In this article we will give you some tips on securing your MySQL or MariaDB database.
1. Secure MySQL installation
This step includes the following (the mysql_secure_installation script that ships with MySQL and MariaDB walks through the same items interactively; each can also be done by hand):
– Setting a password for the root account, if you did not set one during installation;
– Disabling remote root login by removing root accounts that are accessible from outside localhost;
– Removing anonymous user accounts. Accounts with trivial passwords are just as dangerous and should be removed or have their passwords changed;
– Removing the "test" database, which by default can be used by all accounts, anonymous ones included;
– Restricting remote access. Every account that can log in over the network is extra attack surface, so make sure each user can connect only from the specific hosts it needs: the host part of the account name, 'user'@'host', is the control for this, and a '%' host means "from anywhere".
2. Obscure access to your database
By default MySQL listens on port 3306 and its superuser is called 'root'. Changing both makes opportunistic attacks (password guessing against root, scripts that only try 3306) a little harder, but it is not a control on its own: a port scan finds the new port in seconds, so treat this as a complement to the network restrictions in step 4, not a substitute. To change the port, set the "port" variable in the [mysqld] section of my.cnf and restart the server. To replace the root account, create a new superuser with GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION, confirm you can log in with it from a second session, and only then drop the existing 'root' accounts (RENAME USER 'root'@'localhost' TO 'newname'@'localhost' is the shorter alternative on both MySQL and MariaDB).
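The manual equivalent of steps 1 and 2, as an added example that is not the article's own snippet. The account name dbadmin, the host values and the password placeholders are assumptions; run it as root@localhost in the mysql client and adjust to what the SELECT statements report on your server.

```sql
-- Added example (not from the article): manual version of steps 1 and 2.
-- dbadmin, the host names and the CHANGE-ME passwords are assumptions.
-- ALTER USER ... IDENTIFIED BY needs MySQL 5.7.6+ / MariaDB 10.2+;
-- DROP USER IF EXISTS needs MySQL 5.7+ / MariaDB 10.1.3+.

-- Step 1a: make sure root has a password (an install may have left it empty).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-secret-1';

-- Step 1b/1e: list every account reachable from outside localhost.
SELECT User, Host FROM mysql.user
 WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Drop remote root logins; '%' is the usual offender, add any other host
-- the SELECT above reported for root.
DROP USER IF EXISTS 'root'@'%';

-- Step 1c: anonymous accounts have an empty user name. Installers create
-- ''@'localhost' and ''@'<server hostname>'; drop each one listed here.
SELECT User, Host FROM mysql.user WHERE User = '';
DROP USER IF EXISTS ''@'localhost';

-- Step 1d: drop the test database and the wildcard rows in mysql.db that let
-- every account use databases named test or test_* (the same statements
-- mysql_secure_installation runs). '\\_' is a literal backslash-underscore.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- Step 2: a replacement superuser valid only from localhost. Log in with it
-- in a second session before dropping the well-known 'root' account.
CREATE USER 'dbadmin'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-secret-2';
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' WITH GRANT OPTION;
-- Only after the dbadmin login succeeded:
DROP USER IF EXISTS 'root'@'localhost';

-- Verification: expect empty result sets from both.
SELECT User, Host FROM mysql.user
 WHERE User = '' OR User = 'root';
SELECT Db, User, Host FROM mysql.db WHERE Db LIKE 'test%';
```

The direct DELETE on mysql.db is why the FLUSH PRIVILEGES is needed; CREATE USER, GRANT and DROP USER update the in-memory privilege tables themselves.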
3. Disable local_infile
The local_infile variable controls LOAD DATA LOCAL INFILE, the statement that makes the client send a file from its own file system to the server. Through SQL injection into an application, or from a malicious server the client is tricked into connecting to, it becomes an arbitrary-file read on the client host. Disable it by setting local_infile = 0 under the [mysqld] section of the my.cnf file (clients have their own local-infile switch as well; turn it off wherever the application does not need it). Server-side file access is a separate matter: LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() are governed by the FILE privilege and by secure_file_priv, so grant FILE to nobody and confine secure_file_priv to a dedicated directory.
4. Secure your network
The best option is for MySQL not to be reachable over the network at all, with every connection handled locally (a Unix socket on Linux; named pipes or shared memory on Windows). Adding skip-networking to the [mysqld] section of my.cnf turns off TCP/IP listening entirely; be aware that this also blocks replication and any application on another host, so it only fits single-server deployments. The next best option is bind-address = 127.0.0.1 (TCP on loopback only) or, where remote clients are unavoidable, a host firewall that allows traffic to the database port only from the specific application hosts. DataSunrise can also restrict access to the database to specific IP addresses.
5. Enable logging and use audit means
The best way to understand what happens on your database server is to use logs. You can enable logging by adding the following variable under the [mysqld] section:
The general query log records every statement from every client, which is what you want in an investigation but is large and may contain sensitive values, so keep it on a protected path and rotate it; the error log should always be on. With auditing you can collect data on who executed what and when, filtered to the events you care about. MySQL Enterprise Audit, the MariaDB Audit Plugin (server_audit) and Percona's audit_log plugin are the in-server options; DataSunrise is an external one.
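The my.cnf settings that steps 2 to 5 describe, collected into one fragment as an added example (this is not the article's own snippet). The port number, log paths and the choice between skip-networking and bind-address are assumptions to adapt; the file goes into /etc/mysql/conf.d/ or the [mysqld] section of my.cnf, followed by a server restart.

```ini
# Added example, not the article's own snippet. Port, paths and the
# skip-networking vs bind-address choice are assumptions.
[mysqld]
# Step 2: move off the default port. Reduces scanner noise only; it is not
# a control on its own.
port = 3307

# Step 3: refuse LOAD DATA LOCAL INFILE from clients.
local_infile = 0
# Server-side file import/export is confined to this directory; on MySQL,
# secure_file_priv = NULL disables it entirely (an empty value means no limit).
secure_file_priv = /var/lib/mysql-files

# Step 4: pick ONE. skip-networking disables TCP/IP completely (socket
# clients only; breaks replication and remote applications). bind-address
# keeps TCP but only on the loopback interface.
skip-networking
# bind-address = 127.0.0.1

# Step 5: error log always on; the general query log captures every
# statement, so protect and rotate the file.
log_error = /var/log/mysql/error.log
general_log = 1
general_log_file = /var/log/mysql/general.log
```

After the restart, SHOW VARIABLES LIKE 'local_infile'; and SHOW VARIABLES LIKE 'skip_networking'; confirm the settings took effect, and the log directory should be owned by the mysql service account with no access for other users.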
6. Don't put passwords on the command line
Everything you type at a terminal ends up in history files: the shell's history and the mysql client's own ~/.mysql_history. An attacker with a foothold on the host can harvest passwords from invocations such as mysql -u root -pSecret123 or mysqldump --password=... long after they were run. Pass -p with no value so the client prompts for the password, or keep the credentials in an option file ([client] section of ~/.my.cnf, mode 0600); on MySQL, mysql_config_editor stores them obfuscated in ~/.mylogin.cnf and the client picks them up with --login-path.
7. Set appropriate permissions on MySQL files
Make sure that you have set appropriate permissions and ownership on all server files. The /etc/my.cnf file should be owned by root and writable by root only, so that no other user can change the server configuration (an attacker who can edit it can, for example, turn logging off, re-enable local_infile or point the server at a different data directory):
chmod 644 /etc/my.cnf
8. Create database users for specific applications and grant only the privileges they need
Use a separate database account for each application running on the server, restricted to that application's schema and to the host it connects from, and grant only the statement types it actually runs (SELECT, INSERT, UPDATE, DELETE on app_db.* rather than ALL PRIVILEGES on *.*). Never give application accounts global privileges such as FILE, SUPER or PROCESS, and never let them read mysql.*. Review the result with SHOW GRANTS FOR 'user'@'host'.
Database security also depends on the operating system the server runs on. Make sure that the MySQL data directory, configuration and log files are accessible only to properly authorized users: typically the data directory is owned by the mysql service account with mode 0700 or 0750, and only root and the database administrators can read the configuration and logs.
9. Encrypt your data in transit
In most cases query results travel from the database server to the client over the network, and data also moves between MySQL servers (replication). Unencrypted, that traffic can be sniffed: the login handshake protects the password, not the queries and results that follow. The fix is TLS (still called "SSL" in the server's option names): configure ssl_ca, ssl_cert and ssl_key on the server, create accounts with REQUIRE SSL (or REQUIRE X509 to also check the client's certificate), and on MySQL 5.7.8+ / MariaDB 10.5+ set require_secure_transport = ON so that plaintext TCP connections are refused server-wide. Verify a session with SHOW SESSION STATUS LIKE 'Ssl_cipher'; an empty value means the connection is not using TLS.
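A per-application account as described in step 8, limited to its schema and source host and required to use TLS as in step 9, as an added example that is not the article's own code. The account names (shopapp, shopreport), the shop schema, the IP addresses and the password placeholders are assumptions; REQUIRE on CREATE USER needs MySQL 5.7+ / MariaDB 10.2+ (older versions put REQUIRE SSL on the GRANT instead).

```sql
-- Added example (not from the article): least-privilege application accounts
-- over TLS. shopapp, shopreport, schema shop, the IPs and the CHANGE-ME
-- passwords are assumptions. Run as the administrative account.

-- One account per application, valid only from the application server's
-- address and only over TLS (REQUIRE SSL rejects plaintext logins).
CREATE USER 'shopapp'@'10.0.1.20'
  IDENTIFIED BY 'CHANGE-ME-long-random-secret-3'
  REQUIRE SSL;

-- Only the statement types the application runs, only on its own schema.
-- No FILE, SUPER or PROCESS, and nothing on mysql.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shopapp'@'10.0.1.20';

-- A read-only reporting account for the same schema from a different host.
CREATE USER 'shopreport'@'10.0.1.30'
  IDENTIFIED BY 'CHANGE-ME-long-random-secret-4'
  REQUIRE SSL;
GRANT SELECT ON shop.* TO 'shopreport'@'10.0.1.30';

-- Refuse plaintext TCP for every account, not only those that remember
-- REQUIRE SSL (MySQL 5.7.8+ / MariaDB 10.5+; ssl_ca, ssl_cert and ssl_key
-- must already be configured or remote logins will fail). Persist the same
-- setting in my.cnf so it survives a restart.
SET GLOBAL require_secure_transport = ON;

-- Checks: effective grants, TLS requirement per account, TLS on this session
-- (an empty Ssl_cipher value means no TLS).
SHOW GRANTS FOR 'shopapp'@'10.0.1.20';
SELECT User, Host, ssl_type FROM mysql.user
 WHERE User IN ('shopapp', 'shopreport');
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Granting on shop.* rather than *.* also means a compromised application cannot enumerate or touch other applications' schemas on the same server, which is the whole point of one account per application.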
10. Encrypt your data at rest
Use encryption to protect the data stored on disk. Encryption at rest is also required by standards such as HIPAA and PCI DSS. It can be applied at several levels, and they protect against different things: full-disk or volume encryption (LUKS, BitLocker) protects a stolen or discarded disk but not a running server, because the database reads the data in the clear; database-level encryption (InnoDB tablespace encryption in MySQL 5.7.11+ and 8.0, MariaDB's data-at-rest encryption since 10.1) also covers files copied off a running system, provided the key lives outside the data directory, in a keyring file on a separate volume or in an external key management service; application-level encryption keeps the plaintext away from the database entirely, at the cost of making the column unusable for indexing and searching. All modern MySQL variants provide built-in data encryption. You can also use DataSunrise's MySQL security solution with data encryption functionality to protect your database.
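Database-level encryption on MySQL, as an added example that is not the article's own code: InnoDB tablespace encryption on 5.7.11+ / 8.0 with a keyring already loaded (for example early-plugin-load=keyring_file.so in my.cnf, with keyring_file_data on a volume other than the data directory). The shop schema and table names are assumptions; MariaDB uses a different mechanism (the file_key_management or aws_key_management plugin and innodb_encrypt_tables), so these statements are MySQL-specific.

```sql
-- Added example (not from the article): InnoDB tablespace encryption on
-- MySQL 5.7.11+ / 8.0. Requires a keyring plugin or component to be loaded
-- first; schema and table names are assumptions.

-- Encrypt an existing file-per-table table (rewrites its tablespace).
ALTER TABLE shop.customers ENCRYPTION = 'Y';

-- New tables encrypted from the start.
CREATE TABLE shop.payment_tokens (
  id    BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  token VARBINARY(64)   NOT NULL
) ENCRYPTION = 'Y';

-- MySQL 8.0.16+: make unencrypted tables the exception rather than the default.
SET PERSIST default_table_encryption = ON;

-- Rotate the master key periodically: tablespace keys are re-wrapped with the
-- new master key, the data itself is not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Check: InnoDB tables in the schema that are still unencrypted
-- (CREATE_OPTIONS shows ENCRYPTION="Y" for encrypted ones; the '_' wildcard
-- matches either quote style).
SELECT TABLE_NAME, CREATE_OPTIONS
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'shop'
   AND ENGINE = 'InnoDB'
   AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';
```

Tablespace encryption is only as good as the keyring behind it: a keyring_file_data file sitting next to the data directory on the same volume travels with any copy of that volume, which is why the key belongs on separate storage or in an external KMS.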