Tips for Improving MySQL and MariaDB Security

MySQL brands itself as the world's most popular open source database. As popular as MySQL is among developers and SQL enthusiasts, it is equally popular among attackers. In today's article, you'll learn some tips and tricks for securing your MySQL or MariaDB databases.


1. Remove Users Without Password

A fresh installation already contains pre-created accounts, some of which can connect to the database without a password or, even worse, are anonymous. This has changed in MySQL 5.7, which by default comes only with a root account that uses the password you choose at installation time. Still, there are MySQL installations that were upgraded from previous versions, and these installations keep the legacy users. Also, MariaDB 10.2 on CentOS 7 comes with anonymous users. Please note that users with very simple passwords are almost as insecure as users without any password. Passwords like "password" or "qwerty" are not really helpful.

2. Remove Anonymous Users

MySQL by default creates several anonymous users that essentially serve no purpose after installation. These accounts should therefore be removed, as their presence on the system gives attackers an entry point into the database.
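The audit and clean-up for tips 1 and 2, as an added example that is not part of the original article. It assumes a MySQL 5.7/8.0 or MariaDB 10.2+ server; the host names and the `app` account are placeholders to replace with what the audit query reports.

```sql
-- 1) Audit: which accounts can log in without a password, and which are anonymous?
--    MySQL 5.7/8.0 store the hash in authentication_string. Accounts using socket
--    authentication (auth_socket / unix_socket) legitimately have an empty hash,
--    so they are excluded rather than flagged.
SELECT user, host, plugin
FROM mysql.user
WHERE user = ''
   OR (authentication_string = ''
       AND plugin NOT IN ('auth_socket', 'unix_socket'));

-- MariaDB 10.2/10.3 still keep mysql_native_password hashes in the legacy
-- `password` column, so there both columns must be empty to count as passwordless:
-- SELECT user, host, plugin FROM mysql.user
-- WHERE user = '' OR (password = '' AND authentication_string = ''
--                     AND plugin NOT IN ('unix_socket'));

-- 2) Remove anonymous accounts. DROP USER IF EXISTS is available in MySQL 5.7+
--    and MariaDB 10.1.3+. ''@'<hostname>' is a placeholder for the server's
--    own host name as listed by the audit query above.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'<hostname>';

-- 3) For a named account that has no password (or a trivial one), set a strong
--    password instead of dropping it. 'app'@'localhost' is a placeholder.
ALTER USER 'app'@'localhost' IDENTIFIED BY '<replace-with-a-strong-password>';

-- 4) Re-run the audit; it should return no rows except socket-authenticated
--    accounts, then reload the grant tables.
FLUSH PRIVILEGES;
```

Run the audit again after the changes; any row still returned is an account that was not covered by the placeholders above.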
     
3. Change Default Port Mappings

MySQL by default listens on port 3306. This should be changed after installation to obscure which critical services are running on which ports, as attackers will initially probe default values.

4. Do Not Run MySQL With Root-Level Privileges

MySQL should run under a dedicated, newly created user account that has only the permissions needed to run the service, rather than directly as the root user. This adds auditing and logging benefits while preventing attackers from gaining full system access by hijacking the account the service runs as.

5. Limit or Disable SHOW DATABASES

Again, stripping remote attackers of their information-gathering capabilities is critical to a strong security posture. For this reason, the SHOW DATABASES command should be limited or disabled entirely by adding skip-show-database to the [mysqld] section of the MySQL configuration file at /etc/my.cnf.