Latest news
10 steps to fortify the security of your MySQL installation
Posted on 18 August 2006.
For those who wish to enhance or fortify the security of the MySQL installation the following technical 10 steps are a good start.
Step 1: Run MySQL in a chroot jail
Chroot creates a new root directory structure for an application and restricts the files it can access within the operating system. If your MySQL server gets hacked and the attacker gains a shell on your server all they will see is a restricted environment While chroot can be bypassed it does provide defence in depth and may prove to be invaluable in the event of a MySQL 0-day exploit. Most script kiddies will go for the low hanging fruit and the added difficulty of the chroot jail may just move them along to easier picking.
The steps involved in configuring a chroot jail for MySQL are outside the scope of this article but full details can be found in the article "Securing MySQL: step-by-step".
Step 2: Restrict or disable remote access
MySQL runs on a default port of 3306. If you are running your MySQL server on a separate server from the application server then you should restrict access to this port using a host-based firewall such as IPTables.
If you are running both your application server and your MySQL server on the same server then you can disable networking completely in MySQL and use Unix sockets as the communication channel instead. This stop the MySQL server listening for network connections and further reduces the attack surface of the server.
Step 3: Change default root password and change root username
By default the root MySQL account contains an empty password. This should be changed as soon as your MySQL installation is complete.
It is also a good idea to change the name of the root account to something else. This will create an additional level of obfuscation if an attacker attempts to brute force the password for the root account.
Step 4: Remove anonymous accounts and accounts with empty passwords
MySQL creates accounts with anonymous access by default and, needless to say, these should be removed.
Step 5: Remove sample database
MySQL installs a sample database by default called "test". Best practise dictates that we should remove this.
Step 6: Run MySQL as an unprivileged user
MySQL should always be run as an unprivileged user in order to reduce the potential damage to the operating system and other processes in the event of a successful attack against MySQL.
Step 7: Grant minimum privileges for database users
When making connections to the MySQL database from your application you should use an account with only the minimum permissions to perform its required actions. This is in line with the principle of least privilege.
Step 8: Enable MySQL logging and restrict access to logs
Almost all startup scripts for MySQL now have logging configured but you should always ensure that MySQL is logging to the /var/log/ directory to make analysis of logs easier in an incident response situation.
Step 9: Encrypt data stored in the database using MySQL built-in functions
If the data being stored in the database is sensitive then it should ideally be encrypted. MySQL provides inbuilt SQL functions to encrypt and decrypt data using the AES encryption protocol. The only problem with this method of encryption is that the password used to encrypt and decrypt the data must be hard coded into the SQL statements in the application. While this is a problem it does however keep the data safe if the database is backed up to a remote server. It also provides some degree of obfuscation in the event of an attacker gaining access to the operating system.
Step 10: Keep a look out for patches
While all these steps will help harden your MySQL server against attacks all your good work could go out the window if you don't keep abreast of new vulnerabilities for MySQL.
These MySQL fortifying steps are provided by Irish security company Espion. Espion provides IT security services including vulnerability assessment and penetration testing for networks & applications, IT infrastructure review and Audit, security policy & procedure review.
Step 1: Run MySQL in a chroot jail
Chroot creates a new root directory structure for an application and restricts the files it can access within the operating system. If your MySQL server gets hacked and the attacker gains a shell on your server all they will see is a restricted environment While chroot can be bypassed it does provide defence in depth and may prove to be invaluable in the event of a MySQL 0-day exploit. Most script kiddies will go for the low hanging fruit and the added difficulty of the chroot jail may just move them along to easier picking.
The steps involved in configuring a chroot jail for MySQL are outside the scope of this article but full details can be found in the article "Securing MySQL: step-by-step".
Step 2: Restrict or disable remote access
MySQL runs on a default port of 3306. If you are running your MySQL server on a separate server from the application server then you should restrict access to this port using a host-based firewall such as IPTables.
If you are running both your application server and your MySQL server on the same server then you can disable networking completely in MySQL and use Unix sockets as the communication channel instead. This stop the MySQL server listening for network connections and further reduces the attack surface of the server.
Step 3: Change default root password and change root username
By default the root MySQL account contains an empty password. This should be changed as soon as your MySQL installation is complete.
It is also a good idea to change the name of the root account to something else. This will create an additional level of obfuscation if an attacker attempts to brute force the password for the root account.
Step 4: Remove anonymous accounts and accounts with empty passwords
MySQL creates accounts with anonymous access by default and, needless to say, these should be removed.
Step 5: Remove sample database
MySQL installs a sample database by default called "test". Best practise dictates that we should remove this.
Step 6: Run MySQL as an unprivileged user
MySQL should always be run as an unprivileged user in order to reduce the potential damage to the operating system and other processes in the event of a successful attack against MySQL.
Step 7: Grant minimum privileges for database users
When making connections to the MySQL database from your application you should use an account with only the minimum permissions to perform its required actions. This is in line with the principle of least privilege.
Step 8: Enable MySQL logging and restrict access to logs
Almost all startup scripts for MySQL now have logging configured but you should always ensure that MySQL is logging to the /var/log/ directory to make analysis of logs easier in an incident response situation.
Step 9: Encrypt data stored in the database using MySQL built-in functions
If the data being stored in the database is sensitive then it should ideally be encrypted. MySQL provides inbuilt SQL functions to encrypt and decrypt data using the AES encryption protocol. The only problem with this method of encryption is that the password used to encrypt and decrypt the data must be hard coded into the SQL statements in the application. While this is a problem it does however keep the data safe if the database is backed up to a remote server. It also provides some degree of obfuscation in the event of an attacker gaining access to the operating system.
Step 10: Keep a look out for patches
While all these steps will help harden your MySQL server against attacks all your good work could go out the window if you don't keep abreast of new vulnerabilities for MySQL.
These MySQL fortifying steps are provided by Irish security company Espion. Espion provides IT security services including vulnerability assessment and penetration testing for networks & applications, IT infrastructure review and Audit, security policy & procedure review.
Spotlight
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Is Microsoft is reading your Skype communications?
Posted on 15 May 2013. | The question of whether Skype allows U.S. intelligence and law enforcement agencies to access the communications exchanged by its users has still not been adequately answered by Microsoft.
Internet Explorer best at blocking malware
Posted on 14 May 2013. | While Chrome’s malware download protection improved significantly, Internet Explorer 10 continues to outperform the other browsers with a block rate of 99.96%.
Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013. | You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher for help, but you would be wrong.
Malicious browser extensions are hijacking Facebook accounts
Posted on 13 May 2013. | Facebook users - especially those in Brazil - are being targeted with malicious browser extensions trying to hijack Facebook profiles, warns Microsoft.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
