Best Tips to Secure MySQL Databases Against Attackers
As the most popular open source database engine, MySQL itself is quite secure. But you can still add extra security layers to protect your MySQL databases from common attacks. If you value your online business, you will not want to run the risk of database corruption.
Below, we introduce the best post-installation practices that you can use to protect MySQL databases and so increase the security of your website.
Secure the Operating System
The security of the operating system needs to be discussed before that of any single database, because if the entire environment is unsafe, everything in it is vulnerable and can easily be exposed to attackers. To safeguard the operating system and MySQL server, you can apply the following methods.
- Host database server and web server separately on different physical machines. If it is possible, run the database server on a separate server so that server issues caused by the vulnerabilities of other applications or services can be prevented.
- Install antivirus software, firewall, and all recommended patches and updates. A firewall can effectively filter the traffic to the MySQL server. For better security, it is also recommended to perform port lockdown.
- Disable all unnecessary services. Less is better.
Secure All Accounts and Passwords
One of the most common ways attackers break into a MySQL database is by stealing the information of insecure accounts. To reduce this risk, apply the practices below.
Require passwords for all MySQL accounts
Client programs do not always identify the user. A user can therefore specify any other username to connect to MySQL if the database name is known and that username has no password. Requiring a password for each username makes it harder to establish connections with anonymous accounts.
Do not use root user to run the MySQL server
During the MySQL installation, an administrative user named "root" is created by default. Everyone knows that, so attackers usually try to access it to obtain its permissions. To make this important account safer, rename it and then give it a long and complex password.
You can use the following commands in the MySQL console to complete the tasks.
To rename the "root" user:
mysql> RENAME USER 'root'@'localhost' TO 'new_username'@'localhost';
To change the password:
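-- PASSWORD() was removed in MySQL 8.0; servers older than 5.7.6 use:
--   SET PASSWORD FOR 'username'@'hostname' = PASSWORD('newpassword');
mysql> ALTER USER 'username'@'hostname' IDENTIFIED BY 'newpassword';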
Remove the history file
MySQL server has a history file which helps you figure out what is wrong when there is a problem during the installation. The file includes sensitive information, which brings huge risk if it is obtained by an attacker. For example, the passwords are stored in plain text. Since the file is no longer useful after a successful installation, you can empty it with the command below.
cat /dev/null > ~/.mysql_history
Restrict the Remote Access to MySQL Server
For most users, the MySQL server does not need to be accessible over the insecure open network. You can limit the hosts that can reach it by configuring the firewall or hardware, or simply by forcing MySQL to listen on localhost only. For remote access, SSH tunnels should be required.
To allow users to establish connections only from localhost, add the following line to the configuration file.
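The line itself is missing from this page; the MySQL option that makes the server listen on localhost only is bind-address = 127.0.0.1 in the [mysqld] section (an assumption about what the author intended). The shell function below is an added example, not part of the original article, that checks an option file for that setting; the function name and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): classify how the [mysqld]
# section of an option file exposes the server to the network.
# Output: local-only | remote-exposed | unset
mysqld_listen_scope() {
  awk '
    /^[ \t]*[#;]/ { next }                       # full-line comments
    /^[ \t]*\[/ {                                # section header, e.g. [mysqld]
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      sect = tolower(s); next
    }
    sect == "mysqld" {
      line = $0; sub(/[ \t]*#.*$/, "", line)     # drop trailing comment
      eq  = index(line, "=")
      key = (eq ? substr(line, 1, eq - 1) : line)
      val = (eq ? substr(line, eq + 1) : "")
      gsub(/[ \t\r]/, "", key); gsub(/_/, "-", key)  # bind_address == bind-address
      gsub(/[ \t\r]/, "", val)
      if (key == "skip-networking")              # bare option or any value but 0/off
        skipnet = (val != "0" && tolower(val) != "off")
      if (key == "bind-address") addr = val
    }
    END {
      if (skipnet || addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
        print "local-only"
      else if (addr != "")
        print "remote-exposed"
      else
        print "unset"   # nothing in this file; server default or another file decides
    }
  ' "$1"
}

# Constructed sample option files: one restricted, one listening on all interfaces.
demo_dir=$(mktemp -d)
printf '[client]\nport = 3306\n[mysqld]\nbind-address = 127.0.0.1\n' > "$demo_dir/local.cnf"
printf '[mysqld]\n# bind-address = 127.0.0.1\nbind_address=0.0.0.0\n' > "$demo_dir/open.cnf"
for f in "$demo_dir"/*.cnf; do
  echo "$(basename "$f"): $(mysqld_listen_scope "$f")"
done
rm -rf "$demo_dir"
```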
Make Use of Logging
Enabling logging allows you to monitor the activities on your server, so that you can analyze failed login attempts and access to sensitive files to find out whether malicious activity has been launched against your server and database. Logging can be enabled manually by adding the following command to the MySQL configuration file.
In terms of logging, there are two suggestions.
- Enabling logging is only recommended for database servers that execute a limited number of queries. For heavy production servers, it may cause high overload.
- Only "root" and "mysql" should be granted access to the log file "hostname.err", as this file includes much sensitive data such as table names and passwords.