Tools: How To Install and Secure MariaDB on Ubuntu
Source: DigitalOcean
MariaDB is an open-source relational database management system and a popular drop-in replacement for MySQL. Created by Michael “Monty” Widenius, one of the original MySQL developers, MariaDB maintains full compatibility with MySQL while offering performance improvements, additional storage engines, and a commitment to remaining open source. It is commonly used as the database component of the LAMP (Linux, Apache, MySQL/MariaDB, PHP/Python/Perl) stack and LEMP (Linux, Nginx, MySQL/MariaDB, PHP) stack.

This tutorial walks you through installing MariaDB on an Ubuntu server, securing the installation, creating an administrative user with password authentication, and verifying that the database server is running correctly. You will also find troubleshooting tips and security best practices for production deployments.

Tested on Ubuntu 20.04, 22.04, and 24.04. The commands in this guide work across all currently supported Ubuntu LTS releases. The default MariaDB version in the Ubuntu repository varies by release: Ubuntu 20.04 ships MariaDB 10.3, Ubuntu 22.04 ships MariaDB 10.6, and Ubuntu 24.04 ships MariaDB 10.11. All installation and configuration steps remain the same regardless of the Ubuntu version or MariaDB version you receive from the default repositories.

The quick version of this installation consists of three steps:

To follow this tutorial, you will need a server running Ubuntu (20.04, 22.04, or 24.04). This server should have a non-root administrative user and a firewall configured with UFW. Set this up by following the initial server setup guide for Ubuntu. If you are working with firewall rules for the first time, the How To Set Up a Firewall with UFW on Ubuntu tutorial covers everything you need.

Ubuntu’s default APT repositories include MariaDB. The version depends on your Ubuntu release:

Note: If you need a newer MariaDB version than what your Ubuntu release provides by default, you can add the official MariaDB repository for your Ubuntu version.
For most use cases, the version from Ubuntu’s default repository works well.

First, update the package index on your server with apt:

Then install the package:

This installs the MariaDB server along with the client tools (mariadb, mysqladmin, mysqldump, and others) that you will use to interact with the database.

Start MariaDB if it is not already running:

Enable MariaDB to start automatically on boot:

The default configuration leaves your MariaDB installation without a root password and with some insecure defaults. The next step addresses that with the included security script.

For new MariaDB installations, the next step is to run the included security script. This script changes several less secure default options, including removing remote root logins and sample users.

Run the security script:

This takes you through a series of prompts where you can make changes to your MariaDB installation’s security options. The first prompt asks for the current database root password. Since you have not set one up yet, press ENTER to indicate “none”.

The next prompt asks whether you want to set up a database root password. On Ubuntu, the root account for MariaDB is tied closely to automated system maintenance, so you should not change the configured authentication methods for that account. Doing so could allow a package update to break the database system by removing access to the administrative account. Type N and then press ENTER.

Later in this tutorial, you will cover how to set up a separate administrative account for password access if socket authentication is not appropriate for your use case.

From there, you can press Y and then ENTER to accept the defaults for all the subsequent questions. This will remove some anonymous users and the test database, disable remote root logins, and load these new rules so that MariaDB immediately implements the changes you have made.
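One way to confirm what the security script's prompts changed, and to repeat the periodic account review recommended later in this guide, as an added example that is not part of the original tutorial. The function names and the sample rows are constructed for illustration; the two client queries in the comments are the assumed way to produce the input.

```shell
#!/bin/sh
# Added example: look for the defaults that the security script removes
# (anonymous accounts, remote root logins, the test database) and for
# accounts that accept connections from wildcard hosts.
# Assumed input, produced on the database host:
#   sudo mariadb -N -B -e "SELECT User, Host FROM mysql.user" | audit_accounts
#   sudo mariadb -N -B -e "SHOW DATABASES"                    | audit_databases

# Reads tab-separated "User<TAB>Host" rows, prints one finding per line.
audit_accounts() {
    awk -F '\t' '
        function is_local(h) {
            return h == "localhost" || h == "127.0.0.1" || h == "::1"
        }
        $1 == ""                      { print "ANONYMOUS <empty>@" $2; next }
        $1 == "root" && !is_local($2) { print "REMOTE_ROOT root@" $2; next }
        $2 == "%"                     { print "ANY_HOST " $1 "@" $2; next }
        index($2, "%") > 0            { print "HOST_PATTERN " $1 "@" $2 }
    '
}

# Reads database names, one per line, and flags the sample "test" database.
audit_databases() {
    awk '$0 == "test" { print "TEST_DB " $0 }'
}

# Constructed sample rows (not taken from a real server).
sample_accounts() {
    printf 'root\tlocalhost\n'
    printf 'root\t%%\n'
    printf '\tlocalhost\n'
    printf 'admin\tlocalhost\n'
    printf 'app\t%%\n'
    printf 'report\t10.0.0.%%\n'
    printf 'mariadb.sys\tlocalhost\n'
}
sample_databases() { printf 'information_schema\nmysql\ntest\n'; }

sample_accounts | audit_accounts
sample_databases | audit_databases
```

An empty result from both functions means the script's cleanup is still in effect; any ANY_HOST or HOST_PATTERN row is an account to justify or remove during the account review.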
On Ubuntu, MariaDB uses unix_socket authentication for the root user by default instead of password-based authentication. This means the database identifies you by your operating system username and the socket connection rather than requiring a password. When you run sudo mariadb, your system sends your OS credentials over the Unix socket, and MariaDB grants access if those credentials match a valid database user.

This approach has several benefits:

For interactive use and remote access, create a separate user with password authentication, which Step 3 covers.

On Ubuntu systems running MariaDB, the root MariaDB user is set to authenticate using the unix_socket plugin by default rather than with a password. This allows for greater security and usability in many cases, but it can also complicate things when you need to allow an external program (such as phpMyAdmin or a web application) administrative rights.

Because the server uses the root account for tasks like log rotation and starting and stopping the server, it is best not to change the root account’s authentication details. Changing credentials in the /etc/mysql/debian.cnf configuration file may work initially, but package updates could potentially overwrite those changes. Instead of modifying the root account, the package maintainers recommend creating a separate administrative account for password-based access.

To do this, create a new account called admin with the same capabilities as the root account, but configured for password authentication. Open up the MariaDB prompt from your terminal:

Then create a new user with root privileges and password-based access. Change the username and password to match your preferences:

Flush the privileges to ensure that they are saved and available in the current session:

Following this, exit the MariaDB shell:

Finally, test the MariaDB installation. When installed from the default repositories, MariaDB starts running automatically.
To test this, check its status:

You will receive output similar to the following:

If MariaDB is not running, you can start it with the command sudo systemctl start mariadb.

For an additional check, try connecting to the database using the mysqladmin tool, which is a client that lets you run administrative commands. For example, this command connects to MariaDB as root using the Unix socket and returns the version:

You will receive output similar to this:

If you configured a separate administrative user with password authentication, you can perform the same operation by typing:

This confirms that MariaDB is up and running and that your user is able to authenticate successfully.

Once MariaDB is installed and running, here are essential commands for day-to-day management:

To check which version of MariaDB is installed on your system:

To see all active databases:

Beyond the mysql_secure_installation script, there are additional steps to harden your MariaDB server for a production environment.

By default, MariaDB listens only on localhost (127.0.0.1), which means it does not accept remote connections. You can verify this by checking the bind-address directive in the MariaDB configuration:

If you need remote database access, change the bind-address to your server’s private IP address (not 0.0.0.0 in production) and configure your firewall to allow connections only from trusted IP addresses:

Warning: Setting bind-address to 0.0.0.0 exposes your database to the entire internet. Always restrict access to specific IP addresses or private network ranges in production.

Periodically review which user accounts have access to your database:

Remove any accounts that are no longer needed:

The slow query log helps you identify queries that take too long to run, which is useful for performance tuning:

This logs any query that takes longer than 2 seconds. Check the log location with:

Here are solutions for problems you may encounter during or after installation.
If MariaDB does not start, check the error log:

Common causes include:

If you receive “Access denied” errors:

If the plugin shows unix_socket, you must use sudo mariadb to connect as root.

If the security script fails, it is often because the MariaDB service is not running. Start it first:

Since MariaDB is a fork of MySQL, you may wonder which one to use. Here is a quick comparison:

For most Ubuntu server deployments, MariaDB is the recommended choice. It ships in the default repositories, receives timely security updates, and maintains compatibility with MySQL tools and libraries. If you are building a LAMP stack, MariaDB works as a direct substitute for MySQL.

Yes. MariaDB was designed to be fully compatible with MySQL at the protocol and API level. Applications that work with MySQL will work with MariaDB without code changes. The mysql command-line client, mysqldump, and libraries like MySQL Connector work with both. MariaDB also supports the same SQL syntax, data types, and replication protocols.

If you use unix_socket authentication (the Ubuntu default), you do not need a root password. Connect with sudo mariadb instead. If you set a root password and forgot it, follow the How To Reset Your MySQL or MariaDB Root Password guide, which walks you through stopping the service, starting it without permission checks, and resetting the password.

Ubuntu configures MariaDB to use unix_socket authentication for the root account so that system maintenance tasks (log rotation, package upgrades, automated backups) work without storing a database password in plain text. This is more secure because it ties database access to your operating system user permissions. Only users who can run sudo can access the MariaDB root account.

Run mariadb --version or connect to the database and run SELECT VERSION();. The output shows the version number, such as 10.6.16-MariaDB on Ubuntu 22.04 or 10.11.6-MariaDB on Ubuntu 24.04.

No.
The MariaDB and MySQL packages on Ubuntu conflict because they provide the same files and use the same port (3306). You can install one or the other, but not both simultaneously. If you need to migrate between them, use mysqldump to export and import your databases.

In this guide, you installed MariaDB on Ubuntu, secured it using the mysql_secure_installation script, and learned how the unix_socket authentication model works on Ubuntu. You also had the option to create a separate administrative user with password authentication, and you tested the MariaDB server to verify everything is working. Beyond the basics, this guide covered essential administration commands, production security hardening, troubleshooting common issues, and how MariaDB compares to MySQL.

Now that you have a running and secure MariaDB server, here are some resources to continue building on your setup:

It’s recommended to run “FLUSH PRIVILEGES;” right away “mysql_secure_installation” step to apply your new root password.

After installing mariadb-server, you may actually have to start it (via sudo systemctl start mariadb.service) before running sudo mysql_secure_installation.

Nice tutorial, but why don't you explain how to access the database from an external client? 90% this will be a use case. Please complete your information!
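
The bind-address check from the hardening section of the tutorial, as an added example that is not part of the original tutorial or its comments. It reads option-file text and reports how exposed the effective setting is; the function names and the sample configuration are constructed, and the set of server groups it reads is an assumption you may need to extend.

```shell
#!/bin/sh
# Added example: report how exposed a MariaDB bind-address setting is.
# Pipe in the option files your server reads, concatenated in load order.

# Prints the effective bind-address found in the server groups on stdin.
# The last assignment wins; "unset" means no bind-address line was found.
effective_bind() {
    awk '
        /^[ \t]*[#;]/ { next }                        # full-line comments
        /^[ \t]*\[/ {                                 # group header, e.g. [mysqld]
            g = tolower($0); gsub(/[^a-z0-9._-]/, "", g)
            srv = (g == "mysqld" || g == "mariadb" || g == "mariadbd" || g == "server")
            next
        }
        srv {
            line = $0; sub(/[ \t]*#.*$/, "", line)    # drop trailing comment
            n = index(line, "="); if (!n) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/_/, "-", key)   # bind_address = bind-address
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "bind-address") addr = val
        }
        END { print (addr == "" ? "unset" : addr) }
    '
}

# Maps an address to an exposure class. With no bind-address line the server
# uses its built-in default and listens on all interfaces.
classify_bind() {
    case "$1" in
        127.*|::1|localhost) echo loopback ;;
        0.0.0.0|::|unset) echo all-interfaces ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public-or-unknown ;;
    esac
}

audit_bind() { a=$(effective_bind); echo "$a $(classify_bind "$a")"; }

# Constructed sample configuration (not taken from a real server).
sample_cnf() {
    cat <<'EOF'
[client]
bind-address = 203.0.113.9
[mysqld]
# bind-address = 0.0.0.0
bind-address = 127.0.0.1
[mariadb]
bind_address = 10.10.0.5   # private interface for the app tier
EOF
}

sample_cnf | audit_bind
```

A result of `private` still needs the firewall rule the tutorial describes, limiting port 3306 to trusted source addresses; `all-interfaces` or `public-or-unknown` is the case the tutorial's warning is about.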