Install MySQL Server with Secure Configuration on Linux VMs (2026 Guide)

Sunny Smith, Co-Founder, Massed Compute June 2026

Deploy MySQL Server 8 with production-ready security defaults including anonymous user removal, test database cleanup, localhost-only binding, and proper application user scoping on Ubuntu VMs.

MySQL Database Ubuntu Security Server Setup

🤖 AI Agent Available

This entire setup runs as a tested, machine-readable recipe in the Massed Compute MCP. Skip the manual steps and deploy with natural language commands.

MySQL remains one of the most popular relational databases for web applications, but default installations often leave security gaps. This guide walks through installing MySQL Server 8 on Ubuntu 24.04 with proper security hardening: removing anonymous accounts, dropping test databases, restricting root access to localhost, and creating scoped application users.

You’ll get a production-ready MySQL instance that binds only to localhost, runs behind UFW firewall protection, and follows MySQL security best practices from day one.

Technology Stack

Component	Version	Purpose
MySQL Server	8.0	Relational database engine
Ubuntu Server	24.04 LTS	Operating system
UFW	Default	Uncomplicated firewall

Requirements

Resource	Minimum	Recommended
vCPU	2 cores	4+ cores
RAM	4 GB	8+ GB
Storage	20 GB	100+ GB SSD
OS	Ubuntu 24.04	Ubuntu 24.04 LTS

Live Pricing

Massed Compute VM Pricing

Pricing fetched from the Massed Compute inventory API on June 18, 2026.
SKU	Description	vCPU	RAM	Storage	Price	Capacity
`cpu_mini_amd_epyc`	Mini AMD EPYC	8	32 GiB	400 GB	$0.12/hr	38
`cpu_small_amd_epyc`	Small AMD EPYC	14	40 GiB	800 GB	$0.22/hr	38
`cpu_medium_amd_epyc`	Medium AMD EPYC	28	80 GiB	1600 GB	$0.44/hr	20
`cpu_large_amd_epyc`	Large AMD EPYC	52	160 GiB	3200 GB	$0.82/hr	8
`cpu_x_large_amd_epyc`	X-Large AMD EPYC	100	320 GiB	6400 GB	$1.56/hr	4
`cpu_dedicated_amd_epyc`	Dedicated AMD EPYC	126	440 GiB	10000 GB	$1.98/hr	3

The cpu_mini_amd_epyc instance provides ample resources for development and small production MySQL workloads at $0.12/hr.

Step-by-Step Deployment

Launch Ubuntu VM

Create a new Ubuntu 24.04 VM in the Massed Compute console:

Image: Ubuntu Server 24.04
Instance: cpu_mini_amd_epyc or larger
Region: Select any available region
SSH Key: Attach your public key for access

Wait for the VM to reach Running status before proceeding.

Set Environment Variables

Define your database configuration locally. Replace these values with your actual requirements:

DB_NAME='your_app_db'
DB_USER='app_user'
DB_PASSWORD='your_secure_app_password_16_chars_min'
MYSQL_ROOT_PASSWORD='your_secure_root_password_16_chars_min'
SSH_USER='ubuntu'
SSH_HOST='YOUR_VM_IP'
SSH_PRIVATE_KEY_PATH='~/.ssh/your_key'

Security Note: Use strong passwords with at least 16 characters. Database names and usernames should contain only letters, digits, and underscores.

Install and Configure MySQL

Run this command from your local workstation to install MySQL with security hardening:

ssh -i $SSH_PRIVATE_KEY_PATH $SSH_USER@$SSH_HOST 'bash -s' <<'REMOTE'
set -euo pipefail

# Use your actual values here
DB_NAME='your_app_db'
DB_USER='app_user'
DB_PASSWORD='your_secure_app_password_16_chars_min'
MYSQL_ROOT_PASSWORD='your_secure_root_password_16_chars_min'

export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y mysql-server ufw

# Configure firewall
sudo ufw allow OpenSSH
sudo ufw --force enable

# Bind MySQL to localhost only
sudo sed -i "s/^bind-address.*/bind-address = 127.0.0.1/" /etc/mysql/mysql.conf.d/mysqld.cnf
sudo systemctl enable --now mysql
sudo systemctl restart mysql

# Security hardening and user setup
sudo mysql <


        This script performs several security tasks:
        
          Sets a strong root password
          Removes anonymous user accounts
          Drops the test database
          Restricts root access to localhost only
          Creates your application database and user
          Configures UFW firewall with SSH access


    
    
      4
      
        Verify Installation
        Test the MySQL installation and security configuration:
        ssh -i $SSH_PRIVATE_KEY_PATH $SSH_USER@$SSH_HOST 'bash -s' <<'REMOTE'
set -euo pipefail

# Use your actual values here
DB_NAME='your_app_db'
DB_USER='app_user'
DB_PASSWORD='your_secure_app_password_16_chars_min'
MYSQL_ROOT_PASSWORD='your_secure_root_password_16_chars_min'

# Test application user access
mysql -u"$DB_USER" -p"$DB_PASSWORD" -h 127.0.0.1 "$DB_NAME" -e \
  "CREATE TABLE IF NOT EXISTS recipe_smoke(id int primary key);
   INSERT IGNORE INTO recipe_smoke VALUES (1);
   SELECT COUNT(*) AS rows_ok FROM recipe_smoke;"

