication by default. The script skips the root password prompt because you can log in with sudo mysql. If you later want password-based authentication for root, use ALTER USER.
Remove anonymous users: Answer Yes to remove anonymous accounts that allow anyone to connect without a dedicated user.
Disallow root login remotely: Answer Yes to ensure root can only connect from localhost.
Remove the test database: Answer Yes to drop the default test database intended for testing only.
Reload privilege tables: Answer Yes to apply all changes immediately.
Your MySQL installation is now hardened.
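To confirm the prompts above took effect, the following added example (not part of the original guide) audits the account rows of mysql.user for anonymous users, non-local root entries, root accounts that no longer use auth_socket, and wildcard hosts. The function names, finding labels and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit account rows after mysql_secure_installation.
# Input: tab-separated user, host, plugin rows, for example from
#   sudo mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"

audit_accounts() {
    awk -F '\t' '
        function is_local(h) { return h == "localhost" || h == "127.0.0.1" || h == "::1" }
        # Anonymous account: empty user name.
        $1 == ""                            { print "ANON\t" $1 "@" $2; next }
        # root reachable from anything other than the local host.
        $1 == "root" && !is_local($2)       { print "REMOTE_ROOT\troot@" $2; next }
        # Local root that was switched away from socket authentication.
        $1 == "root" && $3 != "auth_socket" { print "ROOT_NOT_AUTH_SOCKET\troot@" $2; next }
        # Any other account whose host pattern contains a wildcard.
        index($2, "%") > 0                  { print "WILDCARD_HOST\t" $1 "@" $2 }
    '
}

# Constructed sample rows (not output from a real server).
sample_users() {
    printf 'root\tlocalhost\tauth_socket\n'
    printf '\tlocalhost\tcaching_sha2_password\n'
    printf 'root\t%%\tcaching_sha2_password\n'
    printf 'app_admin\tlocalhost\tcaching_sha2_password\n'
    printf 'app_admin\t192.168.1.%%\tcaching_sha2_password\n'
    printf 'mysql.sys\tlocalhost\tcaching_sha2_password\n'
}

# Demo on the constructed rows; an empty result means no findings.
sample_users | audit_accounts
```

On a live server, pipe the query shown in the header comment into audit_accounts instead of the sample rows.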
How do I manage users and databases?
Never use the root account for applications. Create dedicated users with limited privileges.
Connect as Root
sudo mysql
The sudo mysql command opens the MySQL shell with root privileges using auth_socket authentication.
Create a Database
CREATE DATABASE app_db;
Create a Dedicated User
CREATE USER 'app_admin'@'localhost' IDENTIFIED BY 'Your_Strong_P@ssw0rd';
The 'localhost' portion restricts this user to local connections only.
How do I grant privileges?
GRANT ALL PRIVILEGES ON app_db.* TO 'app_admin'@'localhost';
FLUSH PRIVILEGES;
This grants all privileges on app_db only, not the entire MySQL server.
Test the New User
Exit the MySQL shell (EXIT;), then test the new user:
mysql -u app_admin -p
Enter the password when prompted. Verify access:
SHOW DATABASES;
You should see app_db listed.
MySQL vs MariaDB: MariaDB is a community-developed fork of MySQL that maintains compatibility with MySQL protocols. Both are available in Ubuntu 26.04. MariaDB includes additional storage engines, while MySQL follows Oracle’s development roadmap. For most applications, they are interchangeable.
How do I configure remote access?
By default, MySQL listens only on 127.0.0.1. To allow remote connections, modify the configuration and firewall.
Exposing MySQL to the network increases your attack surface. Only enable remote access when necessary, and always restrict connections to specific IP addresses.
Edit MySQL Configuration
Open the MySQL daemon configuration file:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
Change the bind-address directive:
bind-address = 0.0.0.0
For more restrictive binding, specify a particular IP address instead of 0.0.0.0.
If your remote clients use the MySQL X Protocol (port 33060), also update:
mysqlx-bind-address = 0.0.0.0
Restart MySQL:
sudo systemctl restart mysql
Create a Remote User
Create a user that specifies the remote IP address:
sudo mysql
CREATE USER 'app_admin'@'192.168.1.72' IDENTIFIED BY 'Your_Strong_P@ssw0rd';
GRANT ALL PRIVILEGES ON app_db.* TO 'app_admin'@'192.168.1.72';
FLUSH PRIVILEGES;
Replace 192.168.1.72 with the client’s actual IP. For broader subnet access, use a wildcard like '192.168.1.%' (less secure).
Open Firewall
Allow MySQL port for a specific IP:
sudo ufw allow from 192.168.1.72 to any port 3306
Verify the rule:
sudo ufw status
Test Remote Connection
From the remote client:
mysql -u app_admin -p -h server-ip
TLS Connection Error: MySQL 8+ enables TLS by default with auto-generated self-signed certificates. You may encounter:
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
MariaDB client: Use --skip-ssl
mysql -u app_admin -p -h server-ip --skip-ssl
MySQL client: Use --ssl-mode=DISABLED
mysql -u app_admin -p -h server-ip --ssl-mode=DISABLED
Check your client with mysql --version. Both options turn TLS off for the connection, so the session is not encrypted. For production, copy the server’s CA certificate (/var/lib/mysql/ca.pem) to the client and connect with --ssl-ca=/path/to/ca.pem to maintain encrypted connections.
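A read-only check for the bind-address and mysqlx-bind-address changes described above, added here as an example (not part of the original guide): it classifies each listener in a mysqld option file as loopback, a specific address, or all interfaces. It assumes MySQL's built-in default of all interfaces when a directive is absent or commented out; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the listeners a mysqld option file exposes.
# Assumption: only the file given (or stdin) is parsed; other option
# files and command-line flags can still override it.

listener_exposure() {   # usage: listener_exposure /etc/mysql/mysql.conf.d/mysqld.cnf
    awk '
        # Server default when a directive is absent or commented out: all interfaces.
        BEGIN { v["bind-address"] = "*"; v["mysqlx-bind-address"] = "*" }
        { sub(/[#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }      # drop comments, trim
        $0 == "" || /^;/ { next }
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }         # track the section
        in_mysqld && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/_/, "-", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key in v) v[key] = val                         # last occurrence wins
        }
        END {
            n = split("bind-address mysqlx-bind-address", keys, " ")
            for (i = 1; i <= n; i++) {
                val = v[keys[i]]; state = "SPECIFIC"
                if (val == "*" || val == "0.0.0.0" || val == "::") state = "ALL_INTERFACES"
                if (val == "127.0.0.1" || val == "::1" || val == "localhost") state = "LOOPBACK"
                print keys[i] "\t" val "\t" state
            }
        }
    ' "$@"
}

# Constructed sample: classic port opened everywhere, X Protocol line commented out.
sample_exposed_cnf() {
    printf '[mysqld]\nuser = mysql\n'
    printf 'bind-address = 0.0.0.0   # changed for remote access\n'
    printf '# mysqlx-bind-address = 127.0.0.1\n'
}

# Constructed sample: one server address (made up), X Protocol on loopback.
sample_restricted_cnf() {
    printf '[mysqld]\nbind_address = 192.168.1.10\n'
    printf 'mysqlx-bind-address = 127.0.0.1\n'
    printf '[client]\nbind-address = 0.0.0.0\n'   # not a server setting, ignored
}

sample_exposed_cnf | listener_exposure
sample_restricted_cnf | listener_exposure
```

In the first sample the commented-out mysqlx-bind-address line is reported as ALL_INTERFACES, because removing the directive falls back to the server default rather than to loopback.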
Summary
- Install MySQL with sudo apt install mysql-server
- Harden with sudo mysql_secure_installation (remove anonymous users, disable remote root, drop test database)
- Create dedicated users with CREATE USER and grant limited privileges
- Use auth_socket for root access via sudo mysql
- Configure remote access by editing bind-address in /etc/mysql/mysql.conf.d/mysqld.cnf
- Restrict firewall rules to specific IP addresses with ufw allow from ip to any port 3306
FAQ
How do I check which version of MySQL is installed?
Run mysql --version or mysqld --version. This displays the exact version number and build information.
What is the difference between MySQL and MariaDB?
MariaDB is a community-developed fork of MySQL maintaining compatibility with MySQL protocols. MariaDB includes additional storage engines and features, while MySQL follows Oracle’s development roadmap. For most applications, they are interchangeable.
How do I reset a forgotten MySQL root password?
Stop MySQL with sudo systemctl stop mysql, start in safe mode with sudo mysqld_safe --skip-grant-tables &, connect with mysql -u root, run ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewPassword';, then restart normally. On Ubuntu with auth_socket, you can simply run sudo mysql without a password.
Can I run MySQL and MariaDB simultaneously?
No, MySQL and MariaDB conflict because they share port 3306 and many file paths. You must choose one or manually configure separate ports and data directories (not recommended).