How To Install and Secure MariaDB on Ubuntu

MariaDB is an open-source relational database management system and a popular drop-in replacement for MySQL. Created by Michael “Monty” Widenius, one of the original MySQL developers, MariaDB maintains full compatibility with MySQL while offering performance improvements, additional storage engines, and a commitment to remaining open source. It is commonly used as the database component of the LAMP (Linux, Apache, MySQL/MariaDB, PHP/Python/Perl) stack and LEMP (Linux, Nginx, MySQL/MariaDB, PHP) stack.

This tutorial walks you through installing MariaDB on an Ubuntu server, securing the installation, creating an administrative user with password authentication, and verifying that the database server is running correctly. You will also find troubleshooting tips and security best practices for production deployments.

The quick version of this installation consists of three steps:

• Update your package index using apt
• Install the mariadb-server package using apt. The package also pulls in related tools to interact with MariaDB
• Run the included mysql_secure_installation security script to restrict access to the server

sudo apt update
sudo apt install mariadb-server
sudo mysql_secure_installation

• MariaDB installs from Ubuntu’s default repositories with sudo apt install mariadb-server on Ubuntu 20.04, 22.04, and 24.04.
• Always run mysql_secure_installation after installing to remove anonymous users, disable remote root login, and drop the test database.
• On Ubuntu, the MariaDB root account uses unix_socket authentication by default, meaning you log in with sudo mariadb rather than a password. This is more secure for local administration.
• Create a separate administrative user with password authentication for applications or tools like phpMyAdmin that need password-based database access.
• Use systemctl commands to manage the MariaDB service: start, stop, restart, and status.

To follow this tutorial, you will need a server running Ubuntu (20.04, 22.04, or 24.04). This server should have a non-root administrative user and a firewall configured with UFW. Set this up by following the initial server setup guide for Ubuntu.

If you are working with firewall rules for the first time, the How To Set Up a Firewall with UFW on Ubuntu tutorial covers everything you need.

Ubuntu’s default APT repositories include MariaDB. The version depends on your Ubuntu release:

First, update the package index on your server with apt:

sudo apt update

Then install the package:

sudo apt install mariadb-server

This installs the MariaDB server along with the client tools (mariadb, mysqladmin, mysqldump, and others) that you will use to interact with the database.

Start MariaDB if it is not already running:

sudo systemctl start mariadb.service

Enable MariaDB to start automatically on boot:

sudo systemctl enable mariadb.service

The default configuration leaves your MariaDB installation without a root password and with some insecure defaults. The next step addresses that with the included security script.

For new MariaDB installations, the next step is to run the included security script. This script changes several less secure default options, including removing remote root logins and sample users.

Run the security script:

sudo mysql_secure_installation

This takes you through a series of prompts where you can make changes to your MariaDB installation’s security options. The first prompt asks for the current database root password. Since you have not set one up yet, press ENTER to indicate “none”.

Output
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 

The next prompt asks whether you want to set up a database root password. On Ubuntu, the root account for MariaDB is tied closely to automated system maintenance, so you should not change the configured authentication methods for that account. Doing so could allow a package update to break the database system by removing access to the administrative account. Type N and then press ENTER.

Output
. . .
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] N

Later in this tutorial, you will cover how to set up a separate administrative account for password access if socket authentication is not appropriate for your use case.

From there, you can press Y and then ENTER to accept the defaults for all the subsequent questions. This will remove some anonymous users and the test database, disable remote root logins, and load these new rules so that MariaDB immediately implements the changes you have made.

Understanding unix_socket Authentication

On Ubuntu, MariaDB uses unix_socket authentication for the root user by default instead of password-based authentication. This means the database identifies you by your operating system username and the socket connection rather than requiring a password.

When you run sudo mariadb, your system sends your OS credentials over the Unix socket, and MariaDB grants access if those credentials match a valid database user. This approach has several benefits:

• No database password can be brute-forced for the root account
• System-level access controls (who can run sudo) protect the database
• Automated maintenance scripts like logrotate and package upgrades continue to work without storing passwords in configuration files

For interactive use and remote access, create a separate user with password authentication, which Step 3 covers.

