How to secure MySQL server

OS level Security:

  • Never run the MySQL server as the Linux ‘root’ user. Always create a separate user for MySQL and start/stop the MySQL server with it.
  • If the data directories are located under $mysql_home/data, make sure that directory and all its subdirectories have read and write privileges only for the mysql user.
  • Always secure the MySQL configuration file, i.e. my.cnf. If possible, keep it in a different location rather than /etc (the default location).
  • Always secure MySQL log files like the binary log, query log, error log etc., because anyone who can read them can get information about the data, tables etc.
  • Always secure the .mysql_history file of the mysql user and of any Linux superuser, because that file can contain commands and passwords in plain text.

Accounts and Privileges:

  • Secure the MySQL root account. There should be no root account for any host other than localhost. Remove anonymous accounts.
  • Always check the ‘Aborted_connects’ status variable. Its value will be high when someone is attacking your DB server (repeated failed connection attempts).
  • After installing and starting MySQL, run the mysql_secure_installation script to set the MySQL root password, remove anonymous accounts, remove remote root access and delete the test database.
  • Never allow non-admin users access to the mysql.user table or the mysql database.
  • Don’t grant the SUPER, FILE or PROCESS privilege to non-admin users.
  • Always restrict user accounts to only those schemas they need.
  • If data is sensitive, consider using SSL for data communications.

Data and Auditing:

  • If the logic is not complex, use MySQL stored procedures/functions/triggers to secure your data, as they can help prevent SQL-injection attacks.
  • Always delete the “test” database from production servers.
  • Set an appropriate SQL_MODE option to secure your data and keep data integrity high.
  • Always secure DB backup files.
  • Use the binary, general query and error logs for auditing activity.
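As an added example (not part of the original post), the following SQL puts the account/privilege checks above and the test-database and SQL_MODE items into runnable form. It assumes MySQL 5.7 or 8.0 and a session allowed to read the mysql schema; the account name app_user, the schema appdb, the host pattern and the password are placeholders.

```sql
-- Added example, not from the original post. Placeholders: app_user, appdb,
-- the 10.0.0.% host pattern and the password; replace them for your site.

-- 1. Root accounts reachable from anything other than localhost.
SELECT user, host FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Anonymous accounts (empty user name).
SELECT user, host FROM mysql.user WHERE user = '';

-- 3. Non-admin accounts holding SUPER, FILE or PROCESS.
SELECT user, host, Super_priv, File_priv, Process_priv FROM mysql.user
 WHERE (Super_priv = 'Y' OR File_priv = 'Y' OR Process_priv = 'Y')
   AND user <> 'root';

-- 4. Accounts with schema-level rights on the mysql database itself.
SELECT user, host FROM mysql.db WHERE db = 'mysql';

-- 5. Failed/aborted connection counter; a rising value deserves a look at
--    the error log for the source hosts.
SHOW GLOBAL STATUS LIKE 'Aborted_connects';

-- Remediation for findings 1, 2 and the test database.
DROP USER IF EXISTS 'root'@'%';                 -- remote root login
DROP USER IF EXISTS ''@'localhost', ''@'%';     -- anonymous accounts
DROP DATABASE IF EXISTS test;                   -- default test schema

-- Application account limited to one schema, with no SUPER/FILE/PROCESS.
CREATE USER 'app_user'@'10.0.0.%' IDENTIFIED BY 'CHANGE_ME_placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_user'@'10.0.0.%';
SHOW GRANTS FOR 'app_user'@'10.0.0.%';

-- Strict SQL_MODE: reject invalid or truncated values instead of silently
-- storing them (persist the same value in my.cnf so it survives restarts).
SET GLOBAL sql_mode =
  'STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION,ERROR_FOR_DIVISION_BY_ZERO';
```

Run the SELECT checks first and review each result before executing the DROP statements, since a legitimately provisioned account could match.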
