28

Following the hardening theme....

What are some best practices, recommendations, required reading for securing MySQL.

Scott Pack
  • 15,167
  • 5
  • 61
  • 91

2 Answers2

26
  • Run only MySQL on the Server - If possible run only MySQL on the server and remove any unused services.
  • Firewall - Limit access by IP address to only the servers / clients that require access.
  • User Privileges - When creating users always give the minimum amount of privileges and expand as needed. Also try to avoid using '%' wildcard for hosts and instead limit to the host that requires access.
  • Bind Address Appropriately - If you only require remote access to the server within the same network and the machine has both an external IP and an internal network address. Setup MySQL to only listen on the internal address.
  • Enable Logging - Enable logging if the database doesn’t handle to many queries.
  • mysql_secure_installation - Use the mysql_secure_installation utility which does a number of things including removing anonymous-user accounts, removes the test database etc.
  • Root Account Accessible Local Only - Its best to limit the root account to be accessible only directly from the machine. The mysql_secure_installation does allow you to remove any remote access for root accounts easily. I usually then either ssh to the machine and use the mysql command prompt or MySQL Workbench has functionality to tunnel over SSH.

Additional Resources

Lucavon
  • 3
  • 2
Mark Davidson
  • 9,367
  • 6
  • 43
  • 61
  • Also introduce an abstraction layer in your software that manages risks such as sql-injection and other such threats. Also note that you can not always run SQL on the same server as your web server (PCI regulations), meaning the concern of firewalls is really a configuration issue to setting up connections on need only and dropping the rest. – Incognito Dec 15 '10 at 15:16
7

I suppose the usual OS methods (including fail2ban if remote ssh admin is required), then block all external access to the MySQL port, or allow a whitelist to connect if absolutely necessary. Set a password for the mysqladmin user.

After that, the mysqladmin user should only be allowed to connect from localhost and should be the only user granted any privileges via the 'user' table - all other users denied access by default (i.e. in the user table) but given specific grants to individual databases.

Note that you should not expose MySQL directly on the internet. If you must have remote data access use a VPN (e.g. stunnel with client verification).

Mark Davidson
  • 9,367
  • 6
  • 43
  • 61
symcbean
  • 18,278
  • 39
  • 73