LinuxQuestions.org
Old 11-04-2005, 06:53 PM   #1
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Securing MySQL


I have installed MySQL 5.0 onto my new server. Currently the server is in the process of being built so it is presently behind a firewall and router with its own iptables ruleset as well. I've searched around, but haven't found many helpful links on securing MySQL 5.0 outside of the post-installation and security tips suggested by MySQL.

So far I have:
1. Added a password for the root user (both from localhost and my host name)
2. Dropped the 'test' database

Other than that, I haven't found any suggestions or tips for additionally securing the MySQL software. Of course I am familiar with the concepts of (chroot) jails, but would like to work at the more proactive angle right now. Are there any additional actions I should take directly related to MySQL?
 
Old 11-04-2005, 07:39 PM   #2
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Rep: Reputation: 15
I blocked access to port 3306 at the firewall level to everything but one static IP I work from. When I need to access the db I either use the MySql control center from that machine or I ssh in and do it from the command line.

I'm also interested in hearing what other people do to secure MySQL.
 
Old 11-04-2005, 08:05 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,114

Rep: Reputation: 312
You could run MySQL in a chroot jail. If you Google around I think there are some guides, but I haven't actually tried it myself.
 
Old 11-07-2005, 05:51 AM   #4
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
You could bind tcp port 3306 only to localhost if you don't need to connect to mysql remotely.
 
Old 11-07-2005, 07:54 AM   #5
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
Thank you for the suggestions thus far. As mentioned, this server already has an iptables firewall ruleset. The default policy for input is to drop, and the port for MySQL (3306) is not included in the list that accepts input. I suppose there could be a rule in the output table to prevent it from making communication out through the internet-facing interface, but I think there would have to be an assumption that it didn't fork to a different port when communicating.

As for the chroot jail, you can use the application makejail to help set up a jail for MySQL. In Debian, I just use apt-get to install it. It wouldn't surprise me if there was an emerge package for it in Gentoo. A jail is more of a post-incident utility that limits damage once the service has been compromised. I would like to focus on actions to prevent the service from being compromised.

Last edited by int0x80; 11-07-2005 at 07:56 AM.
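The network-exposure advice from replies #2, #4 and #5 (keep mysqld off the network, or bound to loopback, and let iptables admit 3306 from one admin host only) as an added POSIX sh example that is not code from the thread. The sample my.cnf contents are constructed, and the admin address 192.0.2.10 is a placeholder; the config check reads the [mysqld] section only, since a bind-address under [client] does not restrict the server.

```shell
# Added example (not from the thread). Paths, sample config contents and the
# admin address 192.0.2.10 are assumptions, not values posted in the thread.
# Print the value of KEY from the [mysqld] section only (other sections such
# as [client] are ignored); a bare flag such as skip-networking prints "yes".
mysqld_opt() {
    awk -v k="$2" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_sec && !/^[[:space:]]*[#;]/ {
            n = split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])
            if (kv[1] != k) next
            if (n < 2) { print "yes"; exit }
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[2]); print kv[2]; exit
        }' "$1"
}
# True (0) when mysqld is reachable only locally: networking disabled
# (Unix socket only) or the TCP listener bound to the loopback address.
mysqld_local_only() {
    [ "$(mysqld_opt "$1" skip-networking)" = "yes" ] && return 0
    case "$(mysqld_opt "$1" bind-address)" in
        127.0.0.1|localhost) return 0 ;;
    esac
    return 1
}
# Print (do not run) the iptables rules replies #2 and #5 describe: default
# DROP on INPUT, loopback and established traffic allowed, 3306 from one host.
mysql_fw_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp -s %s --dport 3306 -j ACCEPT\n' "$1"
}
# Constructed sample configs; "weak" carries a loopback bind-address under
# [client], which a plain grep for bind-address would wrongly accept.
sample_cnf() {
    f=$(mktemp)
    case "$1" in
        weak)     printf '[mysqld]\nbind-address = 0.0.0.0\n[client]\nbind-address = 127.0.0.1\n' ;;
        loopback) printf '[mysqld]\n# local admin only\nbind-address = 127.0.0.1\n' ;;
        socket)   printf '[mysqld]\nskip-networking\n' ;;
    esac > "$f"
    echo "$f"
}
for kind in weak loopback socket; do
    f=$(sample_cnf "$kind")
    mysqld_local_only "$f" && echo "$kind: local only" || echo "$kind: EXPOSED"
done
mysql_fw_rules 192.0.2.10
```

Point mysqld_local_only at the real /etc/mysql/my.cnf to audit a live box; the rule printer is for review before you add the lines to your existing ruleset.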
 
Old 11-07-2005, 10:55 AM   #6
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
You could always require the remote clients to use SSL.
 
Old 11-22-2005, 04:32 PM   #7
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Original Poster
Rep: Reputation: 31
Came upon this site today, thought others may find it helpful.
http://www.linuxexposed.com/Articles...plained-2.html
 
Old 11-23-2005, 05:47 PM   #8
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,378

Rep: Reputation: 1108
The first order of business is to restrict access to MySQL, and the simplest way to do that is the same stuff that would be true for any and all of the various daemons that are running on your system. Basic firewall rules can do this handily in most cases. Demilitarized zones and all that rot...

Perhaps the rules for who may and may not "reach" MySQL need to be more elaborate even within your network. In that case, you might need to use technologies like VPN within your internal net. SSL is a reasonable alternative in some situations.

When you finally reach MySQL and are able to log in to it, the basic password management rules apply. I think the most important recommendation here is that you should never give any one MySQL user more privilege than it actually needs. The IDs used by web-sites, in particular, should be highly restricted.
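The account-level hardening the thread converges on (post #1: root password set and test database gone; post #6: SSL required for remote clients; post #8: no MySQL user holding more privilege than it needs), as an added sh example that is not code from the thread. It emits the SQL to pipe into the mysql client as root; the schema and user names, the admin host 192.0.2.10 and the CHANGE_ME passwords are placeholders.

```shell
# Added example (not from the thread). The schema/user names, the admin host
# 192.0.2.10 and the CHANGE_ME passwords are placeholders to edit before use.
# Usage: mysql_hardening_sql APP_DB APP_USER ADMIN_USER ADMIN_HOST
mysql_hardening_sql() {
    app_db=$1; app_user=$2; admin_user=$3; admin_host=$4
    cat <<EOF
-- Post #1: no test database, and no default grant rows for test / test_% either.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db LIKE 'test%';
-- The default anonymous accounts (empty User) have no password: remove them.
DELETE FROM mysql.user WHERE User = '';
-- Keep root (password set in post #1) usable from the local host only.
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');
-- Post #8: the web site account gets only the DML it needs, on one schema,
-- and only from localhost.
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$app_db\`.* TO '$app_user'@'localhost'
    IDENTIFIED BY 'CHANGE_ME_app_password';
-- Post #6: the single remote administrative account must use an SSL session.
GRANT ALL PRIVILEGES ON \`$app_db\`.* TO '$admin_user'@'$admin_host'
    IDENTIFIED BY 'CHANGE_ME_admin_password' REQUIRE SSL;
FLUSH PRIVILEGES;
EOF
}
# Review the statements first, then apply with:
#   mysql_hardening_sql webdb webapp dba 192.0.2.10 | mysql -u root -p
mysql_hardening_sql webdb webapp dba 192.0.2.10
```

REQUIRE SSL only has effect once mysqld is built with SSL support and my.cnf points ssl-ca, ssl-cert and ssl-key at a certificate; check `SHOW VARIABLES LIKE 'have_ssl'` before relying on it.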