On Ubuntu systems running MariaDB, the root MariaDB user is set to authenticate using the unix_socket plugin by default rather than with a password. This allows for greater security and usability in many cases, but it can also complicate things when you need to allow an external program (such as phpMyAdmin or a web application) administrative rights.

Because the server uses the root account for tasks like log rotation and starting and stopping the server, it is best not to change the root account’s authentication details. Changing credentials in the /etc/mysql/debian.cnf configuration file may work initially, but package updates could potentially overwrite those changes. Instead of modifying the root account, the package maintainers recommend creating a separate administrative account for password-based access.

To do this, create a new account called admin with the same capabilities as the root account, but configured for password authentication. Open up the MariaDB prompt from your terminal:

sudo mariadb

Then create a new user with root privileges and password-based access. Change the username and password to match your preferences:

GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

Flush the privileges to ensure that they are saved and available in the current session:

FLUSH PRIVILEGES;

Following this, exit the MariaDB shell:

exit

Finally, test the MariaDB installation.

When installed from the default repositories, MariaDB starts running automatically. To test this, check its status:

sudo systemctl status mariadb

You will receive output similar to the following:

Output
● mariadb.service - MariaDB 10.6.16 database server
     Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2026-02-26 13:38:18 UTC; 3min 55s ago
       Docs: man:mysqld(8)
             https://mariadb.com/kb/en/library/systemd/
   Main PID: 25914 (mysqld)
     Status: "Taking your SQL requests now..."
      Tasks: 31 (limit: 2345)
     Memory: 65.6M
     CGroup: /system.slice/mariadb.service
             └─25914 /usr/sbin/mysqld
. . .

If MariaDB is not running, you can start it with the command sudo systemctl start mariadb.

For an additional check, try connecting to the database using the mysqladmin tool, which is a client that lets you run administrative commands. For example, this command connects to MariaDB as root using the Unix socket and returns the version:

sudo mysqladmin version

You will receive output similar to this:

Output
mysqladmin  Ver 9.1 Distrib 10.6.16-MariaDB, for debian-linux-gnu on x86_64
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Server version  10.6.16-MariaDB-0ubuntu0.22.04.1
Protocol version 10
Connection  Localhost via UNIX socket
UNIX socket  /var/run/mysqld/mysqld.sock
Uptime:   4 min 49 sec

Threads: 7  Questions: 467  Slow queries: 0  Opens: 177  Flush tables: 1  Open tables: 31  Queries per second avg: 1.615

If you configured a separate administrative user with password authentication, you can perform the same operation by typing:

mysqladmin -u admin -p version

This confirms that MariaDB is up and running and that your user is able to authenticate successfully.

Once MariaDB is installed and running, here are essential commands for day-to-day management:

To check which version of MariaDB is installed on your system:

mariadb --version

To see all active databases:

sudo mariadb -e "SHOW DATABASES;"

Beyond the mysql_secure_installation script, there are additional steps to harden your MariaDB server for a production environment.

Restricting Network Access

By default, MariaDB listens only on localhost (127.0.0.1), which means it does not accept remote connections. You can verify this by checking the bind-address directive in the MariaDB configuration:

sudo grep bind-address /etc/mysql/mariadb.conf.d/50-server.cnf

Output
bind-address = 127.0.0.1

If you need remote database access, change the bind-address to your server’s private IP address (not 0.0.0.0 in production) and configure your firewall to allow connections only from trusted IP addresses:

sudo ufw allow from trusted_ip_address to any port 3306

Reviewing User Accounts

Periodically review which user accounts have access to your database:

sudo mariadb -e "SELECT User, Host, plugin FROM mysql.user;"

Remove any accounts that are no longer needed:

DROP USER 'unused_user'@'host';
FLUSH PRIVILEGES;

Enabling the Slow Query Log

The slow query log helps you identify queries that take too long to run, which is useful for performance tuning:

sudo mariadb -e "SET GLOBAL slow_query_log = 'ON'; SET GLOBAL long_query_time = 2;"

This logs any query that takes longer than 2 seconds. Check the log location with:

sudo mariadb -e "SHOW VARIABLES LIKE 'slow_query_log_file';"

Here are solutions for problems you may encounter during or after installation.

