LinuxQuestions.org


int0x80 11-04-2005 06:53 PM

Securing MySQL
 
I have installed MySQL 5.0 onto my new server. Currently the server is in the process of being built so it is presently behind a firewall and router with its own iptables ruleset as well. I've searched around, but haven't found many helpful links on securing MySQL 5.0 outside of the post-installation and security tips suggested by MySQL.

So far I have:
1. Added a password for the root user (both from localhost and my host name)
2. Dropped the 'test' database

Other than that, I haven't found any suggestions or tips for additionally securing the MySQL software. Of course I am familiar with the concepts of (chroot) jails, but would like to work at the more proactive angle right now. Are there any additional actions I should take directly related to MySQL?

Jukas 11-04-2005 07:39 PM

I blocked access to port 3306 at the firewall level to everything but one static IP I work from. When I need to access the db I either use the MySQL control center from that machine or I ssh in and do it from the command line.

I'm also interested in hearing what other people do to secure MySQL.

btmiller 11-04-2005 08:05 PM

You could run MySQL in a chroot jail. If you Google around I think there are some guides, but I haven't actually tried it myself.

pk21 11-07-2005 05:51 AM

You could bind tcp port 3306 only to localhost if you don't need to connect to mysql remotely.

int0x80 11-07-2005 07:54 AM

Thank you for the suggestions thus far. As mentioned, this server already has an iptables firewall ruleset. The default policy for input is to drop, and the port for MySQL (3306) is not included in the list that accepts input. I suppose there could be a rule in the output table to prevent it from making communication out through the internet facing interface, but I think there would have to be an assumption that it didn't fork to a different port when communicating.

As for the chroot jail, you can use the application makejail to help set up a jail for MySQL. In Debian, I just use apt-get to install it. It wouldn't surprise me if there was an emerge package for it in Gentoo. A jail is more of a post-incident utility that limits damage once the service has been compromised. I would like to focus on actions to prevent the service from being compromised.

stickman 11-07-2005 10:55 AM

You could always require the remote clients to use SSL.

int0x80 11-22-2005 04:32 PM

Came upon this site today, thought others may find it helpful.
http://www.linuxexposed.com/Articles...plained-2.html

sundialsvcs 11-23-2005 05:47 PM

The first order of business is to restrict access to MySQL, and the simplest way to do that is the same stuff that would be true for any and all of the various daemons that are running on your system. Basic firewall rules can do this handily in most cases. Demilitarized zones and all that rot...

Perhaps the rules for who may and may not "reach" MySQL need to be more elaborate even within your network. In that case, you might need to use technologies like VPN within your internal net. SSL is a reasonable alternative in some situations.

When you finally reach MySQL and are able to log in to it, the basic password management rules apply. I think the most important recommendation here is that you should never give any one MySQL user more privilege than it actually needs. The IDs used by websites, in particular, should be highly restricted.
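As an added example (not posted by anyone in the thread), here is what pk21's "bind to localhost" advice and sundialsvcs' least-privilege advice look like on a MySQL 5.0 server: a restricted account for a web application, followed by the grant-table checks a DBA would run afterwards. The schema name `shopdb`, the account `webapp`, the client host `10.0.0.5` and the password are placeholders.

```sql
-- Added example, not from the thread. Assumes MySQL 5.0, where the
-- mysql.user table still has a `password` column (later versions renamed it).
--
-- Server side, in my.cnf [mysqld], so the listener is not reachable from the
-- network at all (pk21's suggestion); use skip-networking to disable TCP entirely:
--   bind-address = 127.0.0.1

-- 1. Create the application account tied to one source host. No '%' wildcard,
--    so the grant tables enforce the same restriction as the firewall.
CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY 'CHANGE-ME-long-random-password';

-- 2. Grant only the DML the application needs, only on its own schema.
--    No FILE, PROCESS, SUPER, GRANT OPTION, and nothing on mysql.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'webapp'@'10.0.0.5';

-- 3. Verify: exactly two GRANT lines should come back, a USAGE line (login
--    only) and the shopdb line above.
SHOW GRANTS FOR 'webapp'@'10.0.0.5';

-- 4. Audit the rest of the grant table for leftovers the thread warns about:
--    anonymous users and accounts with empty passwords ...
SELECT user, host FROM mysql.user WHERE user = '' OR password = '';
--    ... accounts that may connect from any host ...
SELECT user, host FROM mysql.user WHERE host = '%';
--    ... and accounts holding privileges that can read files or take over
--    the server, which a web-application ID never needs.
SELECT user, host
  FROM mysql.user
 WHERE File_priv = 'Y' OR Process_priv = 'Y'
    OR Super_priv = 'Y' OR Grant_priv = 'Y';

-- 5. Remove anything unexpected, e.g. an anonymous local account:
DROP USER ''@'localhost';
```

Run the audit queries as the root account after every schema or application change; the expected result for the first two is an empty set.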
