A general "checklist" for securing MySQL/MariaDB varient relational databases in Linux

Introduction


I am back with a a new topic for this week! a couple of months ago, I was playing around with and testing out MySQL database here in Fedora, so that I can learn the ropes for it if I need to configure and use it someday! I decided to create a simple security "checklist" for the first blog entry this week, to help get you moving in the right direction, after reading some suggestions from the manual. Instead of going into a detailed fashion, about what exact steps you need to take to secure the database in the best possible fashion exactly, I am going to list some "general" purpose steps that you can take if you are building a LAMP stack for instance in Linux. Here is the list (It's not exhaustive), but I may or may not add more resources to it in the future! [1]

Common Security tips for securing MySQL/MariaDB databases:


  • Make sure that only certain individuals have "root" access to the database (see below)
  • Always put root passwords into the DB (even if you just using the server as a "test" server and not a live production one)
  • Make sure all of the passwords in the database are encrypted with SHA-2 algorithm or better (MD5 and SHA-1 are no longer collision resistant!)
  • Make sure, in whatever server side language you are using to access MySQL/MariaDB, including PHP, RoR, or Python that you are using either filter functions or regular expressions to "drop" any illegal database queries and prevent SQL injection and XSS attacks! Even relatively simple ones. 
  • If you choose to use SSL 3.0/TLS 1.3 at the transport layer with the database make sure AES with a 256-bit key is being used along with signed CA certificates, from a TRUSTED CA.
  • If you choose not use SSL 3.0/TLS 1.3 at the transport layer with the database make sure the AES-128 algorithm is used SPARINGLY on certain database queries (due to performance and speed issues), unless your running it the cloud with AWS or Azure.
  • Always make sure to perform backups of the database using sqldumper or similar tools in Linux, excluding running them in the cloud with AWS or Azure (they often don't mention this in System Admin books)
  • If you are an "advanced" user consider setting up a web-based Intrusion Detection System (IDS) on top of the database to "alert" you of any attempts at SQL injection or XSS attacks on the database itself. 
  • If your an "advanced" user, using Debian / Fedora / CentOS / Red Hat for running your server, consider isolating the MySQL/MariaDB daemon within a sandboxed Docker container, even inside of virtual machines.
  • If you are an "advanced" user, using Debian / Fedora / CentOS / Red Hat for running your server consider using SELinux in "enforcing mode" on the MySQL/MariaDB daemon, even inside of virtual machines.

That should cover you on all the bases! I am going to add more references to the list below, as I continue to find more good books and manuals on database security. In the meantime, if you are a DBA or Systems Admin I strongly recommend you use the guidelines above for securing your server! failure to "cut corners" may lead to a data breach (in the case of LinkedIn breach in 2012, this was exactly what happened. The developers were using MD5 and SHA-1 to hash the passwords which are not collision resistant, coupled with the fact that most users passwords were "very weak". Most passwords were less then 10 characters, using alpha-numerics). I hope you enjoyed this weeks entry. I will be back in a couple of days or next week, with a new entry. In the meantime, I will attempt to update this list with more database books and manuals, if I come across some good ones that are thorough!

Reference:



1. MySQL 5.5. "Security in MySQL" http://dev.mysql.com/doc/mysql-security-excerpt/5.5/en/index.html accessed 10 Dec 2012. 2012

Comments

Post a Comment

Popular posts from this blog

Encoding Opus files in Linux with opusenc for your own collection and HTML 5

Introduction Hello everyone! I am finally back to writing a new blog entry, after taking a very long month off. I hope all of my U.S readers had a great Fourth of July and are enjoying the summer. Today, I am going to be discussing and showing you how to encode with the the new IETF working audio codec called "Opus". Briefly, Opus is a combination of Xiph.org "CELT" codec and Skype's "SILK" codec combined into one project. It's a low-latency audio codec that was designed with "scalability" in mind and does things "fundamentally" different, even though it should sound the same if not better in different situations for speech and music. The project was finally completed this past winter and standardized and will be used in the new WebRTC project (for video conferencing), Skype (for video calls), and other companies that wish to use it. Google is NOW (as of July 2013) incorporating it, into the next generation codebase of WebM, wh
Read more

Encoding Vorbis files in Linux using oggenc for your own music collection and HTML 5

Introduction In today's topic, I will be showing readers different ways you can encode your music collection, if you just moved over to Linux from Windows using open source codecs! You do not have to encode your music files with Vorbis, due to the fact that MP3 is also supported in Linux and HTML 5, but there are some substantial benefits to doing in this day and age (at least from the perspective of an open-source nerd 8-)). The first is you don't have to worry about royalty's and licensing rates (especially if you are opening up a store for indie musicians). The second is that both objectively and subjectively Vorbis sounds substantially better and has been greatly improved with the help of dedicated "audiophiles" and the open source community, since it's first public release over a decade ago, way back in 2002. Today, I will show you some tips and tricks if you are new to encoding your music collection in Linux using the oggenc command-line program in Li
Read more

Transcoding H.264 files to Google's WebM format (VP8/Vorbis) in FFMPEG 0.6 or better using Linux for your own collection and HTML 5

Introduction Note: I want to stress that I DO NOT CONDONE using this guide to encode movies that are infringing upon international and local copyright laws (which include the WIPO Treaty in Europe and the DMCA in the U.S). These examples ASSUME your encoding material in which you OWN The RIGHTS too! I will not be held responsible for individuals that are using it to encode copyrighted material in those respective countries! If there are disputes about this or any other questions please DO NOT hesitate to contact me right away! Thank you. This week I am going to focus on showing you how to transcode videos to WebM, which is playable in both VLC and most HTML 5 compatible web browsers including Firefox, Chrome, Opera, and I.E 10! If you recall way back several months ago (if you had been following my old blog) I showed you some code snippets for how to encode directly to WebM using an older version of libvpx 0.6.1 code named "Bali", that came out last year, but has since be
Read more