MariaDB Fails to Start

If MariaDB does not start, check the error log:

sudo journalctl -u mariadb --no-pager -n 50

Common causes include:

• Port conflict: Another process (such as MySQL) is using port 3306. Check with sudo ss -tlnp | grep 3306.
• Disk space: The data directory (/var/lib/mysql) needs available disk space. Verify with df -h.
• Permission issues: The MariaDB data directory must be owned by the mysql user. Fix with sudo chown -R mysql:mysql /var/lib/mysql.

Cannot Connect to MariaDB

If you receive “Access denied” errors:

1. Verify that MariaDB is running: sudo systemctl status mariadb
2. Try connecting as root with sudo: sudo mariadb
3. Check the authentication plugin for your user:

sudo mariadb -e "SELECT User, Host, plugin FROM mysql.user WHERE User='root';"

If the plugin shows unix_socket, you must use sudo mariadb to connect as root.

mysql_secure_installation Fails with an Error

If the security script fails, it is often because the MariaDB service is not running. Start it first:

sudo systemctl start mariadb
sudo mysql_secure_installation

Since MariaDB is a fork of MySQL, you may wonder which one to use. Here is a quick comparison:

For most Ubuntu server deployments, MariaDB is the recommended choice. It ships in the default repositories, receives timely security updates, and maintains compatibility with MySQL tools and libraries. If you are building a LAMP stack, MariaDB works as a direct substitute for MySQL.

1. Is MariaDB a drop-in replacement for MySQL?

Yes. MariaDB was designed to be fully compatible with MySQL at the protocol and API level. Applications that work with MySQL will work with MariaDB without code changes. The mysql command-line client, mysqldump, and libraries like MySQL Connector work with both. MariaDB also supports the same SQL syntax, data types, and replication protocols.

2. How do I reset the MariaDB root password on Ubuntu?

If you use unix_socket authentication (the Ubuntu default), you do not need a root password. Connect with sudo mariadb instead. If you set a root password and forgot it, follow the How To Reset Your MySQL or MariaDB Root Password guide, which walks you through stopping the service, starting it without permission checks, and resetting the password.

3. Why does MariaDB use unix_socket authentication on Ubuntu?

Ubuntu configures MariaDB to use unix_socket authentication for the root account so that system maintenance tasks (log rotation, package upgrades, automated backups) work without storing a database password in plain text. This is more secure because it ties database access to your operating system user permissions. Only users who can run sudo can access the MariaDB root account.

4. How do I check which version of MariaDB is installed?

Run mariadb --version or connect to the database and run SELECT VERSION();. The output shows the version number, such as 10.6.16-MariaDB on Ubuntu 22.04 or 10.11.6-MariaDB on Ubuntu 24.04.

5. Can I install both MariaDB and MySQL on the same Ubuntu server?

No. The MariaDB and MySQL packages on Ubuntu conflict because they provide the same files and use the same port (3306). You can install one or the other, but not both simultaneously. If you need to migrate between them, use mysqldump to export and import your databases.

In this guide, you installed MariaDB on Ubuntu, secured it using the mysql_secure_installation script, and learned how the unix_socket authentication model works on Ubuntu. You also had the option to create a separate administrative user with password authentication, and you tested the MariaDB server to verify everything is working.

Beyond the basics, this guide covered essential administration commands, production security hardening, troubleshooting common issues, and how MariaDB compares to MySQL.

Now that you have a running and secure MariaDB server, here are some resources to continue building on your setup:

• How To Import and Export Databases in MySQL or MariaDB: Learn to back up and restore your databases using mysqldump.
• An Introduction to Queries in MySQL: Practice writing SQL queries, including SELECT, aggregate functions, and multi-table joins. These queries work identically in MariaDB.
• How To Install the LAMP Stack on Ubuntu: Build a full web application stack with Apache, MariaDB (or MySQL), and PHP.
• How To Install Nginx on Ubuntu: Set up Nginx as your web server and pair it with MariaDB for a LEMP stack.
• How To Install PHP and Set Up a Local Development Environment on Ubuntu: Configure PHP to connect to your MariaDB database for web application development.