MariaDB is a community-developed relational database management system and a drop-in replacement for MySQL. It is fast, scalable, and ships with a rich set of storage engines, plugins, and features that make it suitable for production workloads ranging from small web apps to large-scale enterprise systems.
This guide walks through installing MariaDB on Ubuntu 24.04 and Debian 13 using both default OS repositories and the official MariaDB.org repository. We cover securing the instance, configuring remote access, creating databases and users, firewall rules, binary logging, and backups with mariadb-dump.
Prerequisites
- A server running Ubuntu 24.04 LTS or Debian 13 with at least 1 GB RAM
- Root or sudo access
- Port 3306/TCP (MySQL protocol) open for client connections
- A stable internet connection for package downloads
Step 1: Install MariaDB from Default OS Repositories
Both Ubuntu 24.04 and Debian 13 ship MariaDB in their default repositories. Ubuntu 24.04 provides MariaDB 10.11 LTS, while Debian 13 ships MariaDB 11.8 LTS. If you need the latest LTS version on Ubuntu, skip to Step 2.
Update the package index and install MariaDB server and client packages.
sudo apt update
sudo apt install mariadb-server mariadb-client -y
After installation completes, verify the installed version.
mariadb --version
On Ubuntu 24.04, the output confirms MariaDB 10.11:
mariadb Ver 15.1 Distrib 10.11.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
On Debian 13, you get MariaDB 11.8 directly from the default repository:
mariadb Ver 15.1 Distrib 11.8.6-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
If the default version suits your needs, skip ahead to Step 3. Otherwise, continue to the next step to install the latest MariaDB LTS from the official repository.
Step 2: Install MariaDB from the Official MariaDB.org Repository
The official MariaDB repository provides the latest LTS release – currently MariaDB 11.8. This method is recommended on Ubuntu 24.04 where the default repos only offer 10.11. On Debian 13, the default repos already ship 11.8, so this step is mainly for Ubuntu users.
First, remove any existing MariaDB packages if you installed them from default repos in Step 1.
sudo apt remove mariadb-server mariadb-client --purge -y
sudo apt autoremove -y
Install the required dependencies for adding third-party repositories.
sudo apt install apt-transport-https curl lsb-release -y
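Download the MariaDB GPG signing keyring into /usr/share/keyrings. The repository entry in the next command references it with signed-by, so apt trusts this key only for the MariaDB repository.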
sudo curl -fsSL https://supplychain.mariadb.com/mariadb-keyring-2019.gpg -o /usr/share/keyrings/mariadb-keyring-2019.gpg
Create the MariaDB repository source file. On Ubuntu 24.04, run the following.
echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring-2019.gpg] https://mirror.mariadb.org/repo/11.8/ubuntu noble main" | sudo tee /etc/apt/sources.list.d/mariadb.list
On Debian 13, use the Debian mirror path instead.
echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring-2019.gpg] https://mirror.mariadb.org/repo/11.8/debian trixie main" | sudo tee /etc/apt/sources.list.d/mariadb.list
Update the package cache and install MariaDB.
sudo apt update
sudo apt install mariadb-server mariadb-client mariadb-backup -y
Confirm the installed version is from the MariaDB.org repository.
mariadb --version
The output should show MariaDB 11.8:
mariadb Ver 15.1 Distrib 11.8.6-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
Step 3: Start and Enable MariaDB Service
MariaDB typically starts automatically after installation. Verify the service is running and enable it to start on boot.
sudo systemctl enable --now mariadb
Check the service status to confirm it is active.
sudo systemctl status mariadb
The output should show the service as active and running:
● mariadb.service - MariaDB 11.8.6 database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-03-22 10:15:32 UTC; 2min ago
Docs: man:mariadbd(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 2145 (mariadbd)
Status: "Taking your SQL requests now..."
Tasks: 14 (limit: 4647)
Memory: 82.4M
CPU: 1.234s
CGroup: /system.slice/mariadb.service
└─2145 /usr/sbin/mariadbd
Step 4: Secure MariaDB Installation
MariaDB ships with a security script that locks down the default installation. It removes anonymous users, disables remote root login, drops the test database, and reloads privilege tables. Run it immediately after installation.
sudo mariadb-secure-installation
The script prompts you through several security questions. Here are the recommended answers for a production setup:
Enter current password for root (enter for none): [Press Enter]
Switch to unix_socket authentication [Y/n]: Y
Change the root password? [Y/n]: Y
New password: [Enter a strong password]
Re-enter new password: [Confirm password]
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y
After the script completes, verify you can log in with root using unix socket authentication.
sudo mariadb -u root
You should land at the MariaDB prompt. Run a quick status check.
MariaDB [(none)]> STATUS;
The output confirms the server version, uptime, and connection details:
--------------
mariadb Ver 15.1 Distrib 11.8.6-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
Connection id: 35
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 11.8.6-MariaDB-1:11.8.6+maria~ubu2404
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
UNIX socket: /run/mysqld/mysqld.sock
Uptime: 5 min 22 sec
--------------
Type EXIT; to leave the MariaDB shell.
Step 5: Configure Remote Access
By default, MariaDB only listens on localhost (127.0.0.1). To allow connections from remote clients, you need to change the bind address. This is covered in detail in the MariaDB remote connection guide.
Open the MariaDB configuration file.
sudo vi /etc/mysql/mariadb.conf.d/50-server.cnf
Find the bind-address directive under the [mysqld] section and change it from 127.0.0.1 to 0.0.0.0 to listen on all interfaces. You can also set it to a specific IP if you only want to bind to one network interface.
[mysqld]
bind-address = 0.0.0.0
Restart MariaDB to apply the change.
sudo systemctl restart mariadb
Verify MariaDB is now listening on all interfaces by checking port 3306.
ss -tlnp | grep 3306
The output should show MariaDB listening on 0.0.0.0:
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=2145,fd=22))
Step 6: Create Databases and Users
With MariaDB secured and running, create a database and a dedicated user for your application. Never use the root account for application connections.
Connect to the MariaDB shell as root.
sudo mariadb -u root
Create a new database. Replace appdb with your actual database name.
CREATE DATABASE appdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
Create a user that can connect from localhost only – suitable for applications running on the same server. Replace the example password with a unique, randomly generated one.
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
Grant the user full privileges on the application database.
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
For remote access from a specific IP (for example, an application server at 10.0.1.50), create a user with that host scope.
CREATE USER 'appuser'@'10.0.1.50' IDENTIFIED BY 'StrongPassword123!';
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'10.0.1.50';
FLUSH PRIVILEGES;
Verify the user grants are correct.
SHOW GRANTS FOR 'appuser'@'localhost';
The output confirms the privileges assigned to the user:
+---------------------------------------------------------------------------------------------------------------+
| Grants for appuser@localhost |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `appuser`@`localhost` IDENTIFIED BY PASSWORD '*6C8989366EAF6BCBBAC56A48D606341C7D35319E' |
| GRANT ALL PRIVILEGES ON `appdb`.* TO `appuser`@`localhost` |
+---------------------------------------------------------------------------------------------------------------+
Type EXIT; to leave the MariaDB shell. If you ever forget the root password, see our guide on resetting MariaDB root password on Ubuntu and Debian.
Step 7: Configure UFW Firewall for MariaDB
If you enabled remote access in Step 5, you need to open port 3306 in the firewall. Ubuntu and Debian commonly use UFW. For firewalld on Ubuntu, the process is slightly different.
Allow MariaDB connections from a specific subnet – adjust the source IP range to match your network.
sudo ufw allow from 10.0.1.0/24 to any port 3306 proto tcp comment 'MariaDB'
If you need to allow connections from any source (not recommended for production), use this instead.
sudo ufw allow 3306/tcp comment 'MariaDB'
Reload UFW and verify the rule was added.
sudo ufw reload
sudo ufw status numbered
The output lists active rules including the new MariaDB entry:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 3306/tcp ALLOW IN 10.0.1.0/24 # MariaDB
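Steps 5 and 7 only make sense together: once bind-address is 0.0.0.0, the UFW rule is the only thing limiting who can reach port 3306. The following check is an added example, not part of the original guide; it classifies that combination from saved `ss -tln` and `ufw status` output. The function name, SAMPLE_DIR and the sample text are constructed for illustration, and it assumes UFW keeps its default "deny incoming" policy.

```shell
#!/bin/sh
# Added example (not from the original guide). mariadb_exposure and SAMPLE_DIR
# are names chosen here; assumes ufw keeps its default "deny incoming" policy.

# $1: file holding `ss -tln` output, $2: file holding `ufw status` output
mariadb_exposure() {
    # Is there a 3306 listener bound to anything other than loopback?
    if ! awk '$1 == "LISTEN" && $4 ~ /:3306$/ && $4 !~ /^(127\.|\[::1\])/ { hit = 1 }
              END { exit !hit }' "$1"; then
        echo "local-only"
        return 0
    fi
    # The listener is reachable from the network, so the firewall is the gate.
    if ! grep -q '^Status: active' "$2"; then
        echo "exposed: firewall inactive"
        return 0
    fi
    if grep -Eq '(^|[^0-9])3306(/tcp)?( \(v6\))? +ALLOW( IN)? +Anywhere' "$2"; then
        echo "exposed: 3306 allowed from Anywhere"
        return 0
    fi
    echo "restricted: no Anywhere rule for 3306"
}

# Constructed sample input modelled on the outputs shown in Steps 5 and 7.
SAMPLE_DIR=$(mktemp -d)
echo 'LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*' > "$SAMPLE_DIR/ss.txt"
cat > "$SAMPLE_DIR/ufw_subnet.txt" <<'EOF'
Status: active
[ 1] 22/tcp     ALLOW IN    Anywhere
[ 2] 3306/tcp   ALLOW IN    10.0.1.0/24    # MariaDB
EOF
cat > "$SAMPLE_DIR/ufw_any.txt" <<'EOF'
Status: active
[ 1] 22/tcp     ALLOW IN    Anywhere
[ 2] 3306/tcp   ALLOW IN    Anywhere       # MariaDB
EOF

mariadb_exposure "$SAMPLE_DIR/ss.txt" "$SAMPLE_DIR/ufw_subnet.txt"
mariadb_exposure "$SAMPLE_DIR/ss.txt" "$SAMPLE_DIR/ufw_any.txt"
```

On a live server, feed it `ss -tln` and `sudo ufw status` redirected to files.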
Step 8: Configure Binary Logging
Binary logging records all changes to the database, which is essential for point-in-time recovery and replication. It is disabled by default on standalone installs and should be enabled on any production server.
Open the MariaDB server configuration file.
sudo vi /etc/mysql/mariadb.conf.d/50-server.cnf
Add the following settings under the [mysqld] section. These enable binary logging with row-based format and set a 7-day retention period.
[mysqld]
# Binary logging for replication and point-in-time recovery
log_bin = /var/log/mysql/mariadb-bin
binlog_format = ROW
server_id = 1
expire_logs_days = 7
max_binlog_size = 100M
Create the binary log directory and set proper ownership.
sudo mkdir -p /var/log/mysql
sudo chown mysql:mysql /var/log/mysql
Restart MariaDB to apply the binary logging configuration.
sudo systemctl restart mariadb
Verify binary logging is active by checking the log status inside the MariaDB shell.
sudo mariadb -u root -e "SHOW MASTER STATUS\G"
The output should show the current binary log file and position:
*************************** 1. row ***************************
File: mariadb-bin.000001
Position: 344
Binlog_Do_DB:
Binlog_Ignore_DB:
If you plan to set up replication, see our guide on configuring MariaDB replication on Ubuntu and Debian.
Step 9: Backup MariaDB with mariadb-dump
Regular backups are non-negotiable for any production database. The mariadb-dump utility creates logical backups that can be restored on any MariaDB or MySQL-compatible server.
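Back up a single database. The command runs inside sudo sh -c so that the output redirection into /backup is also performed as root; with a plain sudo prefix the redirect runs as the invoking user.
sudo sh -c 'mariadb-dump -u root --single-transaction --routines --triggers appdb > /backup/appdb_$(date +%F).sql'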
Back up all databases on the server. The command is wrapped in sudo sh -c so the output file in /backup is written as root.
sudo sh -c 'mariadb-dump -u root --all-databases --single-transaction --routines --triggers > /backup/all_databases_$(date +%F).sql'
The --single-transaction flag ensures a consistent backup without locking InnoDB tables, which is critical for production databases that serve live traffic. The --routines and --triggers flags include stored procedures and triggers in the dump.
Create the backup directory first if it does not exist; the dump commands above fail without it.
sudo mkdir -p /backup
sudo chown mysql:mysql /backup
To restore a backup, pipe the SQL file back into the MariaDB client.
sudo mariadb -u root appdb < /backup/appdb_2026-03-22.sql
For large databases, consider using mariadb-backup (Mariabackup) instead. It performs physical hot backups that are significantly faster for databases over 10 GB.
Automate daily backups with a cron job. This example runs at 2:00 AM and keeps backups for 14 days.
echo '0 2 * * * root mariadb-dump -u root --all-databases --single-transaction --routines --triggers | gzip > /backup/all_databases_$(date +\%F).sql.gz && find /backup -name "*.sql.gz" -mtime +14 -delete' | sudo tee /etc/cron.d/mariadb-backup
Verify the cron job file was created correctly.
sudo cat /etc/cron.d/mariadb-backup
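In the cron one-liner, `&&` sees only gzip's exit status, so a failed mariadb-dump still produces a small valid archive and the prune step keeps deleting older backups. The script below is an added example, not part of the original guide, that dumps, verifies and prunes as separate checked steps and writes archives readable by the owner only. BACKUP_DIR, KEEP_DAYS, run_backup, the optional command override and the --run switch are names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not from the original guide): fail-safe nightly dump.
# BACKUP_DIR, KEEP_DAYS, run_backup and the optional command override are
# names chosen for this sketch.
BACKUP_DIR="${BACKUP_DIR:-/backup}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Usage: run_backup [dump command ...]
# With no arguments it runs the same mariadb-dump call as the cron line.
run_backup() (
    [ "$#" -gt 0 ] || set -- mariadb-dump -u root --all-databases \
        --single-transaction --routines --triggers
    umask 077        # dumps contain all data and account hashes: owner-only
    out="$BACKUP_DIR/all_databases_$(date +%F).sql.gz"
    raw="$out.raw"   # uncompressed dump, removed before returning
    part="$out.part" # archive under construction

    # Dump and compress as separate steps so each exit status is checked.
    # In `dump | gzip`, plain sh reports only gzip's status.
    if ! "$@" > "$raw" || [ ! -s "$raw" ]; then
        rm -f "$raw"
        echo "backup failed: dump exited non-zero or was empty" >&2
        exit 1
    fi
    if ! gzip -c "$raw" > "$part" || ! gzip -t "$part"; then
        rm -f "$raw" "$part"
        echo "backup failed: could not write a valid archive" >&2
        exit 1
    fi
    rm -f "$raw"
    mv "$part" "$out"   # publish only a complete, verified archive

    # Prune old archives only after today's archive is in place.
    find "$BACKUP_DIR" -name '*.sql.gz' -mtime +"$KEEP_DAYS" -delete
)

# Run only when invoked as: script --run (for example from /etc/cron.d).
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Because the uncompressed dump is written to disk before compression, the backup volume needs room for one full dump in addition to the archives.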
Conclusion
MariaDB is now installed, secured, and configured on your Ubuntu 24.04 or Debian 13 server. The setup covers remote access, user management, firewall rules, binary logging for point-in-time recovery, and automated backups with mariadb-dump.
For production hardening, enable TLS encryption for client connections, set up MariaDB monitoring with Prometheus and Grafana, and consider deploying a MariaDB Galera Cluster for high availability.