# Verify security cleanup
mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -NBe \
  "SELECT COUNT(*) FROM mysql.user WHERE User='' OR (User='root' AND Host NOT IN ('localhost'));" | grep -qx '0'

# Check service status
sudo systemctl is-active --quiet mysql
sudo ufw status | grep -q '^Status: active'
sudo ss -ltnp | grep -E '127\.0\.0\.1:3306'

echo MYSQL_SMOKE_OK
REMOTE
        If all checks pass, you'll see MYSQL_SMOKE_OK output. This confirms:
        
          Application user can create tables and insert data
          No anonymous or remote root accounts exist
          MySQL service is active
          UFW firewall is enabled
          MySQL binds only to localhost (127.0.0.1:3306)
        
      
    
    
    Troubleshooting
    
    Root Access Denied
    If you get "Access denied" errors for the root user after configuration, make sure you're using the correct password and connecting as root:
    mysql -uroot -p
    Enter your MYSQL_ROOT_PASSWORD when prompted.
    
    Application User Login Issues
    Application users must connect to 127.0.0.1 or localhost. Verify the connection string includes the correct host:
    mysql -u app_user -p -h 127.0.0.1 your_app_db
    
    Remote Access Requirements
    This configuration restricts MySQL to localhost connections for security. If you need remote access:
    
      Consider using an application proxy or VPN instead
      For direct access, create host-specific users and add UFW rules for trusted IPs only
      Never expose MySQL with default root credentials to the internet
    
    
    Firewall Blocking Connections
    UFW blocks all incoming connections by default except SSH. Check the firewall status:
    sudo ufw status verbose
    
    Skip All of This: Deploy with an AI Agent
    
    This entire MySQL setup guide exists as a tested, machine-readable recipe in the Massed Compute MCP. Instead of running each command manually, you can deploy with natural language through an AI agent.
    
    Add this server config to your MCP-compatible AI client:
    
    {
  "mcpServers": {
    "massed-compute": {
      "type": "http",
      "url": "https://vm.massedcompute.com/api/mcp",
      "headers": { "Authorization": "Bearer MC_TOKEN" }
    }
  }
}
    
    Then say:
    
    
      "Set up a secure MySQL server on Ubuntu with localhost binding, firewall protection, and a database called 'myapp' with user 'app_user'. Use a Mini AMD EPYC instance."
    
    
    The agent will match your request against the recipe catalog, provision the right VM shape, run the installation and security hardening steps above, and report back with connection details. If any step fails, the agent stops and shows you exactly what went wrong.
    
    This recipe was last tested on June 10, 2026 with a cpu_mini_amd_epyc instance running Ubuntu 24.04.
    
    
      Ready to Deploy MySQL?
      Launch your secure MySQL database server in minutes with Massed Compute's high-performance AMD EPYC instances.
      Think it. Build it. Scale it.
      
        Start Building
        View Pricing
      
    
    
    Quick Setup Reference
    
    For experienced users, here's the essential command sequence:
    
    # 1. Launch Ubuntu 24.04 VM with SSH key
# 2. Set your variables: DB_NAME, DB_USER, DB_PASSWORD, MYSQL_ROOT_PASSWORD
# 3. Install and secure:
sudo apt-get update && sudo apt-get install -y mysql-server ufw
sudo ufw allow OpenSSH && sudo ufw --force enable
sudo sed -i "s/^bind-address.*/bind-address = 127.0.0.1/" /etc/mysql/mysql.conf.d/mysqld.cnf
sudo systemctl enable --now mysql && sudo systemctl restart mysql

# 4. Run MySQL security script with your variables
# 5. Test with: mysql -u app_user -p -h 127.0.0.1 your_app_db
    
    Frequently Asked Questions
    
    
      01Can I change the MySQL root password after installation?
      Yes, connect as root and run: ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password'; Make sure to use a strong password with at least 16 characters.
    
    
    
      02How do I create additional database users?
      Connect as root and run: CREATE USER 'username'@'localhost' IDENTIFIED BY 'password'; GRANT privileges ON database.* TO 'username'@'localhost'; FLUSH PRIVILEGES; Replace 'privileges' with specific permissions like SELECT, INSERT, UPDATE, DELETE.
    
    
    
      03Is this configuration suitable for production?
      Yes, this setup includes production security practices: localhost binding, firewall protection, anonymous user removal, and strong authentication. Consider additional monitoring, backup strategies, and performance tuning for high-traffic applications.
    
    
    
      04How do I back up my MySQL databases?
      Use mysqldump for logical backups: mysqldump -u root -p database_name > backup.sql For automated backups, consider setting up cron jobs or using MySQL Enterprise Backup for physical backups.
    
    
    
      05What if I need to allow remote connections?
      Modify /etc/mysql/mysql.conf.d/mysqld.cnf to bind to 0.0.0.0, create users with specific host restrictions like 'user'@'specific.ip.address', and configure UFW to allow port 3306 from trusted IPs only. Avoid exposing MySQL to the entire